Bug Number ENH-000116621
Submitted Sep 06, 2018
Modified Jun 11, 2020
Severity High
Applies To Portal for ArcGIS
Version Found 10.6
Prog Language N/A
Server Platform Windows 2012 R2
Client Platform Windows 2012 R2
Database N/A
Locale N/A
Status Implemented
Version Fixed 10.7
SP Fixed N/A

Bug ENH-000116621


Add the ability to modify the maximum token expiration time of tokens generated to login to Portal for ArcGIS when using IDP-initiated logins.

Additional Information


Alternate Solution

This issue is only regarding IDP-initiated logins. This is where you login to your identity provider, and then open Portal for ArcGIS from the identity provider. (Think of how you login to esri.okta.com and can then choose the various apps from there like salesforce, or outlook)

This document's workflow specifies how to increased the default token expiration time of Portal for ArcGIS.

I used the steps in that document and set my Portal’s maxTokenExpirationMinutes parameter to 4 hours.
maxTokenExpirationMinutes:    240

If you sign into my portal using IDP-initiated logins, you can check the token's expiration time.
1.    Go here: https://red-inf-adfs-d1.esri.com/adfs/ls/idpinitiatedsignon.aspx
2.    Choose “Sign in to one of the following sites”
3.    Choose “csc-dsieger10l” from the drop down
4.    Continue to sign in
5.    Enter AVWORLD credentials, automatic account creation will create your user.
6.    This will take you to the portal/home page.
7.    Open dev tools, click on organization.
8.    In dev tools, copy the ags-roles cookie and decode it.
9.    esri_auth={"portalApp":true,"email":"dani7496@esri.com","token":"d04L42cUcD6zXXjUVYeAnnJQ8yUkIfUV99UG6SnC5wMlNW9mMkesTL9OI9d8wU7_sRkxjV5V4sL6zeZi0_gTwk4q56RxhuwMfncVE7nBGKHuhOSKcl3BT43hKEy4gDdeKrbOuIn7ttTYkluK3wIjFPrfWWuSE6PZjtfTTaR4tcTLoQOuymfgq4u0l5UzsCGWiWRd60RU1JHuaA_YmZPvGBzGKAUPr6E8bg8n73qltrs.","culture":"en","region":null,"expires":1540328409180,"allSSL":true,"accountId":"0123456789ABCDEF","role":"org_user"}
10.    You can see the epoch expiration time is: "expires":1540328409180
11.    https://www.epochconverter.com/ Shows this as this time.
Your time zone: Tuesday, October 23, 2018 5:00:09.180 PM GMT-04:00 DST
Relative: In 2 hours

When I manually request a token using built-in users from here, the token is 4 hours. https://csc-dsieger10l.esri.com/portal/sharing/rest/generateToken
When I login to my portal using service-provider initiated logins, the token in the esri_auth cookie follows the expiration time set at the portal sharing self page as well at 4 hours.

I have attached an email thread with the Product Development team discussing this issue.
Jose (Developer) has confirmed that we have no way to configure the default expiration time of tokens generated via IDP-initiated logins.