Quote approval fails due to token expiry - users get 'Session Expired' during multi-step approval

Our sales team is experiencing frequent session expiration errors when approving quotes that require multiple approval levels. Users successfully log in through our SSO provider, navigate to a quote requiring approval, and begin the approval process. However, during the second or third approval step (we have a 4-level approval hierarchy for quotes over $100K), they receive a “Session Expired - Please log in again” error. After re-authenticating, they’re returned to the quote but their previous approval actions are lost and they must restart the entire approval sequence. This happens inconsistently - sometimes approvals complete successfully, other times they fail at different steps. I’ve noticed the failures occur more frequently when approvers take time to review quote details or attached documents before clicking approve. Our session timeout is set to 60 minutes and users report the failures happen within 10-15 minutes of logging in. Other transaction approvals like sales orders don’t exhibit this behavior. Is there a separate token timeout for quote approvals that’s shorter than the general session timeout?

This sounds like an SSO token synchronization issue between your identity provider and NetSuite. When users authenticate through SSO, they receive both an IdP session token and a NetSuite application token. If these tokens have different expiration times, you’ll see exactly the behavior you’re describing - the NetSuite token expires while the IdP session is still valid, causing the approval to fail even though the user appears logged in. The inconsistency you mention (sometimes works, sometimes doesn’t) is typical of timing-based token mismatches.

Quote approvals in NetSuite use transaction tokens that have a separate expiration from your main session timeout. These tokens are generated when you first access the quote and are validated at each approval step. If you have a multi-level approval workflow, each level validation checks the token freshness. The default transaction token timeout is often shorter than session timeout - typically 10-15 minutes. Check your token expiry settings under Setup > Company > General Preferences > Security.

I’ve successfully resolved the session expiration issues by systematically addressing all three focus areas.

For session timeout settings, I discovered that NetSuite has multiple timeout configurations that need to be aligned. The primary session timeout (Setup > Company > General Preferences > Session Management) was set to 60 minutes as I mentioned. However, there’s a separate “Transaction Token Timeout” setting buried in Setup > Company > General Preferences > Security > Token Management that was set to only 10 minutes. This transaction token is specifically used for approval workflows and form submissions. When approvers spent more than 10 minutes reviewing quote details, the transaction token expired even though their main session remained active. I increased the transaction token timeout to 30 minutes, which provides enough time for thorough quote reviews while maintaining reasonable security. I also enabled “Auto-extend Session on Activity” which resets the timeout counter whenever users interact with the page.

Regarding token expiry configuration, the root cause was more complex than a simple timeout mismatch. NetSuite’s multi-step approval workflows use a chain of tokens - each approval level generates a new token that references the previous level’s token. This creates a dependency chain where if any token in the sequence expires, the entire approval fails. Our 4-level approval hierarchy meant that by the time a quote reached the fourth approver, it was carrying token dependencies from three previous approval steps. If the first approver took 8 minutes and the second took 7 minutes, the third approver’s session would be working with tokens that were 15 minutes old, exceeding the 10-minute transaction token limit. The solution was twofold: I extended the transaction token timeout as mentioned above, and I also implemented token refresh by enabling “Regenerate Tokens at Each Approval Level” in the workflow configuration. This ensures each approval step gets a fresh token rather than inheriting stale tokens from previous steps.

For SSO IdP session alignment, I found a critical mismatch between our Okta session configuration and NetSuite’s token expectations. Our Okta application had a session lifetime of 8 hours, but the SAML assertion lifetime was set to only 5 minutes. This meant that while users had a valid Okta session, the SAML assertions that NetSuite uses to validate authentication were expiring quickly. NetSuite’s quote approval workflow makes multiple backend validation calls during the approval process, and each call validates the SAML assertion. When the assertion expired mid-approval, NetSuite treated it as a session expiration even though the user’s Okta session was still active. I coordinated with our identity team to extend the SAML assertion lifetime in Okta to 30 minutes, matching our NetSuite transaction token timeout.

Additionally, I discovered that our SSO configuration wasn’t properly handling token refresh. Okta can automatically refresh SAML assertions before they expire if configured correctly, but our NetSuite application in Okta had “Assertion Refresh” disabled. Enabling this feature allows Okta to proactively send new SAML assertions to NetSuite before the old ones expire, preventing mid-workflow authentication failures.

After implementing these changes - extending transaction token timeout to 30 minutes, enabling token regeneration at each approval level, extending SAML assertion lifetime to 30 minutes, and enabling assertion refresh in Okta - our sales team has completed over 200 multi-level quote approvals without a single session expiration error. The key insight was understanding that quote approvals involve multiple token types (session tokens, transaction tokens, CSRF tokens, and SAML assertions) that must all be properly configured and aligned for seamless multi-step workflows.
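An added example (my own code, not NetSuite's or Okta's) that models the two SAML windows the resolution above distinguishes: a constructed assertion with a 5-minute Conditions window and an 8-hour SessionNotOnOrAfter is checked at the instants of successive backend validation calls, then again after the assertion lifetime is raised to 30 minutes. The assertion XML, the issue instant and the helper names are assumptions for illustration.

```python
"""Added model of the SAML assertion-vs-session lifetime mismatch (illustration, not vendor code)."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Constructed issue instant for the sample assertion built below.
ISSUED = datetime(2024, 1, 15, 9, 0, 0, tzinfo=timezone.utc)

def _ts(dt):
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")  # SAML wire format, UTC

def build_assertion(assertion_minutes, session_hours):
    """Construct a minimal, unsigned sample assertion (constructed data):
    Conditions carry the assertion lifetime, AuthnStatement the IdP session."""
    return f"""<saml:Assertion xmlns:saml="{NS['saml']}" ID="_sample" Version="2.0"
    IssueInstant="{_ts(ISSUED)}">
  <saml:Issuer>https://idp.example.test</saml:Issuer>
  <saml:Conditions NotBefore="{_ts(ISSUED)}"
      NotOnOrAfter="{_ts(ISSUED + timedelta(minutes=assertion_minutes))}"/>
  <saml:AuthnStatement AuthnInstant="{_ts(ISSUED)}"
      SessionNotOnOrAfter="{_ts(ISSUED + timedelta(hours=session_hours))}"/>
</saml:Assertion>"""

def _parse_ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def check_assertion(xml_text, now, skew=timedelta(seconds=0)):
    """Return (assertion_valid, session_valid) at instant `now`.
    A relying party evaluates both: the Conditions window is what a backend
    validation call rejects; the session window is what the user still sees."""
    root = ET.fromstring(xml_text)
    cond = root.find("saml:Conditions", NS)
    authn = root.find("saml:AuthnStatement", NS)
    not_before = _parse_ts(cond.get("NotBefore"))
    not_on_or_after = _parse_ts(cond.get("NotOnOrAfter"))  # exclusive bound
    session_end = _parse_ts(authn.get("SessionNotOnOrAfter"))
    assertion_ok = (not_before - skew) <= now < (not_on_or_after + skew)
    return assertion_ok, now < session_end

def approval_calls(xml_text, minutes_after_issue):
    """Evaluate the assertion at each backend validation call, each made the
    given number of minutes after issuance (e.g. one call per approval level)."""
    return {m: check_assertion(xml_text, ISSUED + timedelta(minutes=m))
            for m in minutes_after_issue}

if __name__ == "__main__":
    for lifetime in (5, 30):  # before and after the change described above
        print(lifetime, approval_calls(build_assertion(lifetime, 8), [1, 4, 7, 16]))
```

With the 5-minute window, every call after minute 5 reports a valid session but an invalid assertion, which is exactly the "logged in yet expired" state the thread describes.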