JPSeabury

How to avoid SSO Timeout

Background Info:
First, some background info, to help give context. Contact records in our Salesforce org are automatically created: we have an integration with an external platform that tracks mobile user registration -- when a user downloads the mobile app from the App Store / Google Play and registers for the product, their personal information (first name, last name, email, phone, some other key details) is pushed into Salesforce as a Contact record. If the user updates their information, the contact info in Salesforce is updated / refreshed with the new info.

Anticipating there might be scenarios in which the information wasn't automatically refreshed properly, I added an "Update Contact" button, which triggers a Flow > Apex > HTTP Request callout to the target platform storing contact info. All relatively straightforward, everything works great.

The Issue:
All users must access Salesforce (and other backend systems) via SSO. When I first log in, I've noticed I can execute those operations under that "Update Contact" button with no issue -- but if I don't trigger them for 15 minutes, I'll start getting a 401 Response. My HttpRequest AuthHeader uses an Access Token, and I suspect the issue is that the token expires after 15 minutes. (NOTE: My Salesforce Session settings are set for 2 hours, but that has no bearing on the Access Token -- if I don't make use of it regularly, it will time out after 15 minutes of no HTTP callouts).

One approach I've considered is that if my HttpRequest gets a 401 response back, then I could prompt the user for their SSO login password and then log back in with a HttpRequest POST containing their credentials. That feels like a cumbersome user experience. The user will be constantly having to enter their SSO password to log in if they want to refresh consumer data, due to strict time-out rules of our backend env.

Is there a better method for keeping the session alive, so users don't need to provide their SSO credentials on those infrequent occasions where they need to refresh contact info?
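The following Apex class is an added example, not code from the original post or from the poster's org. It shows the shape of the "Update Contact" callout described above together with the 401 handling the poster considered, but instead of prompting the user for an SSO password it keeps the access token in Platform Cache and, on a 401, obtains a new one with an OAuth 2.0 refresh-token grant and retries exactly once. It assumes the target platform issues refresh tokens, which the post does not state; the endpoint URLs, the protected custom setting ContactApi_Settings__c (fields Refresh_Token__c, Client_Id__c, Client_Secret__c) and the cache partition "ContactApi" are hypothetical placeholders. The @InvocableMethod wrapper that the Flow would call is omitted.

```apex
// Added example, not the original post's code. URLs, the custom setting and
// the cache partition are hypothetical; the unnamed target platform is assumed
// to support OAuth 2.0 refresh tokens.
public with sharing class ContactRefreshClient {
    public class TokenRefreshException extends Exception {}

    private static final String API_BASE  = 'https://api.example.com';             // assumed
    private static final String TOKEN_URL = 'https://auth.example.com/oauth/token'; // assumed
    private static final String CACHE_KEY = 'local.ContactApi.accessToken';         // assumed partition
    // Keep the cached copy a little shorter than the ~15 minute idle expiry the post observed.
    private static final Integer CACHE_TTL_SECS = 840;

    // A rotated refresh token must be written only after the last callout in this
    // transaction: Apex refuses a callout once uncommitted DML is pending.
    private static String pendingRefreshToken;

    public class Result {
        public Integer statusCode;
        public String body;
        public Boolean retriedAfter401 = false;
    }

    // Entry point behind the "Update Contact" button (called from the Flow's Apex action).
    public static Result fetchContact(String externalId) {
        Result r = new Result();
        HttpResponse res = send(externalId, getAccessToken(false));
        if (res.getStatusCode() == 401) {
            // The access token has most likely expired: force a refresh and retry
            // once. Never loop on 401, or a revoked token becomes a hot loop of callouts.
            r.retriedAfter401 = true;
            res = send(externalId, getAccessToken(true));
        }
        r.statusCode = res.getStatusCode();
        r.body = res.getBody();
        persistRotatedRefreshToken(); // DML last, after every callout
        return r;
    }

    private static HttpResponse send(String externalId, String token) {
        HttpRequest req = new HttpRequest();
        req.setEndpoint(API_BASE + '/contacts/' + EncodingUtil.urlEncode(externalId, 'UTF-8'));
        req.setMethod('GET');
        req.setHeader('Authorization', 'Bearer ' + token);
        req.setTimeout(20000);
        return new Http().send(req);
    }

    // Returns the cached access token, or exchanges the stored refresh token for a new one.
    private static String getAccessToken(Boolean forceRefresh) {
        if (!forceRefresh) {
            String cached = (String) Cache.Org.get(CACHE_KEY);
            if (cached != null) {
                return cached;
            }
        }
        ContactApi_Settings__c cfg = ContactApi_Settings__c.getOrgDefaults(); // hypothetical protected custom setting

        HttpRequest req = new HttpRequest();
        req.setEndpoint(TOKEN_URL);
        req.setMethod('POST');
        req.setHeader('Content-Type', 'application/x-www-form-urlencoded');
        req.setBody('grant_type=refresh_token'
            + '&refresh_token=' + EncodingUtil.urlEncode(cfg.Refresh_Token__c, 'UTF-8')
            + '&client_id=' + EncodingUtil.urlEncode(cfg.Client_Id__c, 'UTF-8')
            + '&client_secret=' + EncodingUtil.urlEncode(cfg.Client_Secret__c, 'UTF-8'));
        HttpResponse res = new Http().send(req);
        if (res.getStatusCode() != 200) {
            // The refresh token itself is expired or revoked. Only now does someone
            // need to re-authorise through the IdP, not on every idle 401.
            throw new TokenRefreshException('Token refresh failed: HTTP ' + res.getStatusCode());
        }
        Map<String, Object> tok = (Map<String, Object>) JSON.deserializeUntyped(res.getBody());
        String access = (String) tok.get('access_token');

        // Some servers rotate the refresh token on every use; remember it for later persistence.
        if (tok.containsKey('refresh_token')) {
            pendingRefreshToken = (String) tok.get('refresh_token');
        }
        Cache.Org.put(CACHE_KEY, access, CACHE_TTL_SECS);
        return access;
    }

    private static void persistRotatedRefreshToken() {
        if (pendingRefreshToken == null) {
            return;
        }
        ContactApi_Settings__c cfg = ContactApi_Settings__c.getOrgDefaults();
        cfg.Refresh_Token__c = pendingRefreshToken;
        upsert cfg;
        pendingRefreshToken = null;
    }
}
```

Two practical notes. First, the platform-native way to get this behaviour is a Named Credential backed by an OAuth 2.0 Auth. Provider: the Apex sets the endpoint to `callout:Name` and Salesforce injects and refreshes the token itself, so no Apex code ever handles the secret; the class above spells the 401 path out only so the retry logic is visible. Second, whichever route is taken, prompting the user for their SSO password inside a Flow screen and POSTing it from Apex is the option to avoid: it trains users to type IdP credentials into a non-IdP form, puts a password through Apex debug logs and transaction state, and bypasses whatever MFA the IdP enforces.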