How To Change The Token Lifetime For A SAML 2.0 Application With Azure Active Directory
You can specify the lifetime of an access, ID, or SAML token issued by the Microsoft identity platform. You can set token lifetimes for all apps in your organization, for a multi-tenant (multi-organization) application, or for a specific service principal in your organization. However, configuring token lifetimes for managed identity service principals is currently not supported.
The default lifetime of an access token is variable. When issued, an access token is assigned a random default lifetime between 60 and 90 minutes (75 minutes on average). The default lifetime also varies depending on the client application requesting the token and on whether Conditional Access is enabled in the tenant. For more information, see Access token lifetime.
SAML tokens are used by many web-based SaaS applications and are obtained from Azure Active Directory's SAML 2.0 protocol endpoint. They are also consumed by applications using WS-Federation. The default lifetime of the token is 1 hour. From an application's perspective, the validity period of the token is specified by the NotOnOrAfter value of the Conditions element in the token. After the validity period of the token has ended, the client must initiate a new authentication request, which will often be satisfied without interactive sign-in because of the Single Sign-On (SSO) session token.
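The validity-window check described above, as an added PowerShell example that is not code from the original page or from Microsoft. It parses a constructed SAML 2.0 assertion (the issuer tenant ID and audience URL are placeholders), tolerates a configurable clock skew between the identity provider and the relying party, and reports whether the relying party should still accept the token or send the user back to Azure AD. The function name `Test-SamlAssertionWindow` and the `$ClockSkewSeconds` default of 300 are assumptions of this example.

```powershell
# Added example (not code from the original page): evaluating a SAML 2.0 assertion's
# Conditions window the way a relying party does, with a clock-skew allowance.
# The assertion below is constructed for illustration; tenant ID and audience are placeholders.
$assertionXml = @"
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_constructed-example" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
  <saml:Conditions NotBefore="2024-01-01T11:55:00Z" NotOnOrAfter="2024-01-01T13:00:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://app.example.com/</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>
"@

function Test-SamlAssertionWindow {
    param(
        [Parameter(Mandatory)] [string]   $Xml,
        [Parameter(Mandatory)] [datetime] $Now,               # evaluation time; converted to UTC below
        [Parameter(Mandatory)] [string]   $ExpectedAudience,
        [int] $ClockSkewSeconds = 300                         # tolerated IdP/RP clock drift (assumed default)
    )
    $doc  = [xml]$Xml
    $cond = $doc.Assertion.Conditions                         # PowerShell resolves 'saml:' elements by local name

    # SAML timestamps are UTC ('Z' suffix); parse them as UTC rather than local time.
    $culture   = [System.Globalization.CultureInfo]::InvariantCulture
    $styles    = [System.Globalization.DateTimeStyles]::AdjustToUniversal -bor
                 [System.Globalization.DateTimeStyles]::AssumeUniversal
    $notBefore = [datetime]::Parse($cond.NotBefore,    $culture, $styles)
    $notAfter  = [datetime]::Parse($cond.NotOnOrAfter, $culture, $styles)
    $nowUtc    = $Now.ToUniversalTime()

    # NotBefore is inclusive, NotOnOrAfter is exclusive (SAML 2.0 Core, Conditions element).
    $tooEarly = $nowUtc -lt $notBefore.AddSeconds(-$ClockSkewSeconds)
    $expired  = $nowUtc -ge $notAfter.AddSeconds($ClockSkewSeconds)

    # The audience restriction must match too, otherwise the token was minted for another app.
    $audiences     = @($cond.AudienceRestriction.Audience)
    $audienceMatch = $audiences -contains $ExpectedAudience

    [pscustomobject]@{
        Valid         = (-not $tooEarly) -and (-not $expired) -and $audienceMatch
        TooEarly      = $tooEarly
        Expired       = $expired
        AudienceMatch = $audienceMatch
        SecondsLeft   = [int](($notAfter - $nowUtc).TotalSeconds)
    }
}

# Inside the window: Valid = True, about 3600 seconds left.
Test-SamlAssertionWindow -Xml $assertionXml -Now ([datetime]'2024-01-01T12:00:00Z') `
                         -ExpectedAudience 'https://app.example.com/'

# Past NotOnOrAfter plus skew: Expired = True, so the RP must start a new authentication
# request to Azure AD (usually satisfied silently by the SSO session token).
Test-SamlAssertionWindow -Xml $assertionXml -Now ([datetime]'2024-01-01T13:06:00Z') `
                         -ExpectedAudience 'https://app.example.com/'
```

The skew allowance is what keeps a slightly fast relying-party clock from rejecting every fresh token; keep it small (a few minutes) so the effective lifetime stays close to the one Azure AD issued.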
ID tokens are passed to websites and native clients. ID tokens contain profile information about a user. An ID token is bound to a specific combination of user and client. ID tokens are considered valid until their expiry. Usually, a web application matches a user's session lifetime in the application to the lifetime of the ID token issued for the user. You can adjust the lifetime of an ID token to control how often the web application expires the application session, and how often it requires the user to be re-authenticated with the Microsoft identity platform (either silently or interactively).
Refresh and session token configuration are affected by the following properties and the values set for them. After the retirement of refresh and session token configuration on January 30, 2021, Azure AD will only honor the default values described below. If you decide not to use Conditional Access to manage sign-in frequency, your refresh and session tokens will be set to the default configuration on that date and you'll no longer be able to change their lifetimes.
Non-persistent session tokens have a Max Inactive Time of 24 hours, whereas persistent session tokens have a Max Inactive Time of 90 days. Any time the SSO session token is used within its validity period, the validity period is extended by another 24 hours or 90 days. If the SSO session token is not used within its Max Inactive Time period, it is considered expired and will no longer be accepted. Any change to these default periods should be made using Conditional Access.
You can create and then assign a token lifetime policy to a specific application, to your organization, and to service principals. Multiple policies might apply to a specific application. The token lifetime policy that takes effect follows these rules:
The Microsoft identity platform supports single sign-on (SSO) with most enterprise applications, including both applications pre-integrated in the Azure Active Directory (Azure AD) application gallery and custom applications. When a user authenticates to an application through the Microsoft identity platform using the SAML 2.0 protocol, the Microsoft identity platform sends a token to the application. The application then validates and uses the token to log the user in instead of prompting for a username and password.
By default, the Microsoft identity platform issues a SAML token to an application that contains a NameIdentifier claim with a value of the user's username (also known as the user principal name) in Azure AD, which can uniquely identify the user. The SAML token also contains other claims that include the user's email address, first name, and last name.
I see that this can be configured using conditional access: -us/azure/active-directory/conditional-access/overview Unfortunately, this requires an Azure Premium license or a Microsoft 365 Business Premium license. We are using Microsoft 365 Standard licenses. Previously the "conditional access" functionality was available to 365 standard licenses, but not anymore.
Configurable token lifetimes for Azure Active Directory (AAD) have been available for a while now, although the feature is still in public preview. This article provides details of how to create an access token lifetime policy and how to apply it to an application federated with AAD using SAML 2.0.
However, you can request a refresh token along with the access token or ID token by passing offline_access in the scope parameter. The refresh token is used to obtain new access/refresh token pairs when the current access token expires. The refresh token lifetime is 90 days by default.
In a recent announcement at the Enterprise Mobility Blog, -to-the-token-lifetime-defaults-in-azure-ad/, Microsoft described a change to the default token lifetime settings in Azure Active Directory for new tenants only. This change will not affect existing tenants.
This is great news for many customers to remove user frustration over authentication prompts when refresh tokens expired after a period of inactivity. For example, if I haven't used an App on my mobile phone for 14 days, I have to reauthenticate with my work/school account again to get a new Access Token and Refresh Token. Some Apps I use quite often, like Outlook and OneDrive, and by keeping active the Refresh Token will be continuously renewed as well together with the Access Token (which by default is valid for 1 hour). For my existing tenant this would mean that keeping active, and at least using the Refresh Token inside the 14 Days, I will get new Access and Refresh Tokens, but after 90 Days the Single and/or Multi factor Refresh Token Max Age will be reached, and I have to reauthenticate again in my Apps.
In some cases, you might want to change this policy for a dedicated Azure AD application. I recently received the requirement to reduce the token lifetime to 10 minutes and the refresh token to 30 minutes. I used the script below to perform this configuration.
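As an added example (not the author's script and not Microsoft's own code), the following PowerShell creates the token lifetime policy described in the preceding paragraphs and scopes it to a single SAML application's service principal rather than the whole organization. It assumes the AzureADPreview module is installed and that the signed-in account can manage policies; the policy display name and the enterprise application name `Contoso SAML App` are placeholders. Only AccessTokenLifetime is set: the refresh and session token properties were retired in January 2021 as noted above, so the 30-minute refresh token lifetime mentioned in the paragraph can no longer be configured through this policy and is handled with Conditional Access sign-in frequency instead.

```powershell
# Added example (not the original author's script): create a 10-minute token lifetime
# policy and attach it to one SAML application's service principal.
# Assumes the AzureADPreview module and an account permitted to manage policies.
Import-Module AzureADPreview
Connect-AzureAD

# AccessTokenLifetime applies to access, ID and SAML tokens issued for the targeted app.
# Refresh/session token properties (MaxInactiveTime, MaxAgeSingleFactor, ...) are no longer
# honored after the January 2021 retirement, so they are deliberately left out of the definition.
$definition = @'
{"TokenLifetimePolicy":{"Version":1,"AccessTokenLifetime":"00:10:00"}}
'@

$policy = New-AzureADPolicy -Definition @($definition) `
                            -DisplayName 'SamlToken10Minutes' `
                            -IsOrganizationDefault $false `
                            -Type 'TokenLifetimePolicy'

# Scope the policy to one app only: resolve the enterprise application's service principal.
# 'Contoso SAML App' is a placeholder display name.
$sp = Get-AzureADServicePrincipal -Filter "displayName eq 'Contoso SAML App'"
if (-not $sp)             { throw 'Service principal not found; check the display name.' }
if (@($sp).Count -gt 1)   { throw 'Display name is ambiguous; select the service principal by ObjectId instead.' }

Add-AzureADServicePrincipalPolicy -Id $sp.ObjectId -RefPolicyId $policy.Id

# Verify which token lifetime policies are now attached to the application.
Get-AzureADServicePrincipalPolicy -Id $sp.ObjectId |
    Select-Object DisplayName, Type, Definition

# Rollback, if the shorter lifetime causes too many re-authentications:
# Remove-AzureADServicePrincipalPolicy -Id $sp.ObjectId -PolicyId $policy.Id
# Remove-AzureADPolicy -Id $policy.Id
```

Because the policy is created with `-IsOrganizationDefault $false` and attached only to this service principal, other applications keep the tenant's default lifetimes; the `Get-AzureADServicePrincipalPolicy` call at the end is the check to run after any change so that an unexpectedly attached policy does not go unnoticed.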
When a client requests a security token for a relying party (RP) from the federation service (FS), the authentication cookie is used to authenticate to the FS and to initialise, or bootstrap, the set of input claims for token issuance. This cookie provides SSO. For example, a client authenticates with AD FS and gets a token for an application such as Azure AD, and then attempts to access another app, for example an on-premises federated app; the client already has a valid authentication token in the form of the cookie and is therefore able to SSO to the FS and obtain a new security token for the federated app.
If you work on devices which are not registered in Azure AD, it might also be that applications running on that device do not share their OAuth refresh token with each other, requiring the user to authenticate multiple times.
When a token expires, ideally the application requests a new token from Azure AD to continue working in the session. This is where AAD can influence the way it issues a new token, as the user is being redirected from the application back to AAD for validation. The thing to remember here is that AAD has no way to validate how the token is being used, and even less whether the token is being used or whether the application itself is being used. In short, AAD cannot determine if the user is actively using the application or not.
But what we can do is, ensure that the token AAD sends to the application only has a specific lifetime, so we ensure (if the application adheres to all the standards) that the user is sent back to AAD frequently so if needed, we can apply the re-auth rule ourselves. This is called Sign-In Frequency within Azure AD. Note that it does not matter if the user actually used the application or not. If the session timer is up, he/she needs to put their credentials in again (and MFA if required):
The result is that a user can log in and open any application they have access to. But when clicking an application that falls under the session-timeout policy, the token lifetime of that application will be reduced to the lifetime specified in the session timeout (+ 5 minutes). Once the user has used the application for 1:05 hours, they will be redirected back to Azure AD and will see the login screen.
(PS. While the official documentation ( -us/azure/active-directory/conditional-access/howto-conditional-access-session-lifetime) shows support for OAuth or OIDC protocols, it actually works on the custom F5 deployment I wrote about in an earlier blog.)
When a client application connects to a service application that relies on Azure AD for authentication (for example the Outlook app connecting to Office 365 Exchange Online), the application requests a token from the Web Account Manager using its API.
During WinLogon there are two tokens that come back: the PRT and an ID token for the client's consumption. There are no other tokens or refresh tokens. During authentication to an application, the PRT is exchanged for an access token. This happens via the Web Account Manager: the client calls this API to get the access token.
I am configuring Tableau SSO SAML/ADFS with Azure AD. It was pretty good with documentation provided by Tableau and Microsoft. However, the Tableau console intermittently gives a session timeout "invalid user id and password" error. When checked with Tableau support, they mentioned this happens when the maximum authentication age on Tableau Server is shorter than the maximum authentication age on Azure AD / the application.
To resolve this issue, ensure the appID matches what is sent. Azure will automatically append "SPN" to the appID when using the application ID with the app that is being used. You can change the value in the Tableau SAML settings by adding the "SPN:" prefix to the application ID.