Thursday, July 9, 2015

Cannot login to SharePoint site enabled with SAML based authentication using WAAD

Environment: SharePoint 2013, Windows Azure AD service as Identity Provider.

Issue: Cannot login to SharePoint Portal working and getting Session has timed out error. Steps to reproduce
  1. Open SharePoint Portal
  2. Portal navigates to Azure login page
  3. After proving credentials, the page redirects to Azure login page

Cause: There is no SAMLResponse cookie available to validate the credentials and that is the reason why the login is failing. The FedAuth cookie that the SharePoint STS is setting before redirecting to SharePoint application is expiring. This is occurring because the cookie lifetime has exceeded the lifetime of the token issued by ACS, so it's redirecting to get a new SAML token from ACS immediately.

The login page keeps looping because the default LogonTokenCacheExpirationWindow for the SharePoint STS is 10 minutes. The relying party by default it sets the token lifetime in ADFS to be 2 minutes, so as soon as it authenticated it knew the cookie was good for less time than the LogonTokenCacheExpirationWindow value. Therefore it goes back to ADFS to authenticate again. And so it goes , back and forth. So I needed to change the LogonTokenCacheExpirationWindow to be less than the SAML TokenLifetime.

Findings: The first time that you navigate to a SharePoint Portal that is secured with SAML claims, it redirects you to get authenticated and get your claims. Your SAML identity provider, also known as identity provider security token service (IP-STS), does all that and then redirects you to SharePoint. When you come back into SharePoint, SharePoint creates a FedAuth cookie; that is how SharePoint knows that you have been authenticated. To make a smoother end-user experience, SharePoint writes the FedAuth cookie value to the local cookies folder. On subsequent requests for that site, if SharePoint finds a valid FedAuth cookie for the site, SharePoint reads the cookie and takes you directly to the SharePoint content, without reauthenticating.
The token lifetime is determined by the Relying Party Trust in ADFS, and is stamped with the local time of that server before being sent to SharePoint. SharePoint is in charge of determining when it feels that the token has expired (based on the LogonTokenCacheExpirationWindow property). Both of these properties can be changed but unless you have a very specific scenario, there is likely no need. Default values work fine.


The default lifetime for the SharePoint Relying Party in ACS and the STS token cache lifetime is 10 minutes.  You can increase the SAML token lifetime in ACS on the SharePoint Relying Party trust to something higher that 600 seconds (10 minutes) so that the FedAuth cookie cache is lower than the SAML token lifetime.

See Also:

No comments:

Post a Comment