How to configure Inactivity Timeout in Pega 8.7.6 Constellation using OKTA IDP

We are using OKTA SSO for user logins, and business users would like to configure an inactivity time-out setting.

I’ve come across Pega help stating that “If authentication is handled by an external system, you can turn off the Pega Platform authentication time-out feature by leaving the Authentication timeout field blank.”

Has anyone come across this scenario? If so, please advise how to configure the inactivity timeout setting, in either Pega or the OKTA IDP.

@Kamil Janeczek @MarcCheong - FYI/A

@KrishnaHCC When using delegated SSO with Constellation, the Access Group (AG) timeout can be set blank. The system should redirect to /authorize on Okta when the Refresh Token expires; its expiry is set by the IDP on the OAuth 2.0 Client Registration rule with the same name as the Application rule. You should test this very carefully. Note this advice is only for a Constellation portal. When using Designer Studio and other non-Constellation portals, you should set the AG timeout.

@KrishnaHCC

Also update to at least 24.2 to add additional security options specific to Constellation (next to all other improvements in Constellation).

@sleij Thanks for your prompt response and caution. As suggested, yes, I can see the OAuth 2.0 Client Registration rule with the same name as the Application rule.

Can you advise which settings we need to configure under the Token Management area? (Refer to the attached screenshot.)

@KrishnaHCC There is no need to change any of these timeouts; the defaults work. You should make sure the checkboxes “Enable Refresh Token” and “Set refresh token expiry from IDP session expiry” are set to true. When Infinity generates the pega-aat API token for Constellation, it will set the Refresh Token length to match the IDP session length, ensuring the redirect to /authorize when the Refresh Token expires. If you know the IDP session length, then you can test with a container / incognito tab for the redirect as per the specified timeout. I hope this helps.