SSO token expiry during procure-to-pay approval workflow blocking remote users from completing PO approvals

We’re having a critical issue with SSO token expiration affecting our procure-to-pay approval workflow. Remote approvers are getting kicked out mid-approval when reviewing purchase orders. Here’s the scenario: An approver logs in via SSO, navigates to their approval queue, opens a PO for review (which might take 10-15 minutes for complex purchases), then when they click ‘Approve’, they get an SSO token expired error and have to start over.

This is particularly problematic for our remote workforce who are approving high-value POs that require careful review of line items, vendor details, and budget codes. By the time they finish their review, the SSO token has expired and their approval doesn’t go through. We’re seeing PO approval delays of 24-48 hours because approvers get frustrated and defer to the next day.

Our SSO token lifetime is currently set to 15 minutes. Has anyone dealt with SSO token expiry issues in approval workflows? We need a solution that maintains security but allows remote users to complete their approval tasks without constant re-authentication.

15 minutes is quite aggressive for a token lifetime, especially for workflows that require review time. Most organizations use 30-60 minutes for SSO tokens in approval scenarios. However, simply extending the token lifetime isn’t ideal from a security perspective. Have you considered implementing token refresh? This allows the application to automatically request a new token before the current one expires, keeping the user’s session active without requiring re-authentication.

Working with our Azure AD admin to enable refresh tokens. The auto-save feature for approvals is a great idea as a backup. Will test the token refresh configuration in our test environment this week before rolling to production.

The token refresh sounds promising. Is this something configured in the SSO provider (we’re using SAML with Azure AD) or in JDE itself? Also, for the activity-based extension, does JDE natively support detecting user activity, or do we need custom development? We want to avoid heavy customization if possible.

Here’s a comprehensive solution addressing SSO token management, PO approval workflow continuity, and remote user session stability:

SSO Token Configuration: Optimize your SAML SSO setup with Azure AD and JDE:

  1. Azure AD Enterprise Application Settings:

    • Enable ‘Refresh Token’ capability for JDE application
    • Set Access Token lifetime: 30 minutes (balanced security/usability)
    • Set Refresh Token lifetime: 4 hours (allows extended work sessions)
    • Configure Refresh Token rotation: enable for additional security
    • Set conditional access policy: require MFA on initial login only, not on token refresh
  2. JDE Security Server SSO Configuration:

    • Modify JDE.INI SSO section:
      • SSOTokenLifetime=1800 (30 minutes)
      • EnableTokenRefresh=1
      • TokenRefreshThreshold=300 (refresh when 5 minutes remaining)
      • MaxSessionDuration=14400 (4 hours total)
    • Configure session activity tracking: InactivityTimeout=900 (15 minutes of actual inactivity)
    • Enable silent token refresh: user not prompted during refresh
  3. Token Refresh Implementation:

    • Deploy JavaScript in JDE web client to monitor token expiry
    • Implement background refresh: request new token 5 minutes before expiry
    • Add retry logic: if refresh fails, alert user 2 minutes before hard expiry
    • Store refresh token securely in HTTP-only secure cookies

PO Approval Workflow Protection: Ensure approval process survives session interruptions:

  1. Implement Auto-Save for Approval Workflow:

    • Modify P4310 (PO Entry) approval form to auto-save every 3 minutes
    • Save approval state to temporary table: includes line items reviewed, notes entered, decision status
    • Add ‘Resume Approval’ button: loads saved state when user re-authenticates
    • Retain saved state for 24 hours before cleanup
  2. Workflow State Management:

    • Create approval session tracking table: records which POs are being reviewed
    • Lock PO during review: prevent concurrent approvals
    • Add session recovery logic: if approver returns within 1 hour, auto-resume at last screen
    • Implement approval timeout: if no activity for 2 hours, release PO back to queue
  3. User Experience Enhancements:

    • Add session timer widget in approval screen: shows remaining time before token expiry
    • Display warning at 5 minutes remaining: ‘Your session will expire in 5 minutes. Click here to extend.’
    • Provide ‘Extend Session’ button: manually triggers token refresh
    • Enable ‘Save and Continue Later’: explicitly saves approval progress and releases PO

Remote User Session Management: Optimize for remote workforce challenges:

  1. Network Resilience:

    • Implement connection health monitoring: detect network drops
    • Enable automatic reconnection: restore session when network returns
    • Add offline mode indicators: clearly show when disconnected
    • Queue approval actions locally: submit when connection restored
  2. Activity-Based Session Extension:

    • Configure granular activity detection:
      • Mouse movement within approval screen
      • Keyboard input in notes/comments fields
      • Navigation between PO line items
      • Document attachment viewing
    • Reset inactivity timer on any detected activity
    • Differentiate between ‘idle’ (user present, reading) vs ‘inactive’ (user away)
    • Implement ‘I’m still working’ heartbeat: user can manually signal activity
  3. Approval Workflow Optimization:

    • Enable PO preview mode: approvers can review without starting formal approval (doesn’t start session timer)
    • Add bulk approval capability: approve multiple POs in one session
    • Implement approval delegation: if approver can’t complete, delegate to backup
    • Create approval templates: pre-fill common approval notes to speed process
  4. Security Considerations:

    • Maintain audit trail of all token refreshes and session extensions
    • Log approval session duration and activity patterns
    • Alert security team if session exceeds 4 hours (potential account compromise)
    • Require re-authentication for high-value POs (>$50K) regardless of token status

Monitoring and Support:

  1. Create SSO health dashboard:

    • Track token refresh success rate
    • Monitor approval completion rates
    • Identify users with frequent session timeouts
    • Alert on abnormal patterns (many refreshes, long sessions)
  2. User Support:

    • Provide training on session management features
    • Create quick reference guide for remote approvers
    • Establish help desk escalation for SSO issues
    • Collect feedback on approval workflow usability

Implementation Roadmap:

  • Week 1: Configure Azure AD refresh tokens and extend JDE token lifetime to 30 minutes
  • Week 2: Implement auto-save for approval workflow and session recovery
  • Week 3: Deploy activity-based session extension and user warnings
  • Week 4: Full testing with remote approvers, refine thresholds
  • Week 5: Production rollout with monitoring

This solution maintains security through shorter initial token lifetime and inactivity detection while enabling remote users to complete PO approvals without interruption through token refresh, auto-save, and activity-based session management.
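The refresh, retry, inactivity and maximum-session rules from this answer, modelled as one pure decision function that a web-client timer could poll once a second. This is an added example, not code from the thread, from JDE or from Azure AD; the class name, action strings and the mapping of the JDE.INI values onto `POLICY` are assumptions.

```javascript
// Constructed policy mirroring the values proposed above (all times in seconds).
const POLICY = {
  tokenLifetime: 1800,       // SSOTokenLifetime: 30 min access token
  refreshThreshold: 300,     // TokenRefreshThreshold: refresh with 5 min left
  failWarning: 120,          // warn the user 2 min before hard expiry if refresh failed
  inactivityTimeout: 900,    // InactivityTimeout: 15 min with no detected activity
  maxSessionDuration: 14400  // MaxSessionDuration: 4 h absolute cap, then full re-auth
};

class SessionMonitor {
  constructor(now, policy = POLICY) {
    this.policy = policy;
    this.sessionStart = now;
    this.lastActivity = now;
    this.tokenExpiresAt = now + policy.tokenLifetime;
    this.refreshFailed = false;
  }

  // Called from activity hooks (keyboard input in notes, line-item navigation, ...).
  recordActivity(now) { this.lastActivity = now; }

  // Result of a background refresh: a new token replaces the expiry; a failure
  // keeps the old token and arms the user warning.
  onRefreshResult(now, ok) {
    if (ok) {
      this.tokenExpiresAt = now + this.policy.tokenLifetime;
      this.refreshFailed = false;
    } else {
      this.refreshFailed = true;
    }
  }

  // Pure decision for time `now`: no timers, no DOM, so it can be unit-tested.
  // Order matters: hard expiry and the session cap win over refresh, and an
  // inactive user is never silently refreshed.
  decide(now) {
    const p = this.policy;
    if (now >= this.tokenExpiresAt) return 'expired';
    if (now - this.sessionStart >= p.maxSessionDuration) return 'reauthenticate';
    if (now - this.lastActivity >= p.inactivityTimeout) return 'inactivity-logout';
    const remaining = this.tokenExpiresAt - now;
    if (remaining <= p.refreshThreshold) {
      // Retry silently until the warning window, then involve the user.
      return (this.refreshFailed && remaining <= p.failWarning) ? 'warn-user' : 'refresh';
    }
    return 'ok';
  }
}
```

The refresh token itself should never be handled by this script; the page's advice to keep it in an HTTP-only secure cookie means the browser sends it to the refresh endpoint without exposing it to JavaScript.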

For SAML with Azure AD, you’ll configure token refresh in both places. In Azure AD, enable ‘Refresh Token’ in your enterprise application settings for JDE. In JDE, you need to modify the SSO configuration in the security server to handle refresh token requests. JDE 9.2.0 has basic activity detection - it tracks user interactions with the web client. You can configure the inactivity timeout separately from the SSO token lifetime. Set inactivity to 15 minutes but allow SSO tokens to refresh for up to 4 hours of total session time.

You should also look at implementing activity-based token extension. This means the token lifetime extends automatically when the user is actively working in the application. If they’re navigating between screens, entering data, or reviewing documents, the system detects this activity and refreshes the token. This way, inactive sessions still time out for security, but active users aren’t interrupted. We implemented this and it solved our approval workflow issues.