We recently migrated our Arena QMS instance to the cloud (AQP 2022.1), and since then our change control workflow approvals have become significantly delayed. Before migration, approvals would route immediately to the next stage, but now there’s a 15-30 minute delay between approval actions.
The workflow routing rules appear intact in the configuration, but I’m wondering if there’s something related to SSO integration or user group mapping that might be causing this. Our approval chains involve cross-departmental teams, and we use Azure AD for SSO authentication.
Has anyone experienced similar delays after cloud migration? The delay is impacting our change turnaround times significantly.
The SSO integration piece is critical here. After cloud migration, Arena QMS needs to sync user attributes from your Azure AD more frequently, especially for approval workflows. There’s a configuration setting in the SSO connector that controls how often user group memberships are refreshed from the identity provider. Default is often set too high for organizations with dynamic approval chains. Also verify that your Azure AD group claims are being passed correctly in the SAML token - missing group attributes can cause the system to fall back to slower database lookups.
You’ll need to work with Arena support for cloud environment configuration changes, but they can adjust this quickly. In the meantime, check if your user group mapping is using nested groups - that can add significant overhead. We had a similar issue where departmental groups were nested three levels deep, and flattening the structure improved routing performance dramatically even before the cache settings were optimized.
Here’s the comprehensive solution that addresses all three areas:
Workflow Routing Rules Optimization:
First, audit your routing rules to eliminate any unnecessary dynamic group queries. Navigate to Admin > Workflow Configuration > Routing Rules and identify rules using “Current Member Of” conditions with nested groups. Convert these to direct user assignments or flattened group structures where possible. For your cross-departmental chains, create dedicated approval groups (e.g., “CC_Engineering_Approvers”) that map directly to Azure AD groups without nesting.
SSO Integration Configuration:
Work with Arena support to adjust the SSO token refresh interval. Request they reduce the group membership cache from 30 minutes to 5 minutes for your tenant. Additionally, ensure your Azure AD SAML configuration includes group claims in the token response - add “groups” to the Claims section in your Enterprise Application settings. This eliminates the need for Arena to query Azure AD separately for each approval action.
User Group Mapping Enhancement:
Implement a hybrid approach: use SSO for authentication but maintain a synchronized local group cache in Arena QMS. Set up a scheduled sync job (available in AQP 2022.1 cloud) that runs every 4 hours to update group memberships from Azure AD. This provides the benefits of centralized identity management while maintaining fast local lookups for workflow routing.
After implementing these changes, our approval routing delays dropped from 20-30 minutes to under 2 minutes. The key is balancing real-time SSO validation with local caching for performance-critical operations like workflow routing.
Another thing to verify - are your workflow routing rules using dynamic group queries or static group assignments? Dynamic queries against Azure AD in cloud deployments have higher latency than static mappings. If your approval chains don’t change frequently, consider converting to static group assignments for critical workflows.
I’ve seen this before. Check your workflow routing rules first - specifically the group membership resolution settings. In cloud deployments, Arena QMS caches user group memberships differently than on-premise. The default cache refresh interval is 30 minutes, which matches your delay pattern exactly.
Thanks for the insights. I checked the SSO connector settings and found the group membership cache was indeed set to 30 minutes. However, I’m not sure where to adjust this in the cloud environment - is this something I can configure directly or does it require Arena support involvement?