Updating BootStrapContext with new SessionSecurity

Published 2020-04-16 18:41

Question:

When using sliding sessions in WIF with the session authentication module (SAM) and Thinktecture IdentityModel, as described in brockallen's blog, the session security token issued and written to the cookie has its "valid to" extended as required and the cookie is set accordingly.

But the BootStrapToken serialized to the current claims identity remains the old one, with the potentially expired token. This causes problems when trying to use the bootstrap context token for different reasons (among them could be implementing "Poor Man's" Delegation).

What is the best way to update the bootstrap token with the new issued token?

Answer 1:

The only way to get a fresh "bootstrap" token is to do a roundtrip to the actual issuer.



Answer 2:

If you're using Microsoft's Active Directory Federation Services (AD FS), then you can adjust/increase the timeout of the AD FS relying party token to be longer, which will extend the lifetime of the WIF bootstrap token.

For example, we had an issue where we were getting new session tokens, but we still had timeouts before the AD FS Web SSO timeout. One of the developers discovered that there is a setting to extend the relying party token's lifetime, which correlates to the bootstrap token in Windows Identity Foundation (WIF).

The setting is below:

Set-ADFSRelyingPartyTrust -TargetName YourTargetName -TokenLifetime 480

After we set the relying party token's timeout to be the same as the Web SSO token timeout, then it worked.

Note: You can check the current relying party token's timeout with the following command:

Get-ADFSRelyingPartyTrust -Name YourTargetName

Note II: You can check the Web SSO token's timeout by opening the AD FS Management tool, clicking "AD FS" in the left navigation pane, then clicking "Edit Federation Service Properties..." in the Actions pane on the right.
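As an added example (not part of the answer above), the following script does the comparison Answer 2 describes in one place: it reads the relying party's token lifetime and the Web SSO lifetime from AD FS, warns when the bootstrap token would expire before the SSO session, and optionally applies the fix. It assumes the relying party is identified by its display name, that `Get-AdfsProperties` exposes the Web SSO lifetime as `SsoLifetime`, and that a `TokenLifetime` of 0 means the AD FS default of 60 minutes.

```powershell
# Added example, not the original answer's code. Run in an elevated PowerShell on the AD FS server.
# Assumptions: $RpName is the relying party trust's display name; SsoLifetime and
# TokenLifetime are both in minutes; TokenLifetime 0 is treated as the 60-minute default.
param(
    [Parameter(Mandatory = $true)][string]$RpName,
    [switch]$Fix   # also set TokenLifetime to the Web SSO lifetime when it is shorter
)

Import-Module ADFS -ErrorAction Stop   # provides Get-AdfsProperties and *-AdfsRelyingPartyTrust

$rp = Get-AdfsRelyingPartyTrust -Name $RpName
if (-not $rp) { throw "Relying party trust '$RpName' not found." }

$ssoLifetime = (Get-AdfsProperties).SsoLifetime            # Web SSO lifetime (minutes)
$rpLifetime  = if ($rp.TokenLifetime -eq 0) { 60 } else { $rp.TokenLifetime }

"Relying party : {0}" -f $rp.Name
"TokenLifetime : {0} min (raw value {1})" -f $rpLifetime, $rp.TokenLifetime
"SsoLifetime   : {0} min" -f $ssoLifetime

if ($rpLifetime -lt $ssoLifetime) {
    # The WIF session cookie can slide up to SsoLifetime, but the bootstrap token
    # embedded in it is only valid for TokenLifetime; anything that re-uses the
    # bootstrap token (e.g. delegation) will fail once that gap is exceeded.
    $gap = $ssoLifetime - $rpLifetime
    Write-Warning "Bootstrap token expires $gap min before the Web SSO session ends."
    if ($Fix) {
        Set-AdfsRelyingPartyTrust -TargetName $RpName -TokenLifetime $ssoLifetime
        "TokenLifetime for '$RpName' set to $ssoLifetime min."
    }
}
else {
    "OK: relying party token lifetime covers the Web SSO lifetime."
}
```

Run it without `-Fix` first to see the current values; the same mismatch can be confirmed by hand with the two `Get-` commands from the answer.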