Frequent Pinniped Authentication Prompts Every ~2 Minutes When Using ADFS as External Identity Provider with Tanzu Supervisor

Article ID: 412874


Products

VMware vSphere Kubernetes Service

Issue/Introduction

In environments using vCenter federated with Microsoft ADFS as an external IDP for the latest vSphere Supervisor releases, repeated authentication prompts occur when logging in through the Tanzu CLI with Pinniped. Authentication works initially, but after approximately two minutes of idle time the user is prompted again to re-authenticate. This cycle repeats consistently, impacting normal workflow.

Environment

  • vSphere Supervisor 8.0
  • vSphere Supervisor 9.0

Cause

The short session timeout is due to the lifetime of Pinniped-issued tokens, which is not configurable in the latest vSphere Supervisor releases. In addition, ADFS does not fully implement the OIDC specification, leading to refresh token errors. These issues have been addressed in Pinniped v0.41.0.
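A quick way to confirm that the prompts are driven by the token lifetime rather than by network or kubeconfig problems is to read the `iat` and `exp` claims of the token Pinniped hands to kubectl. The helper below is an added diagnostic, not code from this article or from the Pinniped project; the sample token, its issuer URL and the 300-second threshold are constructed assumptions, and it deliberately performs no signature verification.

```python
import base64
import json

SHORT_LIFETIME_SECONDS = 300  # assumed threshold: flag tokens valid for five minutes or less

def _b64url_decode(segment: str) -> bytes:
    # JWT segments strip the '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def jwt_claims(token: str) -> dict:
    # Reads the payload WITHOUT verifying the signature: a diagnostic view of
    # iat/exp only, never a basis for an authentication decision.
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected compact JWT: header.payload.signature")
    claims = json.loads(_b64url_decode(parts[1]))
    missing = [c for c in ("iat", "exp") if c not in claims]
    if missing:
        raise ValueError(f"token lacks claims: {missing}")
    return claims

def token_lifetime_seconds(token: str) -> int:
    # Validity window the issuer granted: exp - iat.
    claims = jwt_claims(token)
    return int(claims["exp"]) - int(claims["iat"])

def is_short_lived(token: str, threshold: int = SHORT_LIFETIME_SECONDS) -> bool:
    # True for lifetimes like the ~2 minute window this article describes.
    return token_lifetime_seconds(token) <= threshold

def make_sample_token(lifetime_seconds: int, issued_at: int = 1_700_000_000) -> str:
    # Constructed sample for offline use, NOT a token from a real Supervisor or ADFS.
    # The signature segment is a placeholder; nothing above verifies it.
    header = {"alg": "RS256", "typ": "JWT"}
    payload = {"iss": "https://supervisor.example.invalid", "sub": "user@example.invalid",
               "iat": issued_at, "exp": issued_at + lifetime_seconds}
    return ".".join([_b64url_encode(json.dumps(header).encode()),
                     _b64url_encode(json.dumps(payload).encode()), "placeholder-signature"])
```

Run `is_short_lived()` against the real token from the Pinniped exec plugin output; a lifetime of around 120 seconds matches the behaviour described here, while a long lifetime points to a different cause.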

Resolution

There is no supported configuration change in the current release to extend the session lifetime. The resolution requires a Supervisor update that includes Pinniped v0.41.0 or later, along with updated configuration for ADFS integration. Manual upgrades of Pinniped pods are not supported and are not recommended. The fix will be available with vSphere 8.0U3P07, which will include Pinniped v0.41.0.

Additional Information