We have multiple applications that wants to use Okta for SSO. Each application has a different SSO mechanism like SAML and JWT. My app uses JWT tokens - both refresh and access token, and I would like to know if there is a way to keep the Okta session alive when access tokens are issued.

Below is a scenario.

System: App1 and App2 are trying to do SSO using Okta. App1 uses JWT. App2 uses SAML.

Assumption: Okta session lifetime is 30 mins. Refresh token lifetime is 1 hr and Access token lifetime is 15 mins.

App

1) User logs into app1 and continues using the app for an hour. By this time the Okta session has expired.

2) User then clicks a link that takes them to app2 but since Okta session has expired, they are asked to login again.

Step 2 may not be a great user experience for us because we are asking the user to re-login when they have been active in one of the apps. In other words, SSO only works for 30 mins which is the lifetime of the Okta session. So below are my questions.

a) Is there a way to extend the Okta session lifetime when a refresh token is used to get access token after the previous access token expires? We use refresh token rotation, so a new refresh token would be issued everytime we get an access token.

b) Is it good practice to design this way?

c) Can this be configured in Okta itself instead of the app having the responsibility to keep the Okta session alive?

d) If the app should do this, are there any recommendations/documentation from Okta regarding the best way to implement it?

Really appreciate the community's help. I read threads on this topic but they dont address these questions directly, so I thought I would create a new one. If you need additional information, please let me know and I am happy to provide.