Content Manager 10.4 and OKTA

Hi all, I'm wondering if anyone has experience with OKTA authentication with Content Manager 10.4.

We've switched it on in our DEV environment and it works well for the web-client.

However, the full app will time out after 51 minutes. Our global OKTA timeout is set to several hours, however, after 51 minutes CM 10.4 will prompt 'Credentials are no longer valid'.

To continue working, users need to either close and reopen their CM client or reselect the dataset.

Just to be clear, we can be actively using the client and it will still timeout at the 51 minute mark (not 51 minutes of idle time).

Any advice greatly appreciated!

  • 0  

    Hi Glen,

    Haven't had much of a play around with OKTA but seems very similar to an Azure refresh token type issue.

    Make sure in the OpenID settings that under the claims you have 'offline_access' specified, as well as the claim supported from the OKTA side as well.

    It seems like that the normal token has expired, and what would normally be covered automatically by a 'refresh_token' is not being handled.

    OKTA looks like it will only return a refresh_token in the response if the offline_access scope has been granted.

    https://developer.okta.com/docs/reference/api/oidc/

    -Scotty

  • 0

    This looks a lot like the issue we have with ADFS authentication (case 02892820).

    Problem is that ~10 minutes before the token valid period expired, the CM purges the session from the TSAUTHSESS table and because ADFS doesn't support refresh tokens, the client gives the "Credentials are no longer valid" error until the token has actually expired and the CM client will get another token.

    Dev seems unwilling to fix the issue by either letting the user make use of the original token until it's actually expired, or just get a new token immediately instead of waiting for the original to expire...

    As a workaround we have stretched the valid period for the tokens from 1 hour to 10 hours, which should get us through a normal working day, but it's still frustrating that they won't fix the root cause of the issue.
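The two replies above describe the same mechanism from different angles: the client drops its session some margin before the access token's `exp`, and whether that costs the user a re-login depends on whether a refresh_token was issued (which on Okta requires the `offline_access` scope). The following is an added example, not code from Content Manager, Okta or the posters, that models that lifecycle offline: a stand-in for the OIDC token endpoint that only hands out a refresh_token when `offline_access` was granted, a client loop that purges the session a fixed margin before expiry, and the three configurations discussed in the thread (1-hour token without refresh, 1-hour token with `offline_access`, and the 10-hour workaround). The client id, subject, token format and refresh-token strings are made up; the 1-hour and 10-hour lifetimes and the "~10 minutes before expiry" purge are the figures quoted in the posts, and a 9-minute margin on a 60-minute token is what reproduces the 51-minute timeout from the original post.

```python
import base64
import json
import urllib.parse

# Added example for this thread. Not Content Manager or Okta code. Client id,
# issuer, subject and refresh-token format are constructed for the simulation;
# the lifetimes and purge margin are the figures quoted in the posts above.

CLIENT_ID = "0oa-example-client"      # assumed value
PURGE_MARGIN_S = 9 * 60               # 60-minute token minus this margin = 51 minutes


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_jwt(claims: dict) -> str:
    """Constructed, unsigned JWT (alg=none) so the simulation runs offline."""
    header = b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{b64url(json.dumps(claims).encode())}."


def jwt_exp(token: str) -> int:
    """Read the 'exp' claim. A real client must verify the signature first."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return int(json.loads(base64.urlsafe_b64decode(payload))["exp"])


def token_request(grant_type: str, client_id: str, scopes, **extra) -> dict:
    """Form parameters a client POSTs to the OIDC token endpoint ({issuer}/v1/token on Okta)."""
    body = {"grant_type": grant_type, "client_id": client_id, "scope": " ".join(scopes)}
    body.update(extra)
    return body


def encode_form(body: dict) -> str:
    """application/x-www-form-urlencoded body, as sent on the wire."""
    return urllib.parse.urlencode(body)


class SimulatedTokenEndpoint:
    """Stand-in for the IdP token endpoint: refresh_token only with offline_access."""

    def __init__(self, access_lifetime_s: int):
        self.access_lifetime_s = access_lifetime_s
        self.refresh_tokens = {}   # refresh_token -> granted scopes
        self.issued = 0

    def handle(self, body: dict, now: int) -> dict:
        scopes = body["scope"].split()
        if body["grant_type"] == "refresh_token":
            if body.get("refresh_token") not in self.refresh_tokens:
                return {"error": "invalid_grant"}
            scopes = self.refresh_tokens.pop(body["refresh_token"])  # simulated rotation
        elif body["grant_type"] != "authorization_code":
            return {"error": "unsupported_grant_type"}
        exp = now + self.access_lifetime_s
        resp = {
            "token_type": "Bearer",
            "access_token": make_unsigned_jwt({"sub": "user@example.test", "iat": now, "exp": exp}),
            "expires_in": self.access_lifetime_s,
            "scope": " ".join(scopes),
        }
        if "offline_access" in scopes:          # the condition Scotty points at
            self.issued += 1
            rt = f"rt-{self.issued}"
            self.refresh_tokens[rt] = scopes
            resp["refresh_token"] = rt
        return resp


def simulate_session(scopes, access_lifetime_s: int, purge_margin_s: int, workday_s: int) -> dict:
    """Walk one working day with a client that purges its session purge_margin_s before exp."""
    idp = SimulatedTokenEndpoint(access_lifetime_s)
    stats = {"interactive_logins": 0, "refreshes": 0, "locked_out_s": 0}

    def interactive_login(now: int) -> dict:
        stats["interactive_logins"] += 1
        return idp.handle(token_request("authorization_code", CLIENT_ID, scopes, code="constructed-code"), now)

    now = 0
    resp = interactive_login(now)
    while True:
        exp = jwt_exp(resp["access_token"])
        purge_at = exp - purge_margin_s     # where the thread says CM drops the TSAUTHSESS row
        if purge_at >= workday_s:
            break
        now = purge_at
        if "refresh_token" in resp:
            # Refresh silently; the user never sees 'Credentials are no longer valid'.
            resp = idp.handle(token_request("refresh_token", CLIENT_ID, scopes,
                                            refresh_token=resp["refresh_token"]), now)
            stats["refreshes"] += 1
        else:
            # No refresh_token: locked out from the purge until the token really expires,
            # then the client obtains a new token interactively.
            lock_end = min(exp, workday_s)
            stats["locked_out_s"] += lock_end - now
            if exp >= workday_s:
                break
            now = exp
            resp = interactive_login(now)
    return stats
```

Running `simulate_session(["openid", "profile"], 3600, PURGE_MARGIN_S, 8 * 3600)` gives eight interactive logins and 72 minutes of lock-out across the day, adding `"offline_access"` to the scopes gives one login and nine silent refreshes, and the 10-hour workaround (`36000` second lifetime) gives one login with no purge before the day ends.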