Adjust the max authentication age setting in IdM

The IdP (Microsoft ADFS) uses a parameter named Web SSO lifetime to determine whether a user login request is sent within a valid time period of the user's last login. If yes, the user is automatically logged in without the need to enter a user name and password. Similarly, the IdM service uses a parameter named maxAuthenticationAge for the same purpose.

To enable SAML SSO for Service Manager, the maxAuthenticationAge value defined in the IdM service must be no less than the Web SSO lifetime value defined in the IdP. By default, the IdM service setting is 7200 seconds (2 hours), and the ADFS setting is 480 minutes (8 hours). Since this IdP setting is usually a global setting for your organization, you may want to change the IdM setting according to your IdP setting. To do this, perform the following steps.

Step 1. Check the web SSO lifetime value in the IdP

  1. Open Microsoft ADFS.
  2. Click Service and then select Edit Federation Service Properties.

  3. On the General tab, check the Web SSO lifetime value.

    Note The default value is 480 minutes (8 hours).

Step 2. Adjust the web SSO lifetime setting in the IdM service

To check the value in the IdM service, follow these steps:

  1. Open the <idm-service>\WEB-INF\spring\applicationContext-saml.xml file in a text editor.
  2. Search for the following line:

    <bean id="webSSOprofileConsumer" class="org.springframework.security.saml.websso.WebSSOProfileConsumerImpl"/>            
  3. Change this line to the following:

    <bean id="webSSOprofileConsumer" class="org.springframework.security.saml.websso.WebSSOProfileConsumerImpl">
        <property name="maxAuthenticationAge" value="xxxx"/>
    </bean>

    Where: xxxx represents a value (in seconds) that is no less than your ADFS Web SSO lifetime. For example, if your ADFS setting is 480 (minutes), xxxx should be 28800 or greater.

  4. Restart the IdM service.

Tip To do this, run the following command: systemctl restart idm.

Now, SAML SSO is enabled for the single Service Portal instance.

Next, you need to configure an IdM token signing key, which is needed to enable SAML SSO in Service Manager.

Next step

Configure an IdM token signing key in Service Portal