I have an RP connected to ADFS, and ADFS then uses federation to go through a chain of R-STSs to the IDP.
Just wondering what the rules around token time-out are?
If the RP token times out, it will go back to ADFS for a new token. If the ADFS token time-out is less than the RP token time-out, does ADFS then pass this to the preceding one in the chain, which checks its token time-out and (if timed out) passes it back upstream, potentially all the way to the IDP?
If one of the upstream R-STSs had not timed out, would it simply re-mint the token at that level? I assume that it would need to store the token information that it received from its upstream partner in order to do this, perhaps in a cookie? The problem is that I can't see any sign of these.
WS-Fed is used all the way up.
I can't find any articles that define the correct behaviour, hence the question.