
Task 17: Adjust the max authentication age setting in the IdM service

The IdP (Microsoft ADFS) uses a parameter named Web SSO lifetime to determine whether a user login request arrives within a valid time window after the user's last login. If so, the user is logged in automatically without entering a user name and password. The IdM service uses a parameter named maxAuthenticationAge for the same purpose.

To enable SAML SSO for Service Manager, the maxAuthenticationAge value defined in the IdM service must be no less than the Web SSO lifetime value defined in the IdP. By default, the IdM service setting is 36000 seconds (10 hours), and the ADFS setting is 480 minutes (8 hours). Because the IdP setting is usually a global setting for your organization, you will normally change the IdM setting to match your IdP setting rather than the reverse. To do this, perform the following steps.

Step 1. Check the web SSO lifetime value in the IdP

  1. Open Microsoft ADFS.
  2. Click Service and then select Edit Federation Service Properties.
  3. On the General tab, check the Web SSO lifetime value.

     Note: The default value is 480 minutes (8 hours).

Step 2. Adjust the web SSO lifetime setting in the IdM service

To adjust the value in the IdM service, follow these steps:

  1. Open the <idm-service>\WEB-INF\spring\applicationContext.properties file in a text editor.
  2. Add a new line:

     idm.saml.maxAuthenticationAge = <TIME_IN_SECONDS>

     Where <TIME_IN_SECONDS> is a value (in seconds) that is no less than your ADFS Web SSO lifetime. For example, if your ADFS setting is 480 minutes, <TIME_IN_SECONDS> should be 28800 (480 x 60) or greater. By default, the value is 36000.

  3. Restart the IdM service.
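The following script is an added example, not part of the Service Manager documentation or the IdM service itself. It checks an applicationContext.properties file against the ADFS Web SSO lifetime (entered in minutes, as ADFS displays it), applies the IdM default of 36000 seconds when the key is absent, and rewrites or appends the idm.saml.maxAuthenticationAge line when the value is too small. The sample file content and the property names other than idm.saml.maxAuthenticationAge are constructed for illustration.

```python
"""Check and adjust idm.saml.maxAuthenticationAge against the ADFS Web SSO lifetime.

Added example, not product code. Assumptions:
- The properties file uses simple "key = value" lines, as shown on the page.
- When the key is absent, the IdM default of 36000 seconds applies.
"""
import re

PROPERTY = "idm.saml.maxAuthenticationAge"
DEFAULT_MAX_AGE_SECONDS = 36000  # IdM default stated in the documentation (10 hours)

# Constructed sample of an applicationContext.properties file that lacks the key.
# The other property names are made up for illustration.
SAMPLE_PROPERTIES = """\
# constructed sample, not a real file
idm.saml.entityId = https://idm.example.com/idm-service
idm.saml.someOtherSetting = true
"""

# Matches "key = value" or "key: value"; lines starting with # or ! are comments.
_LINE_RE = re.compile(r"^\s*([^#!=:\s][^=:]*?)\s*[=:]\s*(.*?)\s*$")


def read_max_authentication_age(properties_text: str) -> int:
    """Return the configured maxAuthenticationAge in seconds, or the default if absent."""
    value = DEFAULT_MAX_AGE_SECONDS
    for line in properties_text.splitlines():
        m = _LINE_RE.match(line)
        if m and m.group(1) == PROPERTY:
            value = int(m.group(2))  # last occurrence wins, as in Java properties files
    return value


def required_seconds(web_sso_lifetime_minutes: int) -> int:
    """Minimum maxAuthenticationAge (seconds) for an ADFS Web SSO lifetime given in minutes."""
    return web_sso_lifetime_minutes * 60


def is_consistent(properties_text: str, web_sso_lifetime_minutes: int) -> bool:
    """True when the IdM value is no less than the IdP lifetime, as the procedure requires."""
    return read_max_authentication_age(properties_text) >= required_seconds(web_sso_lifetime_minutes)


def set_max_authentication_age(properties_text: str, seconds: int) -> str:
    """Return the file text with the property set to `seconds` (replaced if present, else appended)."""
    new_line = f"{PROPERTY} = {seconds}"
    lines = properties_text.splitlines()
    replaced = False
    for i, line in enumerate(lines):
        m = _LINE_RE.match(line)
        if m and m.group(1) == PROPERTY:
            lines[i] = new_line
            replaced = True
    if not replaced:
        lines.append(new_line)
    return "\n".join(lines) + "\n"


def reconcile(properties_text: str, web_sso_lifetime_minutes: int) -> str:
    """Return text whose maxAuthenticationAge covers the IdP lifetime; unchanged if already adequate."""
    if is_consistent(properties_text, web_sso_lifetime_minutes):
        return properties_text
    return set_max_authentication_age(properties_text, required_seconds(web_sso_lifetime_minutes))


if __name__ == "__main__":
    # The IdM default (36000 s) already covers the ADFS default of 480 min (28800 s).
    print(is_consistent(SAMPLE_PROPERTIES, 480))
    # An ADFS lifetime raised to 12 hours (720 min) needs 43200 s or more, so the file is rewritten.
    print(is_consistent(SAMPLE_PROPERTIES, 720))
    print(reconcile(SAMPLE_PROPERTIES, 720))
```

Run it against a copy of the real file after changing the Web SSO lifetime in ADFS; the IdM service still has to be restarted (step 3) for a rewritten value to take effect.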