Bearer Token lifetime

This setting is used when an Identity Provider server or service has been configured to authenticate 'SAML2' user accounts.

The token issued by the Identity Provider has a set lifetime which applies to all users (including tenant Administrators), both for interactive access to the Planning Space application and for access using the Web API.

In interactive access, the application software automatically refreshes the token as long as the session is active; for API access, you need to write the token management and refresh code yourself.

Important: If an interactive client user does not log in to Planning Space using the configured Service Address (which will be the load balancer's address for a clustered deployment), the automated token refresh will fail and the user's session will silently end after the initial token expires; this will result in 'unexplained' errors if the user tries to continue the session. The user session must be restarted and re-authenticated to refresh the bearer token. For version 16.5 Update 7 and later, a warning message is given to the user when the token refresh process has failed; however, the user must still restart the session and re-authenticate.

The bearer token lifetime is set for each tenant by the IPS Administrator, using the Token lifetime setting in the IPS Manager user interface; it can also be set using the Admin API or the IPS PowerShell module (Automation cmdlets). Note: the lifetime cannot be modified by a tenant Administrator.

To protect the Planning Space service from unauthorized use, the token lifetime is set relatively short: the default is 15 minutes. The minimum lifetime setting is 5 minutes, and the maximum lifetime setting is 1440 minutes.
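
For Web API clients, which must handle token refresh themselves, the following added example (not Planning Space code) caches the token and re-acquires it a fixed margin before the configured lifetime runs out. The class name, the `acquire` callback and the 60-second margin are assumptions; how a token is actually obtained from your Identity Provider is not described on this page and is left to the callback.

```python
import threading
import time

# Default and bounds for the tenant's Token lifetime setting, in minutes (from this page).
MIN_LIFETIME_MIN, MAX_LIFETIME_MIN, DEFAULT_LIFETIME_MIN = 5, 1440, 15


class BearerTokenManager:
    """Caches a bearer token and re-acquires it shortly before it expires."""

    def __init__(self, acquire, lifetime_minutes=DEFAULT_LIFETIME_MIN,
                 margin_seconds=60, clock=time.monotonic):
        # `acquire` is a hypothetical caller-supplied function that performs
        # the real authentication and returns a new token string.
        if not MIN_LIFETIME_MIN <= lifetime_minutes <= MAX_LIFETIME_MIN:
            raise ValueError("token lifetime must be 5 to 1440 minutes")
        if not 0 <= margin_seconds < lifetime_minutes * 60:
            raise ValueError("margin must be shorter than the token lifetime")
        self._acquire = acquire
        self._ttl = lifetime_minutes * 60 - margin_seconds
        self._clock = clock
        self._lock = threading.Lock()  # one refresh at a time across threads
        self._token = None
        self._refresh_at = 0.0

    def get_token(self):
        """Return a token that stays valid for at least the safety margin."""
        with self._lock:
            now = self._clock()
            if self._token is None or now >= self._refresh_at:
                # Timestamp taken before the call, so request latency can only
                # shorten the period for which the cached token is trusted.
                self._token = self._acquire()
                self._refresh_at = now + self._ttl
            return self._token

    def invalidate(self):
        """Drop the cached token, e.g. after the API rejects it as expired."""
        with self._lock:
            self._token = None

    def auth_header(self):
        """Standard bearer-scheme header for the next API request."""
        return {"Authorization": "Bearer " + self.get_token()}
```

Pass the lifetime the IPS Administrator has configured for the tenant as `lifetime_minutes`; if the client assumes a longer lifetime than the server enforces, requests will fail before the refresh point is reached.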