Idea ID: 2870964

Support for setting token lifetime on WS-federation

Status : New Idea
2 months ago

We are using Access Manager WsFed protocol to migrate a number of applications from ADFS to Access Manager. After migration of the first application (SharePoint) we noticed that Access Manager does not populate token lifetime and has no option to specify the same in the configuration.


We need Access Manager to support setting values for Lifetime, which is part of WS-Trust (which is one of the primary namespaces used by WS-Federation), and is typically pseudonymized as wst. The values under Lifetime consist of Created and Expires, both of which are defined in the WS Security Utility.

The WS-Fed specification (http://docs.oasis-open.org/wsfed/federation/v1.2/os/ws-federation-1.2-spec-os.html) section 1.4 specifies the namespace wst (WS-Trust), and in the WS-Trust specification (http://docs.oasis-open.org/ws-sx/ws-trust/v1.4/ws-trust.html), Lifetime is defined in section 4.4.


Please see the below attachment of the tokens issued by ADFS where the token lifetime is present. We are in the process of migrating a large number of WsFed applications to Access Manager and without the token lifetime, the length of session on the target systems is unspecified and leads to problems, thereby preventing our migration plans.

I could not add an image HERE!
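Since the attachment did not upload, the following is an added example (not part of the original post, and not code from Access Manager or ADFS) showing what the wst:Lifetime element described above looks like inside a WS-Trust RequestSecurityTokenResponse, and how a relying party derives a session TTL from it. Both RSTR fragments are constructed for illustration; the namespace URIs are the published WS-Trust 1.3, WS-Trust February-2005 (which ADFS passive responses commonly carry) and WSS Utility 1.0 namespaces. The second sample reproduces the failure mode the post describes: no Lifetime at all, so the relying party has nothing to clamp the session to.

```python
"""Extract wst:Lifetime (wsu:Created / wsu:Expires) from a WS-Fed RSTR.

Added example; not code from the original post, Access Manager or ADFS.
The RSTR samples below are constructed. Namespace URIs are the published ones.
"""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

WST_NAMESPACES = (
    "http://docs.oasis-open.org/ws-sx/ws-trust/200512",   # WS-Trust 1.3 (WS-Fed 1.2 section 1.4)
    "http://schemas.xmlsoap.org/ws/2005/02/trust",         # WS-Trust Feb 2005 (ADFS passive RSTR)
)
WSU_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"

# Constructed sample: an issuer that populates wst:Lifetime (one-hour token).
RSTR_WITH_LIFETIME = """<t:RequestSecurityTokenResponse
    xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
  <t:Lifetime>
    <wsu:Created>2024-05-01T10:00:00.000Z</wsu:Created>
    <wsu:Expires>2024-05-01T11:00:00.000Z</wsu:Expires>
  </t:Lifetime>
  <t:RequestedSecurityToken>
    <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" AssertionID="_constructed"/>
  </t:RequestedSecurityToken>
</t:RequestSecurityTokenResponse>"""

# Constructed sample: the same response with no wst:Lifetime element.
RSTR_WITHOUT_LIFETIME = """<t:RequestSecurityTokenResponse
    xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">
  <t:RequestedSecurityToken>
    <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" AssertionID="_constructed"/>
  </t:RequestedSecurityToken>
</t:RequestSecurityTokenResponse>"""


def _parse_utc(text):
    """wsu timestamps are xsd:dateTime in UTC with a trailing Z."""
    text = text.strip()
    if text.endswith("Z"):
        text = text[:-1] + "+00:00"
    return datetime.fromisoformat(text).astimezone(timezone.utc)


def extract_lifetime(rstr_xml):
    """Return (created, expires) as aware UTC datetimes, or None when the
    issuer did not populate wst:Lifetime. Searches descendants so an RSTR
    wrapped in a RequestSecurityTokenResponseCollection is handled too."""
    root = ET.fromstring(rstr_xml)
    for ns in WST_NAMESPACES:
        lifetime = next(root.iter(f"{{{ns}}}Lifetime"), None)
        if lifetime is not None:
            created = lifetime.find(f"{{{WSU_NS}}}Created")
            expires = lifetime.find(f"{{{WSU_NS}}}Expires")
            if created is None or expires is None:
                raise ValueError("wst:Lifetime present but wsu:Created/wsu:Expires missing")
            return _parse_utc(created.text), _parse_utc(expires.text)
    return None


def session_ttl_seconds(rstr_xml, now, fallback_seconds=None, skew_seconds=300):
    """Seconds the relying party should keep its session, clamped to the
    issuer's Lifetime. Without a Lifetime there is nothing to clamp to, so
    return the caller's explicit fallback (None means 'unspecified')."""
    lifetime = extract_lifetime(rstr_xml)
    if lifetime is None:
        return fallback_seconds
    created, expires = lifetime
    if now + timedelta(seconds=skew_seconds) < created:
        raise ValueError("token not yet valid (check clock skew)")
    return max(0, int((expires - now).total_seconds()))


def demo():
    """Evaluate both samples at a fixed instant inside the issued lifetime."""
    now = datetime(2024, 5, 1, 10, 30, tzinfo=timezone.utc)
    return {
        "with_lifetime_ttl": session_ttl_seconds(RSTR_WITH_LIFETIME, now),
        "expired_ttl": session_ttl_seconds(RSTR_WITH_LIFETIME, now + timedelta(hours=2)),
        "without_lifetime_ttl": session_ttl_seconds(RSTR_WITHOUT_LIFETIME, now),
        "without_lifetime_fallback": session_ttl_seconds(RSTR_WITHOUT_LIFETIME, now, fallback_seconds=3600),
    }


if __name__ == "__main__":
    print(demo())
```

Run as-is to see the four cases: a half-hour remaining on the issued token, zero after expiry, and, for the response with no Lifetime, either None or whatever local fallback the relying party is configured with. That last case is the situation the post describes: each target system ends up choosing its own session length rather than honouring one set by the issuer.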


Labels:

Configuration