How to Configure SAML2 SSO and Session Timeout in Evolve (On-Premises)
Overview
This article explains how to enable Single Sign-On (SSO) using SAML 2.0 in Evolve on-premises deployments, and how to view and adjust the session timeout configuration.
Applies To
- Product: Casewise Evolve / erwin Evolve
- Versions: 2022.0.0 and later
- Deployment: On-Premises only
Part 1 — Enabling SAML2 SSO in Evolve
Evolve supports three authentication modes:
- Windows Authentication (Direct Active Directory)
- Forms Authentication
- SAML 2.0 (federated SSO — recommended for cross-application SSO)
Important: Windows Authentication cannot share sessions with external applications. To enable cross-application SSO (e.g. from a portal or another application into Evolve without re-authentication), SAML 2.0 must be configured.
Prerequisites
- An Identity Provider (IdP) is already configured — ADFS or Azure AD
- Both the source application and Evolve are registered as Service Providers in the IdP
- You have Administrator access to the Evolve server
Step 1 — Register Evolve in your Identity Provider
If using ADFS:
- Open ADFS Management Console → Add Relying Party Trust
- Identifier:
https://[your-evolve-server]/ - Assertion Consumer Service (ACS) URL:
https://[your-evolve-server]/Saml2/Acs - Complete the wizard and configure claim rules
If using Azure AD:
- Azure Portal → Enterprise Applications → New Application → Create your own
- Set up Single Sign-On → SAML
- Reply URL (ACS):
https://[your-evolve-server]/Saml2/Acs - Identifier (Entity ID):
https://[your-evolve-server]/ - Download the Federation Metadata XML — you will need this in Step 2
Step 2 — Configure SAML2 in the Evolve Server Configurator
- On the Evolve server, open CwEvolveServerConfigurator.exe
- Navigate to: Security Settings → Authentication Mode
- Select: SAML2
- Enter your IdP Metadata URL (from ADFS or Azure AD)
- Click Save
Step 3 — Restart IIS
Open Command Prompt as Administrator and run:
iisreset /restart
Step 4 — Verify
Open a browser, navigate to your Evolve URL. You should be redirected to your IdP login page (ADFS / Azure AD). After authenticating once, navigating from other registered applications should not prompt for credentials again.
Part 2 — Viewing and Adjusting Session Timeout
The session timeout controls how long a user remains logged into Evolve after a period of inactivity. There are three places where this is controlled:
Method A — Evolve Server Configurator (Recommended)
- Open CwEvolveServerConfigurator.exe on the Evolve server
- Navigate to: Security Settings → Session Timeout
- Change the value (in minutes). Recommended: 60
- Click Save and restart IIS:
iisreset /restart
Method B — IIS Manager
- Open IIS Manager
- Navigate to: Application Pools → [Your Evolve App Pool]
- Click Advanced Settings
- Under Process Model → Idle Time-out (minutes)
- Set to 60 (or your preferred value)
Method C — web.config
- Locate:
C:\inetpub\wwwroot\[EvolveApp]\web.config - Find and update the sessionState element:
<system.web>
<sessionState timeout="60" slidingExpiration="true" />
</system.web>
- After saving, restart IIS:
iisreset /restart
Recommended Timeout Values
| Environment | Recommended Timeout |
|---|---|
| Development / Testing | 480 minutes (8 hours) |
| Production (standard) | 60 minutes |
| High-security production | 20 minutes |
Related Articles
Keywords: SSO, SAML2, single sign-on, session timeout, IIS, authentication, ADFS, Azure AD, Windows Authentication, Evolve, on-premises, Kentor, cross-application






Comments