All,
Good day. I am currently on a project that is creating a web application that uses AD FS for authentication. We are using claims based authentication and its an ASP.NET application. The relying party trust in AD FS is set to 90 minutes and the SSO token is set to 1 day.
The app pool in IIS is set to 90 minutes and the cookie timeout is also set to 90.
Problem: If we log in to the web application and leave the page idle for 90 minutes, we are not getting logged off. After 90 minutes, we should be redirected to the log in page, assuming that our timers are correct. However this is not what is happening. Additional, after 90 minutes, clicking on a link within the page, doesn't force the user to re-authenticate and it just goes on functioning without a problem. It's appears the the session/cookie is not expiring.
Any help the community can give would be excellent. I am more of a liaison (systems engineer) so I will get answers to any questions that you all ask. I have been assured by our web developers that this is something wrong on the server side because their code hasn't changed and apparently this used to function.
Hence, while I wait for Microsoft to call us page, I thought turning to the forum of experts might yield some valuable information. I am looking forward to your help.
ASP.NET - Session State = InProc
Terry