Single Sign-On (SSO) Administrator’s Overview
This SSO documentation is intended for local installations only, and is considered legacy functionality. Local installations of Flow Production Tracking are no longer offered. This documentation is only for customers with existing instances of Flow Production Tracking Enterprise Docker. Click here for a list of our current offerings.
Single Sign-On (SSO) is used by organizations to centrally control access to applications and services. Please note that SSO integration in Flow Production Tracking is not trivial. An important part of the work is required at the Identity Provider (IdP) level. As a Flow Production Tracking Admin, you will need to work with your IdP Administrators to ensure that the required information is sent over, and in the proper format.
To use SSO, you must first contact support asking for an onboarding session with our Street team. Please ensure that you meet all of the requirements.
Requirements
In order to use legacy SSO in Flow Production Tracking, you need to meet the following criteria:
- Use an IdP that supports SAML 2.0. Currently, the following IdPs support SAML 2.0:
  - Active Directory Federated Services (AD FS)
  - Azure Active Directory Federated Services (Azure AD FS)
  - Ping Identity
  - Okta
  - OneLogin
  - G Suite's SAML applications
- Test your tools and workflow on a Staging site before we can enable SSO on your production site. If you do not have a Staging site, we can discuss how one can be set up for you.
- Attend a 60-minute online onboarding meeting with a representative of our Street team. At this meeting, both Flow Production Tracking and SSO Administrators need to be present. This meeting will go over the specifics of the setup and management of SSO in Flow Production Tracking. It is also an opportunity to ask questions before we proceed with the setup.
Constraints
Enabling SSO has a number of side effects. It is important for you to evaluate the impact of SSO on your production pipeline.
- SSO is an all-or-nothing option: If enabled, everyone will need to use it. If you have vendors or collaborators outside your company, they will also need to use SSO. Your IdP must be accessible by everyone who will need to log on to Flow Production Tracking. However, playlist sharing will continue to work as it did for the Client Review Site.
- The iOS Review App supports SSO starting at version 2.0.0. If it is essential to your workflow, you will need to update to the latest version.
- If you use RV, you will need to update to version 7.3.2 or later.
- If you use Flow Production Tracking Desktop, you will need to reinstall version 1.5.4 or later.
- If you use Flow Production Tracking Toolkit, you need to update to tk-core version 0.18.166 or later.
- If you use the Flow Production Tracking Python API or the Flow Production Tracking REST API, it will no longer be possible to connect to Flow Production Tracking using only a username and password. Your scripts will need to be modified. Our support team can provide help and advice.
  Note: Using an API Key and Script Name pair will still function and will not require changes to your scripts or applications.
- If you depend on internal tools or third party applications, you need to ensure that they support SSO. Your tools will likely need to be modified. Again, we can provide help and advice.
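To find the scripts affected by the Python API constraint above, the following added example (not part of the original documentation or of the product's own code) parses Python source and classifies each `Shotgun(...)` constructor call by authentication method. It assumes the scripts use the `shotgun_api3` package with its `login`/`password` and `script_name`/`api_key` arguments; the sample script and the verdict strings are constructed for illustration.

```python
import ast

# Keyword arguments of shotgun_api3.Shotgun(...) that select the auth method.
PASSWORD_KWARGS = {"login", "password"}
SCRIPT_KWARGS = {"script_name", "api_key"}


def _is_shotgun_call(node):
    """True for Shotgun(...) or <anything>.Shotgun(...) constructor calls."""
    func = node.func
    name = func.attr if isinstance(func, ast.Attribute) else getattr(func, "id", None)
    return name == "Shotgun"


def audit_source(source, filename="<script>"):
    """Return (filename, line, verdict) for every Shotgun(...) call in source."""
    findings = []
    for node in ast.walk(ast.parse(source, filename)):
        if not (isinstance(node, ast.Call) and _is_shotgun_call(node)):
            continue
        # **kwargs expansions have kw.arg == None and cannot be resolved statically.
        kwargs = {kw.arg for kw in node.keywords if kw.arg}
        if kwargs & PASSWORD_KWARGS:
            verdict = "username/password: must change before SSO"
        elif kwargs & SCRIPT_KWARGS or len(node.args) >= 3:
            # Positional form is Shotgun(base_url, script_name, api_key).
            verdict = "script name + API key: no change needed"
        else:
            verdict = "unknown auth: review manually"
        findings.append((filename, node.lineno, verdict))
    return sorted(findings)


# Constructed sample script, not taken from any real pipeline.
SAMPLE = '''
import shotgun_api3
a = shotgun_api3.Shotgun(URL, login="artist", password=PW)
b = shotgun_api3.Shotgun(URL, script_name="ingest", api_key=KEY)
c = shotgun_api3.Shotgun(URL, "ingest", KEY)
d = shotgun_api3.Shotgun(URL, **settings)
'''

if __name__ == "__main__":
    for fname, line, verdict in audit_source(SAMPLE, "sample.py"):
        print(f"{fname}:{line}: {verdict}")
```

Calls reported as "unknown auth" build their arguments dynamically and need a manual look before SSO is enabled on the Staging site.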
A few notes about user management
While using SSO makes it easier for users to access services without re-entering their credentials, the primary benefit of SSO is increased security. Users and privileges are managed centrally, ensuring that employees who should no longer access Flow Production Tracking cannot do so.
By default, Flow Production Tracking assumes that the IdP is the authoritative reference for information about the users. When a user connects to Flow Production Tracking, we will synchronize the information your Flow Production Tracking site has about that user with what the IdP provides. While logged on, the user will be automatically re-authenticated against the IdP. Should access to Flow Production Tracking be removed for that user, they will be automatically logged out of Flow Production Tracking at the time of re-authentication. This process happens roughly every 4.5 minutes.
Even with SSO enabled, the Flow Production Tracking Administrators will still need to manage users. It will be necessary to provide users access to projects, and optionally manage their permission group. When transitioning an existing site to SSO, it may be necessary to modify some user information to ensure a seamless transition.
While automatic provisioning is possible in Flow Production Tracking, it may not be the ideal option. Users created this way will likely not have the proper access to their Flow Production Tracking projects, resulting in support calls for the Administrators. You may want to create the users in Flow Production Tracking, as was done before, in order to ensure that they are assigned to the correct projects and have the proper Permission Group. Access to the Flow Production Tracking site itself is still managed at the IdP level.
Provisioning
When using automatic provisioning, user accounts are only created at the moment when the user first connects to the Flow Production Tracking site.
Automatic de-provisioning is not supported. When an employee leaves or is assigned to another project, their access to Flow Production Tracking should be removed. But the Flow Production Tracking user will stay present and active until an Administrator explicitly deactivates the account.
You will be charged for the user until it is deactivated.
To learn more, please see Single Sign-On configuration and Single Sign-On troubleshooting.