| Bug Number | ENH-000116621 |
| Submitted | Sep 06, 2018 |
| Modified | Jun 06, 2019 |
| Severity | High |
| Applies To | Portal for ArcGIS |
| Version Found | 10.6 |
| Prog Language | N/A |
| Server Platform | Windows 2012 R2 |
| Client Platform | Windows 2012 R2 |
| Database | N/A |
| Locale | N/A |
| Status | Implemented |
| Version Fixed | 10.7 |
| SP Fixed | N/A |
Bug ENH-000116621
Synopsis
Add the ability to modify the maximum token expiration time of tokens generated to login to Portal for ArcGIS when using IDP-initiated logins.
Additional Information
N/A
Alternate Solution
This issue is only regarding IDP-initiated logins. This is where you login to your identity provider, and then open Portal for ArcGIS from the identity provider. (Think of how you login to esri.okta.com and can then choose the various apps from there like salesforce, or outlook)
This document's workflow specifies how to increased the default token expiration time of Portal for ArcGIS.
http://enterprise.arcgis.com/en/portal/latest/administer/windows/specify-the-default-token-expiration-time.htm
I used the steps in that document and set my Portal’s maxTokenExpirationMinutes parameter to 4 hours.
maxTokenExpirationMinutes: 240
If you sign into my portal using IDP-initiated logins, you can check the token's expiration time.
1. Go here: https://red-inf-adfs-d1.esri.com/adfs/ls/idpinitiatedsignon.aspx
2. Choose “Sign in to one of the following sites”
3. Choose “csc-dsieger10l” from the drop down
4. Continue to sign in
5. Enter AVWORLD credentials, automatic account creation will create your user.
6. This will take you to the portal/home page.
7. Open dev tools, click on organization.
8. In dev tools, copy the ags-roles cookie and decode it.
9. esri_auth={"portalApp":true,"email":"dani7496@esri.com","token":"d04L42cUcD6zXXjUVYeAnnJQ8yUkIfUV99UG6SnC5wMlNW9mMkesTL9OI9d8wU7_sRkxjV5V4sL6zeZi0_gTwk4q56RxhuwMfncVE7nBGKHuhOSKcl3BT43hKEy4gDdeKrbOuIn7ttTYkluK3wIjFPrfWWuSE6PZjtfTTaR4tcTLoQOuymfgq4u0l5UzsCGWiWRd60RU1JHuaA_YmZPvGBzGKAUPr6E8bg8n73qltrs.","culture":"en","region":null,"expires":1540328409180,"allSSL":true,"accountId":"0123456789ABCDEF","role":"org_user"}
10. You can see the epoch expiration time is: "expires":1540328409180
11. https://www.epochconverter.com/ Shows this as this time.
Your time zone: Tuesday, October 23, 2018 5:00:09.180 PM GMT-04:00 DST
Relative: In 2 hours
When I manually request a token using built-in users from here, the token is 4 hours. https://csc-dsieger10l.esri.com/portal/sharing/rest/generateToken
When I login to my portal using service-provider initiated logins, the token in the esri_auth cookie follows the expiration time set at the portal sharing self page as well at 4 hours.
I have attached an email thread with the Product Development team discussing this issue.
Jose (Developer) has confirmed that we have no way to configure the default expiration time of tokens generated via IDP-initiated logins.