What is Single Sign-On?
Single Sign-On (SSO) is used by organizations to centrally control access to applications and services. For users, it simplifies their work by removing the need to authenticate with each service.
When your Shotgun site is configured to use SSO, your interaction with the site will change a bit from the default login flow.
Accessing your Shotgun site in your browser
When you navigate to the URL of your Shotgun site, instead of the usual Login / Password page, you will see the following page. It informs you that your corporate credentials will be used instead to access Shotgun:
Shotgun Sign In
SSO login in a Windows environment (desktop SSO integration)
If you are working in a Windows environment, it is very likely that you will not need to enter your credentials. The required information will be sent automatically from your machine’s current Windows session to the server. This is called ‘desktop SSO integration’.
SSO login in other environments
On Linux and Mac, and sometimes on Windows, you will be prompted for your credentials. The specific graphical user interface (GUI) being shown to the user will differ according to the SSO system being used and can also be customized with the company logo and other information.
As an example, here is what you would see if your company uses Okta for SSO:
Okta Sign In
Failed login
If you entered incorrect credential information, or if you were not granted access to Shotgun, you will get an error message from either the SSO system or from Shotgun. This is dependent on the SSO system used by your company.
Here are two examples of denied access.
Blocked at the SSO system level
This error message is from the SSO system, where your user’s credentials have not been granted access to Shotgun.
You will need to contact your Shotgun Administrator to get this resolved.
Okta No Access
Blocked at the Shotgun level
The following error occurs when your credentials were correct, but you were still not given access to Shotgun.
You will need to contact your Shotgun Administrator to get this resolved.
Shotgun No Access
Your first connection using SSO
Your initial connection to an SSO-enabled Shotgun site may require a few additional steps. Don’t worry, this will happen only once. Your future visits should be seamless.
If you already had a Shotgun account before SSO was turned on
Ideally, your Shotgun Administrator has taken care of configuring everything. You should connect directly to your Shotgun site and be able to work right away.
If this is the case, you should have received an email mentioning that SSO has been enabled on your Shotgun site:
Shotgun SSO Activated
If you already had a Shotgun account, but something went wrong
While your Shotgun Administrator may have done everything in their power to make the transition to SSO as smooth as possible, an error or problem may still occur. There are three possible situations.
- Your user does not exist in Shotgun. With the first situation, you will be notified:
  This usually happens when your old Shotgun login does not match the login information sent over by the SSO system. Your Shotgun Admin will need to ensure that they match or link the two accounts.
  You will need to contact your Shotgun Administrator to get this resolved.
- Your email address in Shotgun matches the email provided by the SSO system. You will be asked to manually link your accounts.
  Here, you have two choices:
  - Link your SSO account with the Shotgun account. You will be asked to provide your password for your Shotgun account in order to prove who you are. If you have forgotten your password, you can always click on the ‘Forgot login or password’ link.
    Shotgun Link Account Password
  - You can also elect to skip the account linking. We do not recommend this step. Not linking your account will result in creating a new user. This new user will not be tied to your old account and will be missing your old privileges and accesses.
  You will need to contact your Shotgun Administrator to get this resolved.
- No match was made in the list of existing users. You will be asked to manually link your account with an existing user account on Shotgun.
  Here you have two choices:
  - Link your SSO account with an existing Shotgun account. You will be asked to provide the username and password for that account in order to prove who you are. If you have forgotten your password, you can always click on the ‘Forgot login or password’ link.
  - You can also elect to skip the account linking. We do not recommend this step. Not linking your account will result in creating a new user. This new user will not be tied to your old account and will be missing your old privileges and accesses.
  You will need to contact your Shotgun Administrator to get this resolved.
If you did not have an existing Shotgun account
Ideally, your Shotgun Administrator should have created a user for you, with the appropriate login name and access to the needed projects. In that case, you should connect directly to Shotgun.
If this is the case, you will have received an email inviting you to the Shotgun site:
Shotgun SSO Invitation
Clicking on ‘Accept invitation’ will log you in automatically.
On the following page, choose the answer that this is your first account on the site, and proceed with signing in:
Shotgun Link Account No Matches
If you do not access Shotgun directly and are being asked to link your account or create a new user
Should you see any unexpected errors or if you are asked to link to an existing account, this is a strong indication that something has gone very wrong. Please do not proceed, unless specifically instructed to do so by your Shotgun Administrator. Incorrect manipulations may cause undesired effects and result in additional delays.
You will need to contact your Shotgun Administrator to get this resolved.
Accessing your Shotgun site in RV
If your studio uses RV, you need to ensure that you are using version 7.2.2 or later in order to connect to your SSO-enabled Shotgun site.
We strongly suggest that you first try to successfully connect to your Shotgun server using a browser. This is to ensure that you have proper access before using any other means to log in to Shotgun.
When you see the following connection dialog, click on the ‘Use Single Sign-On (SSO)’ link:
RV Connect
This will switch to the following dialog:
RV Connect SSO
Click ‘Continue’.
Should you experience any issues, please refer to the Failed login section. We also strongly suggest that you contact your Shotgun Administrator if you encounter any unexpected behavior.
Accessing your Shotgun site with Shotgun Desktop
If your studio uses Shotgun Desktop, you need to ensure that you are using version 1.5.0 or later in order to connect to your SSO-enabled Shotgun site.
We strongly suggest that you first try to successfully connect to your Shotgun server using a browser. This is to ensure that you have proper access before using any other means to log in to Shotgun.
When you see the following connection dialog, type in your site’s URL:
SG Desktop Login
The dialog will automatically detect that your site uses SSO:
SG Desktop Login SSO
Click ‘Sign in’ to proceed.
Should you experience any issues, please refer to the Failed login section. We also strongly suggest that you contact your Shotgun Administrator if you encounter any unexpected behavior.
Accessing your Shotgun site with internal tools and third-party applications
Any internal tools or third-party applications your studio uses to access Shotgun will need to be modified to support SSO.
Before enabling SSO on your Shotgun site, your Administrator should have ensured that your environment was ready for the switch.
If you encounter any issues with internal tools and third-party applications, please contact your Shotgun Administrator.
Troubleshooting
You received an email stating that SSO has been deactivated
It is possible that your Shotgun Administrator has decided to disable SSO. The immediate impact for you is that you will need to remember the Shotgun credentials you used prior to SSO being activated.
There are two possible scenarios here:
- You did not have a Shotgun account prior to SSO being enabled. In this case, you should have received the following email:
  Click on the ‘Reset your password’ link to proceed.
- You did have a Shotgun account prior to SSO being enabled. In this case, you should have received the following email:
  As the message indicates, you will need to remember your prior credentials. If you did forget your password, you can click on the ‘Forgot login or password’ link at the sign-in page to reset your password.
I have no access to any projects
You may successfully access your Shotgun server, but see the following page:
Shotgun No Projects
There are two possible scenarios here:
- If you are a new user, the Shotgun Administrator may have forgotten to assign you to your project.
- If you had a Shotgun account before, there may have been an oversight or a misconfiguration.
In either case, please contact your Shotgun Administrator to get the issue resolved.
I keep seeing a small window pop-up appear after I log into Shotgun
After logging into Shotgun, you may see the following browser window appear:
SSO Renewal Window
This is perfectly normal. As the text states, please do not close this window. It is used to continually authenticate your user with Shotgun and your SSO system. If you close the window, it will re-open automatically later. Then you may have to authorize Shotgun to open pop-ups in your browser (see I am being asked to allow Shotgun to open a new window).
This pop-up window appears because of a constraint tied to your SSO system.
The window should close automatically once you sign out of Shotgun.
I am being asked to allow Shotgun to open a new window
See also: I keep seeing a small window pop-up appear after I log into Shotgun
Closing the window that opened after you initially connected to Shotgun may lead to the following message:
Shotgun Popup Blocked
You will need to allow Shotgun to open new windows in order to use the site.
The mechanism to allow Shotgun to open a new window will depend on your browser. On Google Chrome, you will see a red notification in the address bar. Clicking on it will bring up the following menu:
Shotgun Popup Blocked
Choose the option to always allow pop-ups, click on ‘Done’ and then click on ‘OK’ in the notification window.
You should see a smaller Shotgun window appear in the lower left part of your screen.
If you did not close any windows after logging in, please contact your Shotgun Administrator, as there is an incorrect configuration.
Sometimes I am unable to log in to Shotgun
Your local computer clock may not have the correct time. A minor difference between your computer clock and that of the Shotgun or SSO server can cause problems.
An easy way to identify clock skew is by visiting this site: time.is.
The upper left corner will indicate if the time is correct:
or if there is a significant skew:
Please contact your System Administrator to fix your computer’s clock or contact your Shotgun Administrator if the issue persists.
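For a measurement rather than a visual check, the following added example (not part of the original guide and not Shotgun's own code) compares the local clock with the Date header returned by an HTTPS server such as your Shotgun site or SSO portal. The function names and the 120-second tolerance are assumptions; this page does not state how much skew is acceptable.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from urllib.request import Request, urlopen

TOLERANCE_S = 120  # assumed threshold; the guide gives no figure


def skew_seconds(date_header, local_utc):
    """Signed skew in seconds: positive means the local clock is ahead."""
    server = parsedate_to_datetime(date_header)
    if server.tzinfo is None:  # header without a usable zone: treat as UTC
        server = server.replace(tzinfo=timezone.utc)
    return (local_utc - server).total_seconds()


def classify(date_header, local_utc, tolerance=TOLERANCE_S):
    """Return (status, skew); status is 'ok', 'skewed' or 'unknown'."""
    if not date_header:
        return "unknown", None
    try:
        skew = skew_seconds(date_header, local_utc)
    except (TypeError, ValueError):  # malformed Date header
        return "unknown", None
    return ("ok" if abs(skew) <= tolerance else "skewed"), skew


def probe(url, timeout=10):
    """Live check: HEAD the URL and compare its Date header to the local clock."""
    before = datetime.now(timezone.utc)
    with urlopen(Request(url, method="HEAD"), timeout=timeout) as resp:
        header = resp.headers.get("Date")
    after = datetime.now(timezone.utc)
    midpoint = before + (after - before) / 2  # halves the network-latency error
    return classify(header, midpoint)


if __name__ == "__main__":
    # Constructed sample values, not captured from a real site.
    local = datetime(2024, 3, 5, 14, 4, 10, tzinfo=timezone.utc)
    print(classify("Tue, 05 Mar 2024 14:00:00 GMT", local))  # local clock ahead
    print(classify("Tue, 05 Mar 2024 14:04:05 GMT", local))  # within tolerance
```

The Date header has one-second resolution, so treat results of a second or two as noise. To run the live check, call probe() with the URL of your own site.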
In RV, my sessions do not last as long as before
With SSO enabled, the duration of sessions is no longer controlled by Shotgun or by RV. It is controlled by the SSO backend and your IT department.
I keep experiencing inconsistent behavior when logging into Shotgun
This may include intermittent access or being asked to link your account or create a new one.
There may be some leftover information from a previous session.
We strongly recommend that you clear all of the cookies in the browser for your user. The way to do that depends on the browser you use. Please consult the appropriate help documentation.
If the problem persists, please contact your Shotgun Administrator.