Share

Migrating to Identity - FAQ

Q. How can I tell if Authentication has been turned off?

An easy way to tell if Flow Production Tracking Authentication has been turned off is by looking at your Flow Production Tracking login page, where it will note that This Flow Production Tracking Site uses Autodesk Identity. Sign in to enter your credentials.

Autodesk Identity

Q. How can I tell when my site has been migrated if I am not an Administrator?

You will need to ask your Flow Production Tracking site Administrator for confirmation. However, as an end user, you can see if you've migrated to Autodesk Identity by referring to the previous question.

A site Administrator will be able to let you know if your site has been linked properly—see How can I tell if my site has been linked properly?

Q. What happens if users do not create an Autodesk Identity account?

If users do not create an Autodesk Identity account, they will be deactivated in Flow Production Tracking. Site Administrators will need to ensure they have enough seats purchased through https://manage.autodesk.com, then activate the user in Flow Production Tracking via the people page, and resend invite by right-clicking on the person via the people page.

Q. How can I tell if my site has been linked properly?

There are a couple of ways for Administrators to see when their Flow Production Tracking sites have been linked properly:

  1. You can visit https://shotgrid.autodesk.com/, and if the site is listed there, it has been linked properly.

  2. When a site has been linked correctly from https://manage.autodesk.com, site Administrators will see a seat count at the top left of the people page on their Flow Production Tracking site. The seat count can be seen by:

    • Any user with the Admin permission group (even if this permission role has been renamed)
    • Users with in permission roles that have the Access admin functionality turned on under Advanced permissions.

seat count

admin permission

Q. What is the impact of using Autodesk Identity for authentication in Flow Production Tracking Desktop, Create, RV and iOS Review?

Flow Production Tracking Desktop, Flow Production Tracking Create, RV, and iOS Review all support Autodesk Identity. If you have your own SSO configured with Autodesk Identity, it is also supported.

Q. How does SSO work with Autodesk Identity?

Enterprise SSO is supported by Autodesk Identity. However, you must be eligible to use SSO to configure it for your domain. The use of SSO is optional for Flow Production Tracking, but you can configure Flow Production Tracking to require it; this was the behavior before the transition to Autodesk Identity.

Q. Does 2FA work with Autodesk Identity?

Two-step verification is supported by Autodesk Identity at the user account level. Site administrators can configure Flow Production Tracking to require all users to use two-step verification; this was the behavior before the transition to Autodesk Identity.

Q. I have client users who access my Flow Production Tracking site to review and approve assets (on the Client Review Site). Are they required to use Autodesk Identity as well?

No. Client review workflows remain unchanged with the transition to Autodesk Identity.

Q. Do I need to access additional services, other than Flow Production Tracking, to authenticate with Autodesk Identity?

Yes. Authentication requires users to have access to the Autodesk Identity service, which relies on multiple sub-domains. If your studio restricts access to specific domains only, you must add *.autodesk.com to your allowed list. If your studio uses Enterprise SSO, you must also add autodesk-prod.okta.com.

Q. Is there a list of IP addresses I need to allow to access Identity/Account/Manage?

No. There is no fixed list of IP addresses. You must allow access to the *.autodesk.com domain, and optionally to autodesk-prod.okta.com if your studio uses Enterprise SSO.

Q. What happens to my scripts that use script_name/api_keys for authentication? Will they continue to work?

Yes. They will continue to work as they did previously, except they can no longer be used to set the status of a user to "Active"—only scripts authenticated using a username/password can activate users.

Q. What happens to my scripts that use username/password for authentication? Will they continue to work?

For those scripts to continue to work, you must configure your Personal Access Token in your Flow Production Tracking profile. This one-time operation allows all your scripts to work for your site afterwards. For more information, see Configure your Personal Access Token.

Q. Are there changes to the API behavior for my scripts that use script_name/api_keys to authenticate?

Yes. Scripts that use script_name/api_keys to authenticate will not be able to Activate users anymore. If the API tries to create a new Active user, that user is created as Inactive.

To activate a user, you must be logged in with your Autodesk Identity and use one of the following methods:

  • Logged in through the Flow Production Tracking user interface.
  • Logged in through scripts using username/password with a configured Personal Access Token.

When using sudo_as_user, you cannot use the target user to Activate other users—you must use your authenticated Autodesk Identity user to perform these operations.

Q. Are there changes in API behavior for my scripts that use username/password to authenticate?

Yes. You must configure your Personal Access Token; otherwise, your calls to the API will fail. Additionally, any call that sets users to Active will fail if there is no license available for that user.

Ensure to test for call success and failure in your scripts, and to handle failures accordingly. When using sudo_as_user (using Flow Production Tracking as another user), you cannot use the target user to Activate other users; you need to use your logged-in Autodesk Identity user to perform those operations.

Q. Is sudo_as_login being deprecated?

No. While its use within Flow Production Tracking remains unchanged, we cannot allow user A to impersonate user B outside that boundary. Inviting users and assigning licenses does fall outside the scope of Flow Production Tracking, and must be performed by the actual user.

Q. Does the change impact any custom permissions I have set up for particular Shotgun user roles and/or users?

No. Custom permissions do not change.

Q. Will the field login on HumanUser still used with Autodesk Identity to log in?

If you are using scripts that use username/password for authentication, the login field will be used in conjunction with the Personal Access Token.

Q. Can I use multiple users?

You can use the same Autodesk Identity user as multiple Flow Production Tracking users on the same site.

This usage pattern is recommended if you want to use multiple Flow Production Tracking users who all have different roles: for example one Admin user and one Artist user. To switch users, simply sign out of Flow Production Tracking and enter the site again where you will be presented with a user selector. When using the REST or Python APIs, use distinct legacy login names for each user.

You can also have more than one Autodesk Identity and use them on the same Flow Production Tracking site. However, with Autodesk Identity, you can be logged in as only one user at a time in a given browser. To switch users, you must first sign out of your Autodesk Identity profile.

Note:

Signing out of Flow Production Tracking does not sign you out of Autodesk Identity.

Q. Our users have their new invitation from the migration process—do we also need to send invitations through the Autodesk account?

No. Inviting and activating users through the Flow Production Tracking site (via the People page) will automatically generate the user within the Admin's Autodesk account (https://manage.autodesk.com/).

Q. Are there any changes to the Desktop tool and API after migrating—any new updates?

Ensure you have the minimum versions:

  • 1.5.3 of Flow Production Tracking Desktop
  • v2.1.5 of tk-framework-desktopstartup
  • v0.20.3 of tk-core

Q. Should we manage our users access for within the Autodesk account or site after migrating?

Manage user access through the Flow Production Tracking site. The Flow Production Tracking site will automatically deactivate, assign, and add users to and from your Autodesk account. Assigning a seat within the Autodesk account will not activate them in the site, but unassigning a seat from the Autodesk account will deactivate the user on the Flow Production Tracking site.

Q. Will my site URL change now?

As of now, your Flow Production Tracking site's URL will not change. Sites created before July 7th will retain their shotgunstudio.com affix. Newer sites get spun up with .shotgrid.autodesk.com affix.

Q. I cannot see the migration lock icon within my site—what can be the cause of this?

You have completed the migration and have already turned off Flow Production Tracking authentication.

If further issues comes up, please reach out to support for troubleshooting.

Q. Will there be any downtime for my artists during the sites migration?

There is no downtime during the migration. Once the site's legacy Flow Production Tracking login is deactivated, users will need to log back into their Flow Production Tracking site using an Autodesk ID. However the site will remain active.

Q. What will happen for users who have not created their Autodesk account when the studios migration process is in progress—will the migration process complete?

As long as an invitation was sent to a user, they will remain active on the site after Flow Production Tracking sign in has been turned off. A site can still migrate without the completion of their user's new Autodesk login. However, users within the site will still need to accept an invitation or be added to the new site for their account to map onto their Autodesk account. This site will also require an Autodesk account login for access.

Q. How do users get mapped to an existing active site and with the new creation of their Autodesk account?

Fully migrated Flow Production Tracking sites will link their active users' email to their Autodesk account and admin's product subscription. If users do not have an Autodesk account, an invitation will deliver prompting them to finish creating one. Invitations sent through the Flow Production Tracking site will ensure the artist's email is sync'd with access to the Flow Production Tracking site.

When a user is on an email domain which is configured with SSO, the user will not be prompted to complete their account, it will be fully created from the start.

Q. Are migrating a login and site and linking the site to an active subscription both mandatory steps?

Yes. Admins must fully deactivate their legacy Flow Production Tracking login for the site, and then link their site with an active Autodesk subscription.

Q. Are there any post-migration gateway setup needs for my site to remain unblocked by our firewall?

We advise IT and admins to allow-list the following URL and look over any network protocol relevant to you, here.

Was this information helpful?