ADFS Server 2016 - SSO & PSSO

SSO and Authenticated Devices Explanation

After providing credentials for the first time, by default users with registered devices get single Sign-On for a maximum period of 90 days, provided they use the device to access AD FS resources at least once every 14 days. If they wait 15 days after providing credentials, users will be prompted for credentials again.

Persistent SSO is enabled by default. If it is disabled, no PSSO cookie will be written.


SSO and PSSO settings:

 The AD FS 2016 PowerShell cmdlet for SSO and PSSO are as follows:


  • PSSO is enabled/disabled

Set-AdfsProperties -EnablePersistentSso <Boolean\>

  • Device usage window is 14 days by default

Set-AdfsProperties -DeviceUsageWindowInDays <Int32\>

  • Maximum SSO period is 90 days by default

Set-AdfsProperties -PersistentSsoLifetimeMins <Int32\>


KSMI for unauthenticated devices:


  • KMSI is enabled/disabled

Set-AdfsProperties -EnableKmsi <Boolean\>

  • SSO lifetime is measured in minutes; default value is 480

Set-AdfsProperties -SsoLifetime <Int32\>

  • KMSI lifetime is measured in minutes; default value is 1440

Set-AdfsProperties -SsoLifetime <Int32\>


Multi-factor authentication (MFA) behaviour

It's important to note that, while providing relatively long periods of single sign on, AD FS will prompt for additional authentication (MFA) when a previous sign on was based on primary credentials and not MFA, but the current sign on requires MFA. This is regardless of SSO configuration. AD FS, when it receives an authentication request, first determines whether or not there is an SSO context (such as a cookie) and then, if MFA is required (such as if the request is coming in from outside) it will assess whether or not the SSO context contains MFA. If not, MFA is prompted.


PSSO revocation

To protect security, AD FS will reject any persistent SSO cookie previously issued when the following conditions are met. This will require the user to provide their credentials in order to authenticate with AD FS again.


To set the cutoff time, run the following PowerShell cmdlet:

Set-AdfsProperties -PersistentSsoCutoffTime <DateTime>


Was this article helpful?
0 out of 0 found this helpful
Have more questions? Submit a request