NotOnOrAfter security token expiration

You may see this error message when accessing a SAML 2.0-protected web server:

INVALID Remarks: Time condition: for security reasons NotOnOrAfter (2013-02-26T21:41:54.321Z) cannot be more than 5 minutes ahead of the current time (2013-02-26T20:41:54.806Z)]

Some Relying Parties (aka Service Providers or SPs) set a threshold on the time-to-live of login assertions. They do this by examining the NotOnOrAfter value in your login token and rejecting it if that value is too far in the future. In the example above, the NotOnOrAfter time on the token is a full hour past the current time, and the SP rejected it because it only accepts assertions that expire within 5 minutes.
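To make the SP side of this concrete, here is an added example (not code from the original post) of the time-condition check a Service Provider applies to the <saml:Conditions> element of an incoming assertion. The assertion is constructed for illustration and reuses the timestamps from the error message above; the 5-minute limit and the 2-minute clock-skew allowance are assumptions, not values every SP uses. It runs in Windows PowerShell or PowerShell 7 without AD FS installed.

```powershell
# Added example, not code from the original post: the time-condition check a Service Provider
# applies to <saml:Conditions>. The assertion, issuer and audience below are constructed for
# illustration; the 5-minute limit and 2-minute skew allowance are assumptions.

$assertionXml = @'
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_constructed-example" Version="2.0" IssueInstant="2013-02-26T20:41:54.321Z">
  <saml:Issuer>http://idp.example.invalid/adfs/services/trust</saml:Issuer>
  <saml:Conditions NotBefore="2013-02-26T20:41:54.321Z" NotOnOrAfter="2013-02-26T21:41:54.321Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.invalid/</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>
'@

function ConvertFrom-SamlTime {
    # SAML timestamps are UTC xs:dateTime values ("...Z"); parse them culture-independently
    # and keep them UTC so the host's local time zone cannot skew the comparison.
    param([Parameter(Mandatory)][string]$Value)
    [datetime]::Parse($Value, [cultureinfo]::InvariantCulture,
                      [System.Globalization.DateTimeStyles]::AdjustToUniversal)
}

function Test-AssertionTimeCondition {
    param(
        [Parameter(Mandatory)][string]$AssertionXml,
        [datetime]$Now = [datetime]::UtcNow,   # injectable so the check is reproducible
        [int]$MaxLifetimeMinutes = 5,
        [int]$ClockSkewSeconds = 120
    )
    [xml]$doc = $AssertionXml
    $ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('saml', 'urn:oasis:names:tc:SAML:2.0:assertion')
    $cond = $doc.SelectSingleNode('/saml:Assertion/saml:Conditions', $ns)
    if (-not $cond) { return [pscustomobject]@{ Valid = $false; Reason = 'no Conditions element' } }

    $notBefore    = ConvertFrom-SamlTime $cond.GetAttribute('NotBefore')
    $notOnOrAfter = ConvertFrom-SamlTime $cond.GetAttribute('NotOnOrAfter')
    $skew = [timespan]::FromSeconds($ClockSkewSeconds)

    # Standard validity window, with a small skew allowance in both directions.
    if ($Now + $skew -lt $notBefore) {
        return [pscustomobject]@{ Valid = $false; Reason = "not yet valid (NotBefore $notBefore)" }
    }
    if ($Now - $skew -ge $notOnOrAfter) {
        return [pscustomobject]@{ Valid = $false; Reason = "expired (NotOnOrAfter $notOnOrAfter)" }
    }
    # The rule behind the error on this page: an assertion that stays valid for much longer
    # than the SP expects is rejected, since a long window is worth more to a replayed token.
    $ahead = $notOnOrAfter - $Now
    if ($ahead -gt [timespan]::FromMinutes($MaxLifetimeMinutes)) {
        return [pscustomobject]@{
            Valid  = $false
            Reason = "NotOnOrAfter is $([math]::Floor($ahead.TotalMinutes)) min ahead of now; limit is $MaxLifetimeMinutes min"
        }
    }
    [pscustomobject]@{ Valid = $true; Reason = 'time conditions satisfied' }
}

# Evaluate the constructed assertion at the clock time quoted in the page's error message,
# first with the strict 5-minute SP, then with one that accepts the 60-minute default.
$now = ConvertFrom-SamlTime '2013-02-26T20:41:54.806Z'
Test-AssertionTimeCondition -AssertionXml $assertionXml -Now $now
Test-AssertionTimeCondition -AssertionXml $assertionXml -Now $now -MaxLifetimeMinutes 60
```

The first call reproduces the page's rejection (the expiry is about 59 minutes ahead of a 5-minute limit); the second shows the same token is acceptable to an SP whose limit matches the issuer's lifetime. The skew allowance is kept separate from the lifetime limit on purpose: skew covers honest clock drift, while the lifetime limit is the SP's policy on how long a stolen assertion would remain usable.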

So let's change this on the Claims Provider (aka Identity Provider or IdP). The default lifetime of a Microsoft login token is 60 minutes, which is what the token in the error message above reflects. Let's change it to 4 minutes so that small clock differences between the IdP and the SP don't cause trouble. Assuming you have admin access to the federation server:

  1. Start an administrative PowerShell prompt.
  2. Issue the commands:

# Load the AD FS 2.0 cmdlets
PS > Add-PSSnapin Microsoft.Adfs.PowerShell

# List all relying party trusts; note the 'Name' attribute's value for the relying party you're modifying
PS > Get-ADFSRelyingPartyTrust

# Confirm the trust and its current TokenLifetime (0 means the 60-minute default)
PS > Get-ADFSRelyingPartyTrust -Name "someRelyingPartyName"

# TokenLifetime is in minutes
PS > Set-ADFSRelyingPartyTrust -TargetName "someRelyingPartyName" -TokenLifetime 4
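The same procedure as a script that checks before it changes anything and reads the value back afterwards. This is an added example, not code from the original post or from Microsoft; the relying party name, the SP's 5-minute limit and the 1-minute safety margin are parameters you supply, and it must run from an elevated prompt on the AD FS 2.0 federation server.

```powershell
# Added example, not code from the original post: set the token lifetime for one relying party
# trust so it fits under the SP's NotOnOrAfter limit, then verify the change.
# Assumptions: AD FS 2.0 snap-in cmdlets (as listed on the page), elevated prompt on the
# federation server, and an SP limit of 5 minutes (override with -SpMaxLifetimeMinutes).
param(
    [Parameter(Mandatory)][string]$RelyingPartyName,   # the 'Name' shown by Get-ADFSRelyingPartyTrust
    [int]$SpMaxLifetimeMinutes = 5,                     # the SP's NotOnOrAfter limit (assumed)
    [int]$SafetyMarginMinutes = 1                       # headroom for clock drift between IdP and SP
)

# AD FS 2.0 ships its cmdlets as a snap-in; load it only if it is not already present.
if (-not (Get-PSSnapin -Name Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.Adfs.PowerShell
}

$rp = Get-ADFSRelyingPartyTrust -Name $RelyingPartyName
if (-not $rp) { throw "No relying party trust named '$RelyingPartyName'." }

$target = $SpMaxLifetimeMinutes - $SafetyMarginMinutes
if ($target -lt 1) { throw "Target lifetime must be at least 1 minute." }

# TokenLifetime is in minutes; 0 means the service default, which the page gives as 60 minutes.
$current = if ($rp.TokenLifetime -eq 0) { 60 } else { $rp.TokenLifetime }
Write-Host "Current token lifetime for '$RelyingPartyName': $current min (TokenLifetime=$($rp.TokenLifetime))"

if ($current -le $target) {
    Write-Host "Already within the SP's $SpMaxLifetimeMinutes-minute limit; nothing to change."
    return
}

Set-ADFSRelyingPartyTrust -TargetName $RelyingPartyName -TokenLifetime $target

# Read the value back rather than assuming the call succeeded silently.
$after = (Get-ADFSRelyingPartyTrust -Name $RelyingPartyName).TokenLifetime
if ($after -ne $target) { throw "Token lifetime is $after, expected $target." }
Write-Host "Token lifetime for '$RelyingPartyName' is now $after min."
```

Save it as, for example, Set-RpTokenLifetime.ps1 and run `.\Set-RpTokenLifetime.ps1 -RelyingPartyName "someRelyingPartyName"`. Deriving the target from the SP's limit minus a margin, rather than hard-coding 4, keeps the reason for the number next to the number; the read-back at the end is what turns a change into a verified change.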



Claims-based authentication and security token expiration
http://technet.microsoft.com/en-us/library/gg188586.aspx

AD FS 2 Powershell Overview
http://technet.microsoft.com/en-us/library/adfs2-help-using-windows-powershell(v=ws.10).aspx
