Thursday, September 25, 2014

ADFS 2.1 and SharePoint 2013 Authentication Timeout settings

When using SharePoint with an ADFS 2.1 Trusted Identity Provider, there are several authentication cookies and several places where you can set the timeouts. After much trial and error, I've discovered how to set things up so that everything properly times out (so that users aren't logged in perpetually).

By default ADFS gives you a cookie that expires after a full month (MSISIPSelectionPersistent), and SharePoint gives you a cookie that expires after a day and a half (FedAuth). When the FedAuth ticket expires, SharePoint redirects you to the trusted identity provider (ADFS). ADFS checks whether you still have its cookie; if so, it logs you back in without asking for credentials.

To stop that behavior, edit the web.config in the /adfs/ls directory and set the enabled property of the persistIdentityProviderInformation key to "false". After that, every time a user is redirected to the TIP it will make the user authenticate again. In our environment (SmartCard) this is practically seamless: it just prompts them for their PIN.

To shorten the lifetime of the FedAuth cookie, go to your SharePoint server, open the SharePoint Management PowerShell console, and run the following (replace the bracketed value with however long you want the cookie to last, in minutes):

    $sts = Get-SPSecurityTokenServiceConfig
    $sts.CookieLifetime = (New-TimeSpan -Minutes [cookie lifetime in minutes])
    $sts.Update()
    iisreset

The next time users have to check in, they'll get the new cookies and timeout settings.
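Both steps above, as an added PowerShell example (not code from the original post): one function for the ADFS server that flips the web.config setting after taking a backup, and one for the SharePoint server that sets the FedAuth cookie lifetime with a sanity check. It assumes the ADFS 2.1 web.config is at C:\inetpub\adfs\ls\web.config and that the persistIdentityProviderInformation element sits under <microsoft.identityServer.web>; confirm both on your own server before running it.

```powershell
# Run on the ADFS server, as an administrator.
function Disable-AdfsIdpPersistence {
    param([string]$WebConfigPath = 'C:\inetpub\adfs\ls\web.config')  # assumed default path

    # Keep a timestamped backup so the change can be rolled back.
    $backup = "$WebConfigPath.$(Get-Date -Format 'yyyyMMdd-HHmmss').bak"
    Copy-Item -Path $WebConfigPath -Destination $backup

    [xml]$config = Get-Content -Path $WebConfigPath
    # Assumed element location: configuration/microsoft.identityServer.web/persistIdentityProviderInformation
    $node = $config.configuration.'microsoft.identityServer.web'.persistIdentityProviderInformation
    if (-not $node) { throw "persistIdentityProviderInformation element not found in $WebConfigPath" }

    Write-Host "persistIdentityProviderInformation enabled was: $($node.enabled)"
    $node.enabled = 'false'          # stop ADFS from silently re-signing users in from its own cookie
    $config.Save($WebConfigPath)
    Write-Host "Set enabled=false; backup written to $backup"
}

# Run on the SharePoint server in the SharePoint Management Shell.
function Set-SPFedAuthLifetime {
    param([Parameter(Mandatory)][int]$Minutes)

    # Refuse a zero or negative lifetime, which would force re-authentication on every request.
    if ($Minutes -lt 1) { throw 'Minutes must be at least 1' }

    $sts = Get-SPSecurityTokenServiceConfig
    Write-Host "Current FedAuth CookieLifetime: $($sts.CookieLifetime)"
    $sts.CookieLifetime = New-TimeSpan -Minutes $Minutes
    $sts.Update()
    iisreset                          # existing sessions keep their old cookie until they check in again

    # Re-read the config to confirm the new value was persisted.
    Write-Host "New FedAuth CookieLifetime: $((Get-SPSecurityTokenServiceConfig).CookieLifetime)"
}

# Example usage on each server:
#   Disable-AdfsIdpPersistence
#   Set-SPFedAuthLifetime -Minutes 480
```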
