You log in via SSO, get into TenderB, work for a while, and then — sometimes within the hour — you're bounced back to the login screen. Annoying mid-document, doubly so on a deadline. Below: what's happening, why TenderB cannot change it from our side, and how the One-time login link lets you skip SSO entirely when you need an uninterrupted session.
What SSO is and why TenderB sessions sometimes end early
Single Sign-On (SSO) lets you log in to TenderB using your organisation's identity provider — for most of our customers that's Microsoft Entra ID (formerly Azure AD), occasionally Google Workspace. Your identity provider authenticates you and issues a token to TenderB. TenderB trusts that token until it expires, then redirects you back to the identity provider to re-authenticate.
The lifetime of that token — and therefore how long your TenderB session lasts before SSO asks you to log in again — is decided by your Microsoft tenant, not by TenderB. The Microsoft defaults (documented on the Microsoft Learn page on token lifetimes) are roughly:
Access tokens last 60–90 minutes, randomised, with a default around 75 minutes.
Conditional Access sign-in frequency policies can force re-authentication on a much shorter cadence — minutes, if your admin sets it that way.
Continuous Access Evaluation (CAE) can extend session lifetime, but can also force immediate re-authentication when something changes (network change, sign-in risk increase, password change, group-membership change, etc.).
Reference: Microsoft's documentation page Configurable token lifetimes in Microsoft Entra ID.
If you're being asked to re-authenticate more than once per hour, the cause is almost always one of:
Your IT department has a Conditional Access policy with sign-in frequency set lower than 60 minutes for cloud apps.
CAE is firing — usually because your laptop is switching networks (Wi-Fi ↔ VPN ↔ ethernet) or your security context is changing.
The default randomised token lifetime is landing at the short end of the 60–90 minute window.
Why TenderB cannot change this from our side
TenderB only knows about your session what your identity provider tells us. When Microsoft says "this token has expired" or "this user must re-authenticate", we honour it — there is no setting on the TenderB side that overrides Microsoft's token policy. The fix has to come from one of two places:
Your Entra admin relaxes the policy, or
You bypass SSO using the one-time login link.
Option A — ask your Entra admin to adjust the policy
The clean fix lives in your Microsoft tenant. If repeated logouts are slowing your team down, send your IT or Entra admin a request along these lines:
"Our team uses TenderB (a SaaS application reachable via SSO from our Entra tenant). The current Conditional Access sign-in frequency policy is logging us out more than once per hour during active use. Could you raise sign-in frequency for TenderB to 8 hours, or exclude TenderB from the persistent re-authentication policy, in line with the team's productivity needs?"
Your admin can set this per-application without weakening security globally — Microsoft's reference is the Configurable token lifetimes page above. This is the right long-term fix.
Option B — use the One-time login link to bypass SSO
If you cannot wait for an admin change (deadline, admin unreachable, or your org chooses not to change the policy), you can log in without SSO using a magic link.
Go to the TenderB login page.
Enter your email address in the Email field.
Click One-time login link at the bottom of the login form (next to Reset password).
Check your email — you will receive a message from TenderB with a single-use login link.
Click the link. You're now logged into TenderB directly, with a session that is independent of your Entra token lifetime.
That session lasts as long as a normal TenderB session — typically several days — and is not interrupted by Microsoft's token-expiry redirects, because no SSO token is in play.
When the one-time login link is the right call
You're on a tender deadline and cannot afford to be redirected mid-write.
Your laptop switches networks frequently (commuting, hot-desking, VPN ↔ direct).
You're presenting or screen-sharing and don't want a login screen mid-demo.
When SSO is still the better choice
You want your TenderB access to be revoked automatically when you leave the organisation. (SSO does this; the magic link does not until your email is removed from the workspace.)
Your security policy requires every login to flow through Entra (audit/compliance).
You're an admin and need MFA enforced on every login.
The one-time login link is a productivity workaround, not a security bypass. It still requires you to control your email inbox, but it skips your org's Conditional Access policies. If you find yourself using it daily, that's a strong signal to ask your Entra admin to relax the sign-in frequency for TenderB rather than relying on the link.
If the link doesn't arrive
Check your spam/junk folder.
Confirm the email address you entered matches the one in your TenderB workspace exactly.
Some organisations strip "magic link" emails at the mail gateway. If yours does, Option A (admin policy change) is the only route — there is no SSO-bypass that doesn't depend on email delivery.
Workspace admins can disable email login for security reasons. If yours has, the One-time login link will still appear on the form but the email won't be sent. Contact your TenderB workspace admin.