Task 17: Adjust the max authentication age setting in the IdM service

Search for	Example	Results
A single word	`cat`	Topics that contain the word "cat". You will also find its grammatical variations, such as "cats".
A phrase. You can specify that the search results contain a specific phrase.	`"cat food"` (quotation marks)	Topics that contain the literal phrase "cat food" and all its grammatical variations. Without the quotation marks, the query is equivalent to specifying an OR operator, which finds topics with one of the individual words instead of the phrase.

Search for	Operator	Example
Two or more words in the same topic	`AND` `and` `+` (plus symbol) `&` (ampersand)	`cat AND dog` `"cat food"+milk` `"cat food"&"dog food"`
Either word in a topic	`OR` `or` `\|` (pipe)	`cat OR dog` `cat \| dog`
Topics that do not contain a specific word or phrase	`NOT` `not` `!` (exclamation point)	`NOT cat` `! dog`
Topics that contain one string and do not contain another	`^` (caret)	`cat ^ mouse`
A combination of search types	`( )` parentheses	`cat + (dog \| mouse)` `cat \| dog + (! mouse)`

The IdP (Microsoft ADFS) uses a parameter named Web SSO lifetime to determine whether a user login request is sent within a valid time period of the user's last login. If yes, the user is automatically logged in without the need to enter a user name and password. Similarly, the IdM service uses a parameter named maxAuthenticationAge for the same purpose.

To enable SAML SSO for Service Manager, the maxAuthenticationAge value defined in the IdM service must be no less than the Web SSO lifetime value defined in the IdP. By default, the IdM service setting is 36000 seconds (10 hours), and the ADFS setting is 480 minutes (8 hours). Since this IdP setting is usually a global setting for your organization, you may want to change the IdM setting according to your IdP setting. To do this, perform the following steps.

Step 1. Check the web SSO lifetime value in the IdP

Open Microsoft ADFS.

Click Service and then select Edit Federation Service Properties.

On the General tab, check the Web SSO lifetime value.

Note The default value is 480 minutes (8 hours).

Step 2. Adjust the web SSO lifetime setting in the IdM service

To check the value in the IdM service, follow these steps:

Open the <idm-service>\WEB-INF\spring\applicationContext.properties file in a text editor.

Add a new line:

idm.saml.maxAuthenticationAge = <TIME_IN_SECONDS>

Where: <TIME_IN_SECONDS> represents a value (in seconds) that is no less than your ADFS Web SSO lifetime. For example, if your ADFS setting is 480 (minutes), <TIME_IN_SECONDS> should be 28800 or greater. By default, the value is 36000.

Restart the IdM service.