Single Sign-On (SSO) Troubleshooting

Help!! Single sign-on (SSO) is enabled and misconfigured and I cannot log back in

Because of a configuration mistake, a change in your infrastructure, or simply an expired certificate, you can find yourself locked out of your Shotgun site.

For Shotgun Administrators, there is an alternate login flow which uses the old username and password mechanism. This can only be used for Administrators and is only meant to fix configuration issues, not to interact with the site for Production purposes.

Shotgun Sign In

At the bottom of the page, you will find a Site Administration link that will bring you to the old login graphical user interface (GUI). If your user was created while SSO was enabled, you will not have a password associated with your user. In that case you can click on the Forgot login or password link to set one.

If you are still unable to connect to your site, please contact Shotgun support.

I have Shotgun users who are outside my organization

If you have users who are geographically situated outside of your premises, your Identity Provider (IdP) server will need to be accessible from outside your intranet. IP whitelisting is a solution to restrict access to your IdP, but it also decreases the ease of accessing your Shotgun server.

If you have outsourced some of the work or rely on external vendors, then you must add these contributors to your IdP system. When SSO is enabled, all of the users will need to authenticate with SSO.

Adding these contributors to your IdP may leave them with more than one email address: their original one and another that uses your organization’s domain. Usually the IdP will know only about your organization’s domain, whereas you may want Shotgun to use the external address.

Assuming that the user was created by a Shotgun Administrator and that external email is actively used to notify the user, you will want to prevent Shotgun from updating the email address with the one provided by the IdP. To achieve that, you need to use the Ignore some fields in update option, with the email token.

Some of my users are sporadically unable to connect to Shotgun

If users are complaining that their access to Shotgun is intermittent, the first thing to look at is the clock settings on your servers and client machines. Clock drift can be an issue as SAML claims are defined as valid for a set window of time, between two UTC timestamps.

If you have a browser running on your server or on your user’s machine, try using https://time.is to check for clock drift.

A user mistakenly created a second account

It is possible that on an initial connection to the Shotgun site, a user may have created a new account instead of linking their existing account.

If you were notified soon after the mistake, and no work was done with that new user, the problem can be remedied quickly:

  1. Ask the user to log out of Shotgun.
  2. Look for the new duplicate user on the People page of the site and take note of its login field value.
  3. Locate the original Shotgun account that should have been linked.
  4. Edit the account’s Single Sign-On Login field with the value from step 2.
  5. Send the new user to the Trash.
  6. Ask the user to log in again. They should now be using their original user.

If there is still an issue, please contact Shotgun Support.

If the problem was not seen immediately, and the new user was active for a period of time and was granted access to projects:

The solution is to merge the old and the new accounts into the old one. This preserves all the links, history, and other important metadata. Unfortunately the Shotgun Administrator cannot merge accounts. You will need to:

  1. Contact Shotgun Support, as they have the tools to merge accounts.
  2. Let Support know when to do the merging, during a moment where no other users are actively accessing Shotgun. This is because while merging accounts, the database will be blocked for other users.

I am having trouble configuring my IdP / users cannot connect to Shotgun

The first step is to ensure that all of the required information is properly sent over to Shotgun by your IdP. Chrome and Firefox offer plugins and add-ons to see the SAML payload being sent to Shotgun. Use these tools to ensure that all of the claims (login_id, firstname, lastname, email, access, and optionally groups) are present.

Some plugins we have used (not an exhaustive list):

  • SAML Tracer (Firefox)
  • SAML Message Decoder (Chrome)
  • SAML DevTools extension (Chrome)
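Two of the checks described on this page, the validity window of the SAML assertion (the clock-drift section above) and the presence of the required claims, can be scripted against a decoded SAML response saved from one of those browser tools. The following is an added example written for this page, not code from Shotgun or from any of the plugins listed. It assumes a constructed sample response (not a real capture), standard SAML 2.0 namespaces, and that the IdP emits the attribute `Name` values exactly as the claim names the article lists (an assumption; your IdP’s attribute mapping may differ).

```python
import datetime as dt
import xml.etree.ElementTree as ET

# Standard SAML 2.0 namespaces used by the Response and Assertion elements.
SAML_NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}

# Claim names as listed in the article; the attribute Name values are
# assumed to match them one-to-one (adjust for your IdP's mapping).
REQUIRED_CLAIMS = ("login_id", "firstname", "lastname", "email", "access")
OPTIONAL_CLAIMS = ("groups",)

# Constructed sample response: deliberately missing the "access" claim so
# the checker has something to report. Not a real capture.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:05:00Z"/>
    <saml:AttributeStatement>
      <saml:Attribute Name="login_id"><saml:AttributeValue>jdoe</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="firstname"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="lastname"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="email"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="groups">
        <saml:AttributeValue>artists</saml:AttributeValue>
        <saml:AttributeValue>leads</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def parse_iso_utc(value):
    """Parse a SAML xsd:dateTime ('...Z', with or without fractional seconds) as aware UTC."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%M:%S.%fZ"):
        try:
            return dt.datetime.strptime(value, fmt).replace(tzinfo=dt.timezone.utc)
        except ValueError:
            continue
    raise ValueError("unsupported SAML timestamp: %r" % value)


def extract_claims(xml_text):
    """Return {attribute name: [values...]} from every Attribute in the response."""
    root = ET.fromstring(xml_text)
    claims = {}
    for attr in root.iterfind(".//saml:Attribute", SAML_NS):
        values = [(v.text or "").strip() for v in attr.iterfind("saml:AttributeValue", SAML_NS)]
        claims[attr.get("Name")] = values
    return claims


def missing_claims(claims):
    """Required claims that are absent or carry only empty values."""
    return [name for name in REQUIRED_CLAIMS if not any(claims.get(name, []))]


def check_validity_window(xml_text, now_utc=None, tolerance_s=0):
    """Compare the assertion's NotBefore/NotOnOrAfter window against a clock.

    now_utc defaults to the local clock; tolerance_s is the clock skew you are
    willing to accept. Returns 'valid', 'not yet valid' or 'expired'.
    """
    if now_utc is None:
        now_utc = dt.datetime.now(dt.timezone.utc)
    cond = ET.fromstring(xml_text).find(".//saml:Conditions", SAML_NS)
    not_before = parse_iso_utc(cond.get("NotBefore"))
    not_on_or_after = parse_iso_utc(cond.get("NotOnOrAfter"))
    skew = dt.timedelta(seconds=tolerance_s)
    if now_utc + skew < not_before:
        return "not yet valid"
    if now_utc - skew >= not_on_or_after:
        return "expired"
    return "valid"


def diagnose(xml_text, now_utc=None, tolerance_s=0):
    """One-shot report combining the window check and the claim check."""
    claims = extract_claims(xml_text)
    return {
        "window": check_validity_window(xml_text, now_utc, tolerance_s),
        "missing_required": missing_claims(claims),
        "optional_present": [n for n in OPTIONAL_CLAIMS if any(claims.get(n, []))],
    }


if __name__ == "__main__":
    # Evaluate the constructed sample as if the local clock read 12:02 UTC.
    print(diagnose(SAMPLE_RESPONSE, parse_iso_utc("2024-01-01T12:02:00Z")))
```

Paste the decoded XML from the browser tool into `SAMPLE_RESPONSE` (or read it from a file) and run the script on the machine whose clock you suspect. A window result of "not yet valid" or "expired" while the user was actually logging in points at clock drift on that machine or on the IdP; a non-empty `missing_required` list means the IdP attribute mapping, not Shotgun, is what needs fixing.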

If everything looks good on the SAML front, then double-check the IdP configuration. Copy and paste the URLs instead of typing them in, and double-check any values entered manually.

You can also open a Support ticket with us so that we can dig into the Shotgun server logs to spot any helpful information.

To learn more, please see “SSO in Shotgun: An Administrator’s guide” and “Single Sign-On configuration.”
