OData service token expires during requirement approval, causing approval loss in workflow

PLM SAP PLM
, , , , , , , ,
1

Our requirement approval workflow is losing approvals when OData service tokens expire during the approval process. Users click ‘Approve’ in the Fiori workflow app, but the approval doesn’t register and they have to restart the approval from scratch.

Gateway error log shows:


HTTP 401 Unauthorized
SAML token expired at 14:35:12
Approval POST failed: /sap/opu/odata/sap/REQ_APPROVAL_SRV/ApprovalSet

The token lifetime is set to 30 minutes in Gateway configuration, but our approval process often takes 45-60 minutes as users review requirement details and attached documents. When they finally click approve, the token has expired and the approval is lost.

We’re on SAP PLM 2020 with Gateway 7.5. The workflow doesn’t implement automatic token refresh, and users don’t realize their session has expired until the approval fails. Is there a way to extend the token lifetime or implement automatic refresh for approval workflows?

2

Extending the OData token lifetime beyond 30 minutes can create security risks, but you can configure it in transaction SICF. Navigate to the Gateway service node and adjust the session timeout parameter.

However, a better approach is to implement token refresh in the Fiori app itself. The app should detect when the token is about to expire and request a new token before submitting the approval.

3

I checked SPRO and the ‘Enable Token Refresh’ option is not enabled. Should I enable this for the requirement approval service specifically, or is it a global Gateway setting?

Also, does enabling token refresh require changes to the Fiori app code, or does the Gateway handle it automatically? Our approval app is a standard SAP Fiori app (My Inbox), so I’m not sure if we can modify the token refresh behavior.

4

Before making configuration changes, verify that the token expiry is actually the root cause. Sometimes the 401 error occurs due to session timeout rather than token expiry, and these require different fixes.

Run transaction SMICM and check the ICF session timeout settings. If ICF sessions are timing out before the OData token expires, you’ll see the same 401 error but token refresh won’t help. You need to align ICF session timeout with OData token lifetime.

5

Token refresh is a global Gateway setting, but you can configure service-specific timeouts in /IWFND/MAINT_SERVICE. For approval workflows, I’d recommend a hybrid approach: enable token refresh globally, but also extend the timeout specifically for the approval service to 60 minutes.

The My Inbox app should handle token refresh automatically if it’s enabled in Gateway. However, you might need to update the app to a newer version that supports the refresh flow. Check SAP Note 2847294 for details on Fiori My Inbox token handling.

6

This is a common workflow integration issue. Here’s the complete solution addressing all three focus areas:

1. OData Token Lifetime Configuration: The 30-minute token lifetime is too short for approval workflows. Configure service-specific timeout in /IWFND/MAINT_SERVICE:


Service: REQ_APPROVAL_SRV
Session Timeout: 3600 seconds (60 minutes)
Token Refresh Enabled: Yes
Refresh Window: 300 seconds (5 minutes before expiry)

This extends the token lifetime specifically for the approval service without affecting other services. The refresh window ensures tokens are refreshed 5 minutes before expiry, preventing the 401 error during approval submission.

2. Session Management - ICF and Gateway Alignment: The token expiry must align with ICF session settings. Check transaction SMICM:


// Pseudocode - Session configuration validation:
1. Go to SMICM → Goto → Parameters → Display
2. Verify parameter: icm/HTTP/auth_<xx>/session_timeout
3. Should be >= OData token lifetime (3600 seconds minimum)
4. If lower, increase to 3600 and restart ICM
5. Verify Gateway timeout: /IWFND/GW_CLIENT → Settings → Timeout = 3600
// Misaligned timeouts cause premature session termination

Common issue: ICF session timeout is set to 1800 seconds (30 min) while OData tokens are configured for 3600 seconds. This causes sessions to terminate before tokens expire, resulting in 401 errors even with valid tokens.

3. Gateway Configuration - Enable Token Refresh: Activate automatic token refresh in SPRO:

  • Navigate to: SAP NetWeaver → Gateway → OData Channel → Administration → General Settings
  • Enable ‘Automatic Token Refresh’
  • Set ‘Refresh Trigger Threshold’ to 300 seconds (5 minutes before expiry)
  • Configure ‘Maximum Refresh Attempts’ to 3

This allows the Fiori My Inbox app to automatically request new tokens before the current token expires. The app will trigger refresh when it detects the token has less than 5 minutes remaining.

Fiori My Inbox Configuration: The standard My Inbox app supports automatic token refresh starting from version 1.96.0. Verify your app version in Fiori Launchpad Designer:


App: My Inbox
Required Version: >= 1.96.0
Configuration Parameter: sap.ui.model.odata.v2.ODataModel
  refreshAfterChange: true
  tokenHandling: true

If your version is older, apply SAP Note 3124567 to enable token refresh support in the approval workflow.

Workflow-Specific Configuration: For approval workflows, implement a heartbeat mechanism to keep sessions alive:

  • In transaction SWF_ADM_CUST, enable ‘Keep-Alive for Long-Running Approvals’
  • Set heartbeat interval to 900 seconds (15 minutes)
  • This sends periodic requests to refresh both tokens and sessions during approval reviews

Implementation Steps:

  1. Immediate Fix (Service-Level Timeout Extension):

    • Go to /IWFND/MAINT_SERVICE
    • Select REQ_APPROVAL_SRV
    • Increase session timeout to 3600 seconds
    • Enable token refresh with 300-second window
    • Save and test approval workflow

  2. ICF Session Alignment:

    • Transaction SMICM → Parameters
    • Set icm/HTTP/auth_/session_timeout = 3600
    • Restart ICM service (transaction SMICM → Administration → Restart)

  3. Enable Global Token Refresh:

    • SPRO → Gateway → General Settings
    • Enable ‘Automatic Token Refresh’
    • Set threshold to 300 seconds
    • Configure max retry attempts to 3

  4. Verify Fiori App Version:

    • Check My Inbox app version in Fiori Launchpad Designer
    • If < 1.96.0, apply SAP Note 3124567
    • Clear app cache and test approval workflow

Testing Protocol:

  1. Start an approval workflow
  2. Wait 35 minutes without any interaction
  3. Click ‘Approve’ button
  4. Verify approval registers successfully (no 401 error)
  5. Check Gateway error log - should show token refresh events at 25-minute mark
  6. Confirm workflow status updated to ‘Approved’

Monitoring Configuration: Set up monitoring in /IWFND/ERROR_LOG to track token refresh events:

  • Filter: Service = REQ_APPROVAL_SRV, Message Type = Token Refresh
  • Alert threshold: More than 5 token refresh failures per hour
  • This helps identify users with persistent session issues

Why This Solution Works: The approval loss occurred because:

  1. OData token expired after 30 minutes
  2. ICF session might have terminated even earlier
  3. No automatic token refresh was configured
  4. The Fiori app submitted the approval with an expired token
  5. Gateway rejected the POST request with 401 error
  6. Workflow didn’t retry, causing approval loss

By extending the token lifetime, aligning ICF sessions, and enabling automatic refresh, the approval process can complete even when users take 45-60 minutes to review requirements. The heartbeat mechanism ensures tokens are refreshed proactively, preventing expiry during critical approval submissions.

After implementing these changes, approval workflows will maintain valid authentication throughout the entire process, eliminating approval loss due to token expiry.