我正在使用OpenID Connect和OAuth 2.0直接针对AD FS 4.0进行身份验证和授权。我将Angular + ASP.NET Core应用程序作为本机和Wep API应用程序添加到应用程序组。如果我在AD中更改用户密码,用户将仅在1小时内重定向到登录页面。在几分钟之内更改密码后,我需要将用户重定向到登录页面。
为此,我在AdfsWebApiApplication属性中将TokenLifetime(访问令牌生存期)从60分钟减少到2分钟。每2分钟检查一次刷新令牌,但是尽管更改了密码,也没有发生重定向。用户仍会在60分钟内重定向到登录页面。我也尝试将AdfsProperties中的SSOLifetime减少到5分钟,但是在这种情况下,无论密码更改状态如何,用户每5分钟就会重定向到登录页面一次。
Get-AdfsWebApiApplication:
AccessControlPolicyName : Permit everyone
AccessControlPolicyParameters :
AdditionalAuthenticationRules :
AllowedAuthenticationClassReferences : {}
AllowedClientTypes : Public, Confidential
ApplicationGroupIdentifier : MyApp
AlwaysRequireAuthentication : False
ClaimsProviderName : {}
DelegationAuthorizationRules :
Enabled : True
ImpersonationAuthorizationRules :
IssuanceAuthorizationRules :
IssueOAuthRefreshTokensTo : AllDevices
IssuanceTransformRules : ...
NotBeforeSkew : 0
Description :
PublishedThroughProxy : False
RefreshTokenProtectionEnabled : False
RequestMFAFromClaimsProviders : False
ResultantPolicy : RequireFreshAuthentication:False
IssuanceAuthorizationRules:
{
Permit everyone
}
TokenLifetime : 2
Get-AdfsProperties:
AddProxyAuthorizationRules : ...
ArtifactDbConnection :....
AuditLevel : {Basic}
AutoCertificateRollover : True
CertificateCriticalThreshold : 2
CertificateDuration : 365
CertificateGenerationThreshold : 20
CertificatePromotionThreshold : 5
CertificateRolloverInterval : 720
CertificateSharingContainer :
CertificateThresholdMultiplier : 1440
ClientCertRevocationCheck : None
ContactPerson : Microsoft.IdentityServer.Management.Resources.ContactPerson
DisplayName : login
IntranetUseLocalClaimsProvider : False
ExtendedProtectionTokenCheck : Allow
FederationPassiveAddress : /adfs/ls/
HostName : login
HttpPort : 80
HttpsPort : 443
TlsClientPort : 49443
Identifier : <identifier>
IdTokenIssuer : <issuer>
InstalledLanguage : en-US
LogLevel : {Errors, FailureAudits, Information, Verbose...}
MonitoringInterval : 1440
NetTcpPort : 1501
NtlmOnlySupportedClientAtProxy : False
OrganizationInfo :
PreventTokenReplays : False
ProxyTrustTokenLifetime : 21600
ReplayCacheExpirationInterval : 60
SignedSamlRequestsRequired : False
SamlMessageDeliveryWindow : 5
SignSamlAuthnRequests : False
SsoLifetime : 480
PersistentSsoLifetimeMins : 129600
KmsiLifetimeMins : 1440
PersistentSsoEnabled : True
PersistentSsoCutoffTime : 01/01/0001 00:00:00
KmsiEnabled : False
LoopDetectionEnabled : True
LoopDetectionTimeIntervalInSeconds : 20
LoopDetectionMaximumTokensIssuedInInterval : 5
PasswordValidationDelayInMinutes : 60
SendClientRequestIdAsQueryStringParameter : False
WIASupportedUserAgents : {MSAuthHost/1.0/In-Domain, MSIE 6.0, MSIE 7.0, MSIE 8.0...}
BrowserSsoSupportedUserAgents : {Windows NT 1, Windows Phone 1}
ExtranetLockoutThreshold : 2147483647
ExtranetLockoutEnabled : False
ExtranetObservationWindow : 00:30:00
GlobalRelyingPartyClaimsIssuancePolicy : ...
ExtranetLockoutRequirePDC : True
LocalAuthenticationTypesEnabled : True
RelayStateForIdpInitiatedSignOnEnabled : False
BrowserSsoEnabled : True
DelegateServiceAdministration :
AllowSystemServiceAdministration : False
AllowLocalAdminsServiceAdministration : True
CurrentFarmBehavior : 3
DeviceUsageWindowInDays : 14
EnableIdpInitiatedSignonPage : False
IgnoreTokenBinding : False
我想PasswordValidationDelayInMinutes = 60对此负责。但是我无法使用Set-AdfsProperties命令更改此参数。
如何在2分钟内将用户重定向到登录页面?