When using the Outlook desktop application, if the AD password is changed, Outlook still uses a cached credential even after 30 minutes.
- AM configured for WS-Fed with the Active Requestor profile
- Open Outlook desktop
- Change AD password
- Wait 30 minutes
- Try to access Outlook
Alternative test: See attachment
org.forgerock.openam.saml2.plugins.DefaultWsFedAuthenticator throws ActiveRequestorException and returns 500 for the SOAPFault on an authentication error.
It seems the Outlook/Skype clients need a 401 Unauthorized status code for the SOAP error in order to reprompt for credentials (otherwise they may send the old cached credentials).
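
A check a tester could run over recorded responses from the active requestor endpoint, flagging authentication faults that are not sent with 401. This is an added example, not AM code; the `FailedAuthentication` fault code, the helper names `fault_codes` and `check`, and the sample bodies are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# SOAP 1.1 and SOAP 1.2 envelope namespaces
SOAP_NS = (
    "http://schemas.xmlsoap.org/soap/envelope/",
    "http://www.w3.org/2003/05/soap-envelope",
)
# Assumption: the server reports bad credentials with this fault code
AUTH_FAULTS = {"FailedAuthentication"}

# Constructed sample bodies, not captured from a real deployment
AUTH_FAULT = (
    '<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" '
    'xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/'
    'oasis-200401-wss-wssecurity-secext-1.0.xsd"><s:Body><s:Fault>'
    '<s:Code><s:Value>s:Sender</s:Value><s:Subcode>'
    '<s:Value>wsse:FailedAuthentication</s:Value></s:Subcode></s:Code>'
    '</s:Fault></s:Body></s:Envelope>'
)
SERVER_FAULT = (
    '<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope">'
    '<s:Body><s:Fault><s:Code><s:Value>s:Receiver</s:Value></s:Code>'
    '</s:Fault></s:Body></s:Envelope>'
)

def fault_codes(body):
    """Local names of all fault codes in a SOAP 1.1/1.2 body ([] if none)."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return []
    codes = []
    for ns in SOAP_NS:
        for fault in root.iter(f"{{{ns}}}Fault"):
            # SOAP 1.1 uses unqualified <faultcode>; 1.2 uses Code/Value
            values = list(fault.iter("faultcode"))
            values += list(fault.iter(f"{{{ns}}}Value"))
            codes += [v.text.strip().split(":")[-1] for v in values if v.text]
    return codes

def check(status, body):
    """Classify one response: is an authentication fault sent with 401?"""
    if not AUTH_FAULTS.intersection(fault_codes(body)):
        return "not-auth-fault"
    return "ok" if status == 401 else "wrong-status"

if __name__ == "__main__":
    for status, body in [(500, AUTH_FAULT), (401, AUTH_FAULT), (500, SERVER_FAULT)]:
        print(status, check(status, body))
```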