Single Sign-On (SSO) Troubleshooting

Warning:

This SSO documentation is intended for local installations only, and is considered legacy functionality. Local installations of Flow Production Tracking are no longer offered. This documentation is only for customers with existing instances of Flow Production Tracking Enterprise Docker. Click here for a list of our current offerings.

Help!! Single sign-on (SSO) is enabled and misconfigured and I cannot log back in

Due to configuration mistakes, changes in the infrastructure, or simply an expired certificate, you can be locked out of your Flow Production Tracking site.

For Flow Production Tracking Administrators, there is an alternate login flow which uses the old username and password mechanism. This can only be used for Administrators and is only meant to fix configuration issues, not to interact with the site for Production purposes.

Flow Production Tracking Sign In

At the bottom of the page, you will find a Site Administration link that will bring you to the old login graphical user interface (GUI). If your user was created while SSO was enabled, you will not have a password associated with your user. In that case you can click on the Forgot login or password link to set one.

If you are still unable to connect to your site, please contact Flow Production Tracking support.

I have Flow Production Tracking users who are outside my organization

If you have users who are located outside of your premises, your Identity Provider (IdP) server will need to be accessible from outside your intranet. IP allow-listing is one way to restrict access to your IdP, but it also makes accessing your Flow Production Tracking server less convenient.

If you have outsourced some of the work or rely on external vendors, then you must add these contributors to your IdP system. When SSO is enabled, all of the users will need to authenticate with SSO.

Adding these contributors to your IdP may leave them with more than one email address: their original one and another that uses your organization’s domain. Usually the IdP will know only about your organization’s domain, and you may want Flow Production Tracking to use the external address.

Assuming that the user was created by a Flow Production Tracking Administrator and that external email is actively used to notify the user, you will want to prevent Flow Production Tracking from updating the email address with the one provided by the IdP. To achieve that, you need to use the Ignore some fields in update option, with the email token.

Some of my users are sporadically unable to connect to Flow Production Tracking

If users are complaining that their access to Flow Production Tracking is intermittent, the first thing to look at is the clock settings on your servers and client machines. Clock drift can be an issue because SAML claims are only valid for a set window of time, between two UTC timestamps.

If you have a browser running on your server or on your user’s machine, try using https://time.is to check for clock drift.

A user mistakenly created a second account

It is possible that on an initial connection to the Flow Production Tracking site, a user may have created a new account instead of linking their existing account.

If you were notified quickly after the mistake, and no work was done with that new user, the problem can be remedied quickly:

  1. Ask the user to log out of Flow Production Tracking.
  2. Look for the new duplicate user on the People page of the site and take note of its login field value.
  3. Locate the original Flow Production Tracking account that should have been linked.
  4. Edit the account’s Single Sign-On Login field with the value from step 2.
  5. Send the new user to the Trash.
  6. Ask the user to log in again. They should now be using their original user.

If there is still an issue, please contact Flow Production Tracking Support.

If the problem was not noticed immediately and the new user was active for a period of time and was granted access to projects, the solution is to merge the old and the new accounts into the old one. This preserves all the links, history, and other important metadata. Unfortunately the Flow Production Tracking Administrator cannot merge accounts. You will need to:

  1. Contact Flow Production Tracking Support, as they have the tools to merge accounts.
  2. Let Support know when to do the merging, during a moment where no other users are actively accessing Flow Production Tracking. This is because while merging accounts, the database will be blocked for other users.

I am having trouble configuring my IdP or users cannot connect to Flow Production Tracking

The first step is to ensure that all of the required information is properly sent over to Flow Production Tracking by your IdP. Chrome and Firefox offer plugins and add-ons to see the SAML payload being sent to Flow Production Tracking. Use these tools to ensure that all of the claims (login_id, firstname, lastname, email, access, and optionally groups) are present.
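The two checks above (the validity window from the clock-drift section, and the presence of the expected claims) can be done offline on a captured SAMLResponse form field. The following script is an added example written for this page; it is not part of Flow Production Tracking, and it assumes that the IdP sends the claims as plain SAML `Attribute` elements whose `Name` values match the claim names listed above (a real IdP may use a different attribute mapping). The sample response embedded in it is constructed for the example, is unsigned, and deliberately omits the `email` claim; the script does not verify signatures, so it is a diagnostic aid for reading what the IdP sent, not a replacement for the server's own validation.

```python
"""Troubleshooting aid for a SAML 2.0 response sent to Flow Production Tracking.

Checks two things a support engineer looks at first:
  1. Does the assertion's NotBefore / NotOnOrAfter window agree with the
     receiving server's clock (optionally with a small skew tolerance)?
  2. Are all the claims the site expects present and non-empty?

The sample response below is constructed for this example, not captured
from a real IdP. No signature verification is performed.
"""
import base64
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Claim names as listed on the page; the attribute mapping is an assumption.
REQUIRED_CLAIMS = ("login_id", "firstname", "lastname", "email", "access")
OPTIONAL_CLAIMS = ("groups",)

# Constructed sample: minimal unsigned response, 5-minute validity window, no "email".
SAMPLE_RESPONSE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2024-01-01T12:00:00Z">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
    <saml:Issuer>https://idp.example.invalid</saml:Issuer>
    <saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:05:00Z"/>
    <saml:AttributeStatement>
      <saml:Attribute Name="login_id"><saml:AttributeValue>jdoe</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="firstname"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="lastname"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="access"><saml:AttributeValue>artist</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="groups">
        <saml:AttributeValue>vfx</saml:AttributeValue>
        <saml:AttributeValue>lighting</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
# With the HTTP-POST binding the browser submits this base64-encoded as SAMLResponse.
SAMPLE_SAMLRESPONSE_FIELD = base64.b64encode(SAMPLE_RESPONSE_XML.encode()).decode()


def _parse_saml_time(value):
    # SAML timestamps are xsd:dateTime in UTC with a trailing "Z".
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def decode_saml_response(field_value):
    """Decode the base64 SAMLResponse form field into an ElementTree root."""
    return ET.fromstring(base64.b64decode(field_value))


def extract_attributes(root):
    """Return {attribute Name: [values]} from the assertion's AttributeStatement."""
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = values
    return attrs


def check_claims(attrs):
    """List required claims that are missing or empty, and optional ones absent."""
    missing = [c for c in REQUIRED_CLAIMS if not any(attrs.get(c, []))]
    absent_optional = [c for c in OPTIONAL_CLAIMS if c not in attrs]
    return {"missing_required": missing, "absent_optional": absent_optional}


def check_validity_window(root, now, skew_tolerance=timedelta(0)):
    """Compare NotBefore / NotOnOrAfter with the receiver's clock `now` (UTC).

    Passing a drifted `now` reproduces the intermittent-failure symptom.
    Returns (ok, reason).
    """
    cond = root.find(".//saml:Conditions", NS)
    if cond is None:
        return False, "no Conditions element in assertion"
    not_before = cond.get("NotBefore")
    not_on_or_after = cond.get("NotOnOrAfter")
    if not_before and now + skew_tolerance < _parse_saml_time(not_before):
        return False, "not yet valid: receiver clock is %s before NotBefore" % (
            _parse_saml_time(not_before) - now)
    if not_on_or_after and now - skew_tolerance >= _parse_saml_time(not_on_or_after):
        return False, "expired: receiver clock is %s past NotOnOrAfter" % (
            now - _parse_saml_time(not_on_or_after))
    return True, "ok"


def diagnose(field_value, now, skew_tolerance=timedelta(0)):
    """Run both checks on a SAMLResponse field value and return a summary dict."""
    root = decode_saml_response(field_value)
    ok, reason = check_validity_window(root, now, skew_tolerance)
    summary = {"clock_ok": ok, "clock": reason}
    summary.update(check_claims(extract_attributes(root)))
    return summary


if __name__ == "__main__":
    idp_now = datetime(2024, 1, 1, 12, 1, 0, tzinfo=timezone.utc)
    print(diagnose(SAMPLE_SAMLRESPONSE_FIELD, idp_now))
    # A server whose clock runs six minutes fast rejects the same assertion as expired.
    print(diagnose(SAMPLE_SAMLRESPONSE_FIELD, idp_now + timedelta(minutes=6)))
```

To use it on a real capture, paste the SAMLResponse value from the browser plugin into `diagnose()` together with the server's current UTC time; a response that reports `clock_ok: False` on a correctly configured site points at clock drift rather than at the IdP configuration, and any name in `missing_required` is a claim the IdP is not sending.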

Some plugins we have used (not an exhaustive list):

If everything looks good on the SAML front, then double-check the IdP configuration. Copy and paste the URLs instead of typing them in, and double-check any values entered manually.

You can also open a Support ticket with us so that we can dig into the Flow Production Tracking Server logs to spot any helpful information.

To learn more, please see SSO in Flow Production Tracking: An Administrator’s guide and Single Sign-On configuration.

Why is Flow Production Tracking opening a new window when I log in?

Warning: this is only for versions of Flow Production Tracking older than 8.16.0.5225.

This is a situation that arises when your Flow Production Tracking site is configured to use Single sign-on (SSO).

When SSO is enabled, Flow Production Tracking periodically needs to connect to your Identity Provider (IdP) to ensure that your user information is up to date. This happens at login, and approximately every 4.5 minutes. It stops when you sign out.

In some special cases, the IdP may impose restrictions on the way the user information can be updated. When this occurs, we have to use a secondary window to achieve this goal. This is the situation that you are seeing.

Please keep this window open. Should you close it, Flow Production Tracking will re-open it when needed.

You may be asked to allow Flow Production Tracking to use pop-up windows. Flow Production Tracking will notify you and will not allow you to proceed until pop-ups have been allowed. Every browser has a different way of enabling pop-ups.

Usually browsers try to make this task easy, and there will likely be an icon in the address bar or a new button at the top of the page.

When you sign out, the smaller window should close automatically. If not, you can go ahead and close it.

I cannot see the SAML Authentication preferences on my Flow Production Tracking Hosted site after migrating from local to cloud

SAML Authentication preferences are no longer available for hosted sites and cannot be activated by Flow Production Tracking Support: these were part of the legacy Flow Production Tracking SSO offering, and are currently only used for Local Installs.

If you have a Premium subscription and would like your users to sign in to your Flow Production Tracking cloud site with their enterprise credentials, you can set up Autodesk SSO instead.

After migrating my email domain is set up with Autodesk SSO but I cannot see the Configure Single Sign On option in the Autodesk Identity Migration wizard

The Configure Single Sign On step for the Autodesk Identity Migration will only appear if your site was previously configured with Flow Production Tracking SSO. If that was not the case, please follow the Migration Steps for Flow Production Tracking Sites Without SSO.