Single Sign-On (SSO) Administrator’s Overview

Warning:

This SSO documentation is intended for local installations only, and is considered legacy functionality. Local installations of Flow Production Tracking are no longer offered. This documentation is only for customers with existing instances of Flow Production Tracking Enterprise Docker. Click here for a list of our current offerings.

Single Sign-On (SSO) is used by organizations to centrally control access to applications and services. Please note that SSO integration in Flow Production Tracking is not trivial. An important part of the work is required at the Identity Provider (IdP) level. As a Flow Production Tracking Admin, you will need to coordinate with your IdP Administrators to ensure that the required user information is sent over, and in the proper format.
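The IdP-side work mentioned above is usually about the attributes carried in the SAML assertion. The following is an added example, not code from this page or from Flow Production Tracking, that checks an assertion's AttributeStatement for a set of required attributes and their format before a test login. The attribute names (`email`, `firstname`, `lastname`) and the sample assertion are assumptions constructed for the example; this page does not list the attributes Flow Production Tracking requires, so substitute the names agreed with support.

```python
import re
import xml.etree.ElementTree as ET

# Standard SAML 2.0 assertion namespace.
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Attribute names and value formats the IdP is assumed to send.
# Placeholders: the required attribute set comes from the onboarding session.
REQUIRED_ATTRIBUTES = {
    "email": re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$"),
    "firstname": re.compile(r"^\S.*$"),
    "lastname": re.compile(r"^\S.*$"),
}

# Constructed sample assertion fragment (not a real capture); "lastname" is deliberately absent.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="email">
      <saml:AttributeValue>jane.doe@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="firstname">
      <saml:AttributeValue>Jane</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def extract_attributes(assertion_xml):
    """Return {attribute name: [values]} from the assertion's AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = values
    return attrs


def check_required_attributes(assertion_xml, required=REQUIRED_ATTRIBUTES):
    """List every problem found; an empty list means all required attributes are usable."""
    attrs = extract_attributes(assertion_xml)
    problems = []
    for name, pattern in required.items():
        values = attrs.get(name)
        if not values:
            problems.append(f"missing attribute: {name}")
        elif len(values) != 1:
            problems.append(f"attribute {name} must be single-valued, got {len(values)}")
        elif not pattern.match(values[0]):
            problems.append(f"attribute {name} has unexpected format: {values[0]!r}")
    return problems


if __name__ == "__main__":
    for problem in check_required_attributes(SAMPLE_ASSERTION):
        print(problem)
```

This only inspects attribute content; it does not verify the assertion's signature, which the service provider must still do. When feeding it a real assertion captured from a browser trace, parse with a hardened XML parser such as defusedxml rather than the standard library.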

Note:

To use SSO, you must first contact support asking for an onboarding session with our Street team. Please ensure that you meet all of the requirements.

Requirements

In order to use legacy SSO in Flow Production Tracking, you need to meet the following criteria:

  1. Use an IdP that supports SAML 2.0. Currently, the following IdPs support SAML 2.0:
  2. Test your tools and workflow on a Staging site before we can enable SSO on your production site. If you do not have a Staging site, we can discuss how one can be set up for you.
  3. Attend a 60 minute online onboarding meeting with a representative of our Street team. At this meeting, both Flow Production Tracking and SSO Administrators need to be present. This meeting will go over the specifics of the setup and management of SSO in Flow Production Tracking. It is also an opportunity to ask questions before we proceed with the setup.

Constraints

Enabling SSO has a number of side effects. It is important for you to evaluate the impact of SSO on your production pipeline.

A few notes about user management

While using SSO makes it easier for users to access services without re-entering their credentials, the primary benefit of SSO is increased security. Users and privileges are managed centrally, ensuring that employees who should no longer access Flow Production Tracking cannot do so.

By default, Flow Production Tracking assumes that the IdP is the authoritative reference for information about the users. When a user connects to Flow Production Tracking, we will synchronize the information your Flow Production Tracking site has about that user with what the IdP provides. While logged on, the user will be automatically re-authenticated against the IdP. Should access to Flow Production Tracking be removed for that user, they will be automatically logged out of Flow Production Tracking at the time of re-authentication. This process happens roughly every 4.5 minutes.

Even with SSO enabled, the Flow Production Tracking Administrators will still need to manage users. It will be necessary to provide users access to projects, and optionally manage their permission group. When transitioning an existing site to SSO, it may be necessary to modify some user information to ensure a seamless transition.

While automatic provisioning is possible in Flow Production Tracking, it may not be the ideal option. Users created this way will likely not have the proper access to their Flow Production Tracking projects, resulting in support calls for the Administrators. You may want to create the users in Flow Production Tracking, as was done before, in order to ensure that they are assigned to the correct projects and have the proper Permission Group. Access to the Flow Production Tracking site itself is still managed at the IdP level.

Provisioning

When using automatic provisioning, user accounts are only created at the moment when the user first connects to the Flow Production Tracking site.

Automatic de-provisioning is not supported. When an employee leaves or is assigned to another project, their access to Flow Production Tracking should be removed at the IdP. However, the Flow Production Tracking user account remains present and active until an Administrator explicitly deactivates it.

Note:

You will be charged for the user until it is deactivated.
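Because de-provisioning is manual, an Administrator needs a way to spot accounts that are still active in Flow Production Tracking but no longer enabled at the IdP. The following is an added example, not code from this page or from Flow Production Tracking, that reconciles the two lists and produces the deactivation updates to review. Both user lists are constructed sample data; in practice the Flow Production Tracking side would come from the site's API (the author assumes the Python API's `HumanUser` entity with its `sg_status_list` field, `act`/`dis`) and the IdP side from whatever export your IdP offers. The exempt-login set is an assumption for service accounts that are not IdP-managed.

```python
# Constructed sample IdP export (not a real directory dump).
IDP_USERS = [
    {"email": "jane.doe@example.com", "enabled": True},
    {"email": "bob.smith@example.com", "enabled": False},   # disabled at the IdP
]

# Constructed sample of active Flow Production Tracking users, shaped like
# the records the Python API is assumed to return for HumanUser.
FPT_ACTIVE_USERS = [
    {"id": 101, "login": "jane.doe@example.com", "sg_status_list": "act"},
    {"id": 102, "login": "bob.smith@example.com", "sg_status_list": "act"},
    {"id": 103, "login": "old.contractor@example.com", "sg_status_list": "act"},
    {"id": 104, "login": "render_bot", "sg_status_list": "act"},
]

# Logins that are deliberately not managed by the IdP (assumed service accounts).
EXEMPT_LOGINS = {"render_bot"}


def find_orphaned_accounts(fpt_users, idp_users, exempt=EXEMPT_LOGINS):
    """Active site accounts whose login is not an enabled IdP user."""
    enabled = {u["email"].lower() for u in idp_users if u.get("enabled")}
    orphans = []
    for user in fpt_users:
        if user.get("sg_status_list") != "act":
            continue                      # already deactivated, nothing to do
        login = user["login"].lower()
        if login in exempt or login in enabled:
            continue
        orphans.append(user)
    return orphans


def deactivation_updates(orphans):
    """(entity_type, id, data) triples for an admin to apply after review,
    e.g. with the Python API's update(entity_type, id, data)."""
    return [("HumanUser", u["id"], {"sg_status_list": "dis"}) for u in orphans]


if __name__ == "__main__":
    orphans = find_orphaned_accounts(FPT_ACTIVE_USERS, IDP_USERS)
    for entity, user_id, data in deactivation_updates(orphans):
        print(f"would set {entity} {user_id} -> {data}")
```

The script is deliberately a dry run: it prints what it would change rather than applying it, so an Administrator can confirm the list (and the exemptions) before deactivating anyone. Running it on a schedule and alerting on a non-empty result turns the manual de-provisioning step into something that is at least detected promptly, which also bounds how long a departed user's account keeps being billed.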

To learn more, please see Single Sign-On configuration and Single Sign-On troubleshooting.