Content Management and Capture

Content Management and Capture

Come for answers. Stay for best practices. All we’re missing is you.

 View Only

  • 1.  OIDC and Problems with Session Expiration

    Posted Tue September 30, 2025 11:33 AM

    Hello,
    I have configured Content Navigator for PingFed OIDC based on Rogers Blog-Post.

    How to Configure LTPA/OAuth/OIDC SSO with FileNet ICN, CS GraphQL, and CPE on WebSphere traditional application server

    CPE authentication is done via LTPA tokens. 
     
    In general, everything works and users can successfully log in to the ICN via OIDC.
     
    However, after a few minutes, the user receives a login dialog with the message "Your session expired."  The time span in which the problem occurs varies, but is less than 10 minutes. In the developers tools I can see messages like  .../jarxs/pingServer 401 (Unauthorized)
     
    The problem seems to be related to the OIDCSTATE token. As far as I have been able to observe, the error occurs every time the OIDCSTATE token is renewed. This has an expiration time of 10 minutes. 
     
    However, I cannot find any further information on how to solve the problem.

    Regard
    Michael 



    Ibm remove preview
    How to Configure LTPA/OAuth/OIDC SSO with FileNet ICN, CS GraphQL, and CPE on WebSphere traditional application server
    View this on Ibm >





    ------------------------------
    Michael Pressler
    ------------------------------


  • 2.  RE: OIDC and Problems with Session Expiration

    Posted Thu October 02, 2025 12:08 PM

    I would first check if a timeout is configurable at your IDP side (i.e. PingFed). 

    If no changes there seem to fix the issue, then look through the WebSphere OIDC configuration properties here to see if changing any timeout properties or ones related to OIDCSTATE help.
    https://www.ibm.com/docs/en/was/9.0.5?topic=party-openid-connect-relying-custom-properties

    Finally, look to see if any WebSphere HTTP Session tuning needs to be done.

    https://www.ibm.com/docs/en/was-nd/9.0.5?topic=applications-configuring-http-sessions

    Also, check that you've set these 2 properties in WebSphere, as described below.

    • Navigate to Security > Global security > Custom Properties
    • Click New … and define the following custom properties
      • Name: com.ibm.websphere.security.InvokeTAIbeforeSSO
      • Value: com.ibm.ws.security.oidc.client.RelyingParty

    Note: if property exists, add this to existing value, separated by a comma to create a list

      • Name: com.ibm.websphere.security.performTAIForUnprotectedURI
      • Value: true



    ------------------------------
    ROGER Bacalzo
    ------------------------------



  • 3.  RE: OIDC and Problems with Session Expiration

    Posted Fri October 17, 2025 03:50 AM

    For the moment it looks like we fixed the problem.

    Issue was the the "com.ibm.websphere.security.InvokeTAIbeforeSSO" custom property. After wie removed it, everything was working fine.

    The WebSphere Docu describe as follow:


    Because we using LTPA for CPE it seems to be the better solution for our environment. 

    Regards
    Michael



    ------------------------------
    Michael Pressler
    ------------------------------

    Original Message


Related Content