强制用户使用ws联合身份验证和Azure AD重新输入凭据

Question

I use ws-federation with Azure AD in my web application. All is working except that i would like my users to be logged out after 30 minutes of inactivity.

Im using cookieauthentication:

app.UseCookieAuthentication(new CookieAuthenticationOptions
{
    AuthenticationType = DefaultAuthenticationTypes.ExternalCookie,
    SlidingExpiration = true,
    ExpireTimeSpan = new TimeSpan(0, 30, 0),

}); 

And my wsfederation:

app.UseWsFederationAuthentication(
    new WsFederationAuthenticationOptions
    {
        Wtrealm = _appSettings.Realm,
        MetadataAddress = _appSettings.Metadata,
        AuthenticationMode = AuthenticationMode.Passive,
        SignInAsAuthenticationType = DefaultAuthenticationTypes.ExternalCookie,
        UseTokenLifetime = false,
    });

The user is logged out of the web application after 30 minutes. But when they click the login url and gets redirected to Azure AD they're still logged in and gets automatically signed in to my application again.

I want the users to re enter their credentials before getting signed in again. Is there a way to achieve this?

Regards

Answer 1

You can change the lifetime of the Azure AD SSO ticket. The default is 480 minutes I think. Just set that to 30 and the users will have to re-authenticate.

Edit : Possibly you can set Force user to enter credential on Azure AD, since this is supported in on-prem ADFS, it might be in AAD, too.

If you do not want to change the global TTL of the SSO tickets you could also send the user to the logout endpoint of the Azure AD if your local TTL expires (but that can be avoided by the user, if he want's to - so you should stick with option 1).