After configuring ADFS v2 for SharePoint 2010, when I tried to log in I found that after authenticating to ADFS I got caught in an endless loop, going back and forth between SharePoint and ADFS.
In Fiddler it turns out that I am authenticating successfully to ADFS, I come back to SharePoint and it successfully issues the FedAuth cookie,
then it redirects me to /_layouts/authenticate.aspx on the SharePoint site, which clears out the FedAuth cookie and redirects me back to the ADFS site.
I basically ping-pong back and forth until ADFS stops it.
In the Event Viewer on the ADFS server I saw this exception:
Exception details:
Microsoft.IdentityServer.Web.InvalidRequestException: MSIS7042: The same client browser session has made '6' requests in the last '11' seconds. Contact your administrator for details.
at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.UpdateLoopDetectionCookie()
at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.SendSignInResponse(MSISSignInResponse response)
That's because the default LogonTokenCacheExpirationWindow for the SharePoint STS is 10 minutes. In this case, when I created my relying party, by default it set the token lifetime in ADFS to 2 minutes, so as soon as SharePoint authenticated it knew the cookie was good for less time than the LogonTokenCacheExpirationWindow value. Therefore it went back to ADFS to authenticate again, and so it went, back and forth. So I needed to change the LogonTokenCacheExpirationWindow to be less than the SAML TokenLifetime.
The fix is this PowerShell script:
# Run in the SharePoint 2010 Management Shell on a SharePoint server
$sts = Get-SPSecurityTokenServiceConfig
# Make the cache window shorter than the ADFS relying-party token lifetime (2 minutes here)
$sts.LogonTokenCacheExpirationWindow = (New-TimeSpan -Minutes 1)
$sts.Update()
# Restart IIS so the STS picks up the new value
iisreset
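As an added example (not part of the original post), here is a pre-flight check that compares the SharePoint STS LogonTokenCacheExpirationWindow with the ADFS relying-party token lifetime and reports whether the redirect loop will occur, optionally applying the fix. It assumes you run it in the SharePoint 2010 Management Shell (PowerShell 2.0) on a SharePoint server, and that you read the token lifetime beforehand on the ADFS server with `(Get-ADFSRelyingPartyTrust -Name '<your RP name>').TokenLifetime`; the function name Test-LogonTokenCacheWindow, the parameters and the "one minute shorter" recommendation are my own choices, not anything from the post.

```powershell
# Added example: detect the SharePoint/ADFS redirect-loop misconfiguration before it bites.
# Assumes the SharePoint 2010 Management Shell (PowerShell 2.0) on a SharePoint server.
# -TokenLifetimeMinutes is the relying party's TokenLifetime as read on the ADFS server;
# a value of 0 there means "ADFS default", so set or look up an explicit value first.
param(
    [Parameter(Mandatory = $true)]
    [ValidateRange(1, [int]::MaxValue)]
    [int]$TokenLifetimeMinutes,

    # Apply the fix instead of only reporting it.
    [switch]$Fix
)

function Test-LogonTokenCacheWindow {
    param(
        [TimeSpan]$CacheWindow,
        [int]$TokenLifetimeMinutes
    )
    $lifetime = New-TimeSpan -Minutes $TokenLifetimeMinutes

    # SharePoint re-authenticates when the token would expire inside the cache window,
    # so the window must be strictly shorter than the token lifetime.
    $willLoop = ($CacheWindow -ge $lifetime)

    # Recommended window (my rule of thumb): one minute shorter than the lifetime,
    # but never less than one minute; a 1-minute lifetime needs a longer lifetime instead.
    $recommended = $lifetime.Subtract((New-TimeSpan -Minutes 1))
    if ($recommended -lt (New-TimeSpan -Minutes 1)) { $recommended = New-TimeSpan -Minutes 1 }

    New-Object PSObject -Property @{
        CacheWindow       = $CacheWindow
        TokenLifetime     = $lifetime
        WillLoop          = $willLoop
        RecommendedWindow = $recommended
    }
}

# Load the SharePoint snap-in if this is a plain PowerShell console.
if (-not (Get-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell
}

$sts    = Get-SPSecurityTokenServiceConfig
$result = Test-LogonTokenCacheWindow -CacheWindow $sts.LogonTokenCacheExpirationWindow `
                                     -TokenLifetimeMinutes $TokenLifetimeMinutes
$result | Format-List CacheWindow, TokenLifetime, WillLoop, RecommendedWindow

if ($result.WillLoop) {
    Write-Warning ("LogonTokenCacheExpirationWindow ({0}) is not shorter than the ADFS token lifetime ({1}); " +
                   "expect the SharePoint/ADFS redirect loop (MSIS7042)." -f $result.CacheWindow, $result.TokenLifetime)
    if ($Fix) {
        if ($result.RecommendedWindow -ge $result.TokenLifetime) {
            Write-Warning "Token lifetime is too short to fix on the SharePoint side; raise TokenLifetime on the relying party in ADFS instead."
        } else {
            $sts.LogonTokenCacheExpirationWindow = $result.RecommendedWindow
            $sts.Update()
            Write-Host ("Set LogonTokenCacheExpirationWindow to {0}; run iisreset to apply." -f $result.RecommendedWindow)
        }
    }
} else {
    Write-Host "Cache window is shorter than the token lifetime; no loop expected."
}
```

Save it as a .ps1 and run it with `-TokenLifetimeMinutes 2` (the lifetime from the post) to see the warning; add `-Fix` to have it set the window to one minute, which matches the fix above. Checking this way, rather than only after the MSIS7042 event appears, is useful whenever someone changes the token lifetime on the ADFS side.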