Enable "Keep Me Signed In" for AD FS 3.0
Written on June 24, 2015

Keep Me Signed In (KMSI) is popularly used around the web-based software world to provide users with a login assurance that persists beyond the current session. In AD FS land, Microsoft call this Persistent SSO. Persistent SSO encapsulates a number of technologies, but the simplest of these is KMSI. KMSI will provide a user with a 24-hour cookie, allowing for logins to persist across browser sessions for up to a day.

Enable the KMSI checkbox with the following simple command on your Primary AD FS server:

Set-AdfsProperties -EnableKmsi:$true

Easy as that! Run this command and your AD FS login page will update and look something like this:

If you start poking through cookies, you’ll see the validity of the sign-in token change. With KMSI off, the cookie is only valid for this session:

With KMSI on, the cookie is valid for 24 hours from the second it is provided to me:

Comments/questions

There's no commenting functionality here. If you'd like to comment, please either mention me (@chris@aus.social) on Mastodon or email me. I don't have any logging or analytics running on this website, so if you found something useful or interesting it would mean a lot to hear from you.