SharePoint 2013 Search Application is not forcing the user to reauthenticate, shows access denied.

We have an on-prem SharePoint 2013 setup with SAML authentication.

  • SAML token expires in 5 minutes.
  • Session cookie expires in 5 hours.
  • Logon token cache on SharePoint is 1 minute.

Scenario:

  1. User starts a new session and requests the SharePoint site.
  2. Browser is redirected to the authentication provider, then redirected back to SharePoint presenting the SAML token.
  3. SharePoint accepts the token and provides the user with a 5-hour session cookie.
  4. If the user performs a search within the SAML token's 5-minute lifetime, the search application works.
  5. If the user tries to search after the SAML token's 5-minute lifetime, the search application returns:
ID4223: The SamlSecurityToken is rejected because the SamlAssertion.NotOnOrAfter condition is not satisfied. NotOnOrAfter: '8/25/2015 5:17:19 PM' Current time: '8/25/2015 5:46:57 PM'
ID3242: The security token could not be authenticated or authorized.

Shouldn't SharePoint send the user back to the authentication provider to re-authenticate? Any suggestion on configuration is appreciated. Thank you.

  • Edited by Tak Wan Wednesday, August 26, 2015 7:23 PM
August 26th, 2015 7:21pm

Hi Tak,

What is the SAML token provider for your SharePoint, ADFS or another provider? It sounds like the token provider cannot load a security token to the application server. To troubleshoot the issue, please first check whether the clock time is synced between your identity provider and the application server.

If the issue persists, please check the event log on the security token provider server to get more information, and you may also use Fiddler to trace the HTTP request when the user performs a search after the SAML token expires.

Thanks,
Reken Liu

August 27th, 2015 1:25pm
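The ID4223 error in the question is the relying party re-evaluating the assertion's Conditions after NotOnOrAfter has passed, and the reply's first suggestion (clock sync) matters because that check is only forgiving up to an allowed clock skew. The following is an added example, not code from either poster or from SharePoint: it parses a constructed minimal SAML 1.1 assertion (using the NotOnOrAfter time from the error, treated as UTC) and evaluates the validity window with a configurable skew, so you can see how far apart the IdP and RP clocks can drift before a still-valid token is rejected.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML1_NS = "urn:oasis:names:tc:SAML:1.0:assertion"

# Constructed sample (not a real token): a minimal SAML 1.1 assertion whose
# Conditions carry the NotOnOrAfter from the error above, treated as UTC.
SAMPLE_ASSERTION = (
    '<saml:Assertion xmlns:saml="' + SAML1_NS + '" AssertionID="_constructed">'
    '<saml:Conditions NotBefore="2015-08-25T17:12:19Z" '
    'NotOnOrAfter="2015-08-25T17:17:19Z"/>'
    '</saml:Assertion>'
)


def parse_saml_time(value):
    """SAML timestamps are ISO 8601 in UTC; accept optional fractional seconds."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%M:%S.%fZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError("unrecognised SAML timestamp: " + value)


def check_conditions(assertion_xml, now, skew=timedelta(minutes=5)):
    """Evaluate the assertion's validity window the way a relying party does.

    Returns (ok, reason). `skew` is the tolerated clock difference between
    IdP and RP. NotOnOrAfter is exclusive: now == NotOnOrAfter is rejected.
    """
    root = ET.fromstring(assertion_xml)
    cond = root.find("{%s}Conditions" % SAML1_NS)
    if cond is None:
        return False, "assertion has no Conditions element"
    not_before = cond.get("NotBefore")
    not_on_or_after = cond.get("NotOnOrAfter")
    if not_before and now + skew < parse_saml_time(not_before):
        return False, "NotBefore condition not satisfied"
    if not_on_or_after and now - skew >= parse_saml_time(not_on_or_after):
        return False, "NotOnOrAfter condition not satisfied (token expired)"
    return True, "conditions satisfied"


def check_sample(now_iso, skew_minutes=5):
    """Convenience wrapper: evaluate SAMPLE_ASSERTION at a given UTC instant."""
    return check_conditions(SAMPLE_ASSERTION, parse_saml_time(now_iso),
                            timedelta(minutes=skew_minutes))
```

With the question's "current time" of 5:46:57 PM the token is nearly 30 minutes past NotOnOrAfter, so no realistic skew allowance makes it valid; only a fresh round trip to the identity provider would.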
