Adjust the max authentication age setting in IdM

Search for	Example	Results
A single word	`cat`	Topics that contain the word "cat". You will also find its grammatical variations, such as "cats".
A phrase. You can specify that the search results contain a specific phrase.	`"cat food"` (quotation marks)	Topics that contain the literal phrase "cat food" and all its grammatical variations. Without the quotation marks, the query is equivalent to specifying an OR operator, which finds topics with one of the individual words instead of the phrase.

Search for	Operator	Example
Two or more words in the same topic	`AND` `and` `+` (plus symbol) `&` (ampersand)	`cat AND dog` `"cat food"+milk` `"cat food"&"dog food"`
Either word in a topic	`OR` `or` `\|` (pipe)	`cat OR dog` `cat \| dog`
Topics that do not contain a specific word or phrase	`NOT` `not` `!` (exclamation point)	`NOT cat` `! dog`
Topics that contain one string and do not contain another	`^` (caret)	`cat ^ mouse`
A combination of search types	`( )` parentheses	`cat + (dog \| mouse)` `cat \| dog + (! mouse)`

The IdP (Microsoft ADFS) uses a parameter named Web SSO lifetime to determine whether a user login request is sent within a valid time period of the user's last login. If yes, the user is automatically logged in without the need to enter a user name and password. Similarly, the IdM service uses a parameter named maxAuthenticationAge for the same purpose.

To enable SAML SSO for Service Manager, the maxAuthenticationAge value defined in the IdM service must be no less than the Web SSO lifetime value defined in the IdP. By default, the IdM service setting is 7200 seconds (2 hours), and the ADFS setting is 480 minutes (8 hours). Since this IdP setting is usually a global setting for your organization, you may want to change the IdM setting according to your IdP setting. To do this, perform the following steps.

Step 1. Check the web SSO lifetime value in the IdP

Open Microsoft ADFS.

Click Service and then select Edit Federation Service Properties.

On the General tab, check the Web SSO lifetime value.

Note The default value is 480 minutes (8 hours).

Step 2. Adjust the web SSO lifetime setting in the IdM service

To check the value in the IdM service, follow these steps:

Open the <idm-service>\WEB-INF\spring\applicationContext-saml.xml file in a text editor.

Search for the following line:

<bean id="webSSOprofileConsumer" class="org.springframework.security.saml.websso.WebSSOProfileConsumerImpl"/>

Change this line to the following:

<bean id="webSSOprofileConsumer" class="org.springframework.security.saml.websso.WebSSOProfileConsumerImpl">
    <property name="maxAuthenticationAge" value="xxxx"/>
</bean>

Where: xxxx represents a value (in seconds) that is no less than your ADFS Web SSO lifetime. For example, if your ADFS setting is 480 (minutes), xxxx should be 28800 or greater.

Restart the IdM service.

Tip To do this, run the following command: systemctl restart idm.

Now, SAML SSO is enabled for the single Service Manager Service Portal instance.

Next, you need to configure an IdM token signing key, which is needed to enable SAML SSO in Service Manager.

Next step

Related topics