"Token Expired" error message when returning from a supplier's PunchOut catalog
I receive a Token Expired error message when returning from a supplier's PunchOut catalog.
Multiple scenarios can cause this error:
- The buyer is using the deprecated s1-2 Front Door to access Ariba.
- The session's BuyerCookie value from the PunchOutSetupRequest (POSR) is not maintained or is different in the PunchOutOrderMessage (POOM) returned by the supplier.
- The supplier uses cross-site cookies, which the latest versions of the Chrome and Edge browsers restrict. The Chromium project changed how cookies are handled in the winter of 2020. Details on this change can be found here. Users with a Chrome version prior to 90 could disable SameSite cookies to avoid being impacted; however, as of version 90, SameSite cookies can no longer be disabled.
Depending on which scenario applies to your situation, one of the following actions may need to take place:
- If the s1-2 front door has been deprecated, you must use the front door. The following KBA has additional details: KB0844458.
- If the session's BuyerCookie value from the POSR is different from the POOM returned by the supplier, the supplier must ensure that the BuyerCookie they are sending in the POOM matches what they are receiving in the POSR sent by Ariba. See BuyerCookie Element for more information.
- If the supplier uses cross-site cookies, see KB0401486.
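
For the BuyerCookie scenario, the following added example (not Ariba's or the supplier's own code) shows one way a supplier could compare the BuyerCookie in a captured POSR with the one in the POOM it sent back. The sample documents are constructed and trimmed, and the result labels other than "match" are assumptions made here as diagnostic aids:

```python
import xml.etree.ElementTree as ET

# Constructed samples, trimmed to the elements this check reads.
POSR = """<cXML payloadID="1@buyer.example" timestamp="2024-01-01T10:00:00+00:00">
  <Request><PunchOutSetupRequest operation="create">
    <BuyerCookie>c64af92dc27e68172e030d3dfd1bc944</BuyerCookie>
  </PunchOutSetupRequest></Request>
</cXML>"""

POOM_TEMPLATE = """<cXML payloadID="2@supplier.example" timestamp="2024-01-01T10:05:00+00:00">
  <Message><PunchOutOrderMessage>
    <BuyerCookie>{cookie}</BuyerCookie>
  </PunchOutOrderMessage></Message>
</cXML>"""


def buyer_cookie(cxml_text, parent_tag):
    """Return the raw BuyerCookie text under the given parent element."""
    # Input here is the supplier's own captured traffic; use a hardened
    # parser (e.g. defusedxml) if the XML comes from an untrusted source.
    node = ET.fromstring(cxml_text).find(f".//{parent_tag}/BuyerCookie")
    if node is None:
        raise ValueError(f"no BuyerCookie under {parent_tag}")
    return node.text or ""


def compare_buyer_cookie(posr_xml, poom_xml):
    """Classify how the POOM's BuyerCookie relates to the one in the POSR."""
    sent = buyer_cookie(posr_xml, "PunchOutSetupRequest")
    returned = buyer_cookie(poom_xml, "PunchOutOrderMessage")
    if sent == returned:
        return "match"
    if not returned.strip():
        return "missing"             # element present but empty
    if sent.strip() == returned.strip():
        return "whitespace-changed"  # padded or re-wrapped on the way back
    if sent.lower() == returned.lower():
        return "case-changed"        # normalised by the supplier's system
    return "different"               # e.g. a cookie from another session


if __name__ == "__main__":
    for value in ("c64af92dc27e68172e030d3dfd1bc944",
                  " c64af92dc27e68172e030d3dfd1bc944\n",
                  "C64AF92DC27E68172E030D3DFD1BC944", "", "0000"):
        poom = POOM_TEMPLATE.format(cookie=value)
        print(repr(value), "->", compare_buyer_cookie(POSR, poom))
```

Only "match" satisfies the requirement stated above; the other labels point at where the value was altered.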