AD FS: Redirect user to login page when password changed?

Question

I'm using OpenID Connect and OAuth 2.0 to authenticate and authorize users directly against AD FS 4.0. I added my Angular + ASP.NET Core app as Native and Wep API application to Application groups. If I change user password in AD user will be redirected to login page only in 1 hour. I need to redirect user to login page when password is changed in the couple of minutes.

To do that I decreased TokenLifetime (access-token lifetime) from 60 minutes to 2 minutes in AdfsWebApiApplication properties. Every 2 minutes refresh token is checked but despite password changing no redirection is occurred. User is still redirected to login page in 60 minutes. Also I tried to decrease SSOLifetime to 5 minutes in AdfsProperties but in that case user is redirected to login page every 5 minutes regardless password changing status.

Get-AdfsWebApiApplication:

AccessControlPolicyName              : Permit everyone
AccessControlPolicyParameters        : 
AdditionalAuthenticationRules        : 
AllowedAuthenticationClassReferences : {}
AllowedClientTypes                   : Public, Confidential
ApplicationGroupIdentifier           : MyApp
AlwaysRequireAuthentication          : False
ClaimsProviderName                   : {}
DelegationAuthorizationRules         : 
Enabled                              : True
ImpersonationAuthorizationRules      : 
IssuanceAuthorizationRules           : 
IssueOAuthRefreshTokensTo            : AllDevices
IssuanceTransformRules               : ...


NotBeforeSkew                        : 0
Description                          : 
PublishedThroughProxy                : False
RefreshTokenProtectionEnabled        : False
RequestMFAFromClaimsProviders        : False
ResultantPolicy                      : RequireFreshAuthentication:False
                                       IssuanceAuthorizationRules:
                                       {
                                         Permit everyone
                                       }
TokenLifetime                        : 2

Get-AdfsProperties:

AddProxyAuthorizationRules                 : ...
ArtifactDbConnection                       :....
AuditLevel                                 : {Basic}
AutoCertificateRollover                    : True
CertificateCriticalThreshold               : 2
CertificateDuration                        : 365
CertificateGenerationThreshold             : 20
CertificatePromotionThreshold              : 5
CertificateRolloverInterval                : 720
CertificateSharingContainer                : 
CertificateThresholdMultiplier             : 1440
ClientCertRevocationCheck                  : None
ContactPerson                              : Microsoft.IdentityServer.Management.Resources.ContactPerson
DisplayName                                : login
IntranetUseLocalClaimsProvider             : False
ExtendedProtectionTokenCheck               : Allow
FederationPassiveAddress                   : /adfs/ls/
HostName                                   : login
HttpPort                                   : 80
HttpsPort                                  : 443
TlsClientPort                              : 49443
Identifier                                 : <identifier>
IdTokenIssuer                              : <issuer>
InstalledLanguage                          : en-US
LogLevel                                   : {Errors, FailureAudits, Information, Verbose...}
MonitoringInterval                         : 1440
NetTcpPort                                 : 1501
NtlmOnlySupportedClientAtProxy             : False
OrganizationInfo                           : 
PreventTokenReplays                        : False
ProxyTrustTokenLifetime                    : 21600
ReplayCacheExpirationInterval              : 60
SignedSamlRequestsRequired                 : False
SamlMessageDeliveryWindow                  : 5
SignSamlAuthnRequests                      : False
SsoLifetime                                : 480
PersistentSsoLifetimeMins                  : 129600
KmsiLifetimeMins                           : 1440
PersistentSsoEnabled                       : True
PersistentSsoCutoffTime                    : 01/01/0001 00:00:00
KmsiEnabled                                : False
LoopDetectionEnabled                       : True
LoopDetectionTimeIntervalInSeconds         : 20
LoopDetectionMaximumTokensIssuedInInterval : 5
PasswordValidationDelayInMinutes           : 60
SendClientRequestIdAsQueryStringParameter  : False
WIASupportedUserAgents                     : {MSAuthHost/1.0/In-Domain, MSIE 6.0, MSIE 7.0, MSIE 8.0...}
BrowserSsoSupportedUserAgents              : {Windows NT 1, Windows Phone 1}
ExtranetLockoutThreshold                   : 2147483647
ExtranetLockoutEnabled                     : False
ExtranetObservationWindow                  : 00:30:00
GlobalRelyingPartyClaimsIssuancePolicy     : ...
ExtranetLockoutRequirePDC                  : True
LocalAuthenticationTypesEnabled            : True
RelayStateForIdpInitiatedSignOnEnabled     : False
BrowserSsoEnabled                          : True
DelegateServiceAdministration              : 
AllowSystemServiceAdministration           : False
AllowLocalAdminsServiceAdministration      : True
CurrentFarmBehavior                        : 3
DeviceUsageWindowInDays                    : 14
EnableIdpInitiatedSignonPage               : False
IgnoreTokenBinding                         : False

I suppose that PasswordValidationDelayInMinutes = 60 is responsible for that. But I cannot change this parameter using Set-AdfsProperties command.

What can I do to redirect user to login page in 2 minutes?

Answer 1

After 2 minutes app. token times out - goes to ADFS - token not timed out because it's 5 minutes so new token minted.

So ADFS timeout needs to be less than app. timeout.