
SiteMinder : OIDC refresh token validity is not extended when user is active


Article ID: 252744


Updated On:


VIP Authentication Hub, CA Single Sign On Federation (SiteMinder), CA Single Sign On Secure Proxy Server (SiteMinder), SITEMINDER


SiteMinder is the AuthProvider.

The OIDC Client setting has the refresh_token expiry set to 30 days.

In a mobile app use case, the user launches the app and logs in to obtain the access_token and refresh_token.

Although the user is active (launching the mobile app frequently during the 30-day period), the refresh_token expired at the end of 30 days and the user session was rejected.


Release : 12.8.6


By design


As of SiteMinder R12.8.6, the refresh_token is issued at login and its validity is not extended afterwards.

1. There is no option to update the refresh_token without the user logging in again by providing credentials.
2. The maximum refresh_token expiry you can set within SiteMinder is whatever value the AdminUI allows. The field accepts 3 digits, so it would be up to 999 days.
3. It is not advisable to update the session store directly by any means (to manipulate the refresh_token validity).

So the refresh_token expiring at the expiry date is by design.
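The following is an added example, not SiteMinder code and not part of the original article: a client-side model of the fixed refresh_token lifetime described above, which a mobile app can use to prompt for re-login before the deadline instead of being rejected on day 30. The 1-hour access_token lifetime, the 3-day warning window, the action names and the timestamps are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

REFRESH_LIFETIME = timedelta(days=30)  # refresh_token expiry from the OIDC client setting above
ACCESS_LIFETIME = timedelta(hours=1)   # assumption: not stated in the article
WARN_WINDOW = timedelta(days=3)        # assumption: how early the app prompts for re-login


@dataclass
class TokenState:
    login_at: datetime           # when the user last supplied credentials
    access_issued_at: datetime   # when the current access_token was issued

    @property
    def refresh_deadline(self) -> datetime:
        # Fixed lifetime: anchored to the login, never moved by later refreshes.
        return self.login_at + REFRESH_LIFETIME


def next_action(state: TokenState, now: datetime) -> str:
    """Decide what the app must do at launch (action names are hypothetical)."""
    if now >= state.refresh_deadline:
        return "login"                     # refresh_token expired: credentials required
    if now - state.access_issued_at >= ACCESS_LIFETIME:
        return "refresh"                   # renews the access_token only
    return "use_access_token"


def should_warn(state: TokenState, now: datetime) -> bool:
    """True when the fixed deadline is close enough to prompt for re-login."""
    return timedelta(0) < state.refresh_deadline - now <= WARN_WINDOW


def simulate_daily_use(days: int) -> list[str]:
    """Constructed scenario: the user launches the app once a day after login."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)   # constructed timestamp
    state, actions = TokenState(t0, t0), []
    for day in range(1, days + 1):
        now = t0 + timedelta(days=day)
        action = next_action(state, now)
        if action == "refresh":
            state.access_issued_at = now             # deadline stays where it was
        elif action == "login":
            state = TokenState(now, now)             # new login starts a new 30 days
        actions.append(action)
    return actions


if __name__ == "__main__":
    print(simulate_daily_use(31))
```

Daily use produces 29 refreshes and then a forced login on day 30, matching the behaviour reported in this article.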


Please upvote the 'idea' at the communities site if you need SiteMinder to have an option to extend the refresh_token.