Keeps randomly asking to log in after SSO is enabled for the site

We have SSO enabled for the site, but the problem is that the login dialog keeps popping up randomly once a day, asking us to log in with username and password, which is really annoying. And you have to do it for all applications: desktop, website, RV. Any reason why this is happening?

Hi Sun,

May I ask for clarifications? Is the undesired login prompt happening on the Shotgun web app, RV or Shotgun Desktop (or one of the applications started from the Shotgun Desktop)? Can you share the name of your Shotgun site (perhaps in a direct message to me or by opening a support ticket by writing to support@shotgunsoftware.com)? This is so I can look at its SSO configuration and see if there is something I can spot.

I am trying to ascertain if what you are seeing is a bug, due to a misconfiguration or if this is an unfortunate side-effect of using SSO.

First let me address the last part of your comment: the Shotgun Desktop, RV and the Web Application unfortunately do not share the same authentication process (and it would be difficult to achieve given limitations from the Browser, and the complexity of sharing between individual applications). This is why you must enter your credentials for each of them.

If you are using Windows, then the low-hanging fruit (my apologies if this is getting too technical) would be to use IWA authentication with your SSO backend. This means that users enter their credentials only once: when logging into their Windows machine at the beginning of their day. From that point on, they can connect to Shotgun, via Browser or SG Desktop or RV or Shotgun Create, without the need to enter their credentials. This requires your IT/Security team to do some non-trivial work. So this is dependent on your company, not on Shotgun itself.

As for using SSO… Do keep in mind that there are two sides to that coin: it makes (in theory) users' lives easier by not having to re-enter their credentials constantly or remember a plethora of usernames/passwords. But it also serves security purposes. One of which is to control session duration. When SSO is enabled for Shotgun, it no longer controls session duration. It defers to the SSO backend for that. So if the session duration is set to 2 hours, your corporate security department decided on that (for what I assume are good reasons). Shotgun has no choice but to respect that.

If everything is configured correctly in Shotgun, while RV / Shotgun Desktop / Shotgun Create / Shotgun Web Application is running, you should not have to re-authenticate. It is only when the application is closed and re-opened later on that you may be prompted for credentials.

This can be tested easily (assuming an SSO session duration of 2 hours):

  • Start RV (or one of the other apps)
  • Log in if needed
  • Close the application
  • If you:
    • Wait 115 minutes and re-start the application: you will not be prompted for your credentials.
    • Or wait for 125 minutes and re-start the application: you will be prompted for your credentials.

In that case, you should ask your Security team to extend the session duration, if possible.

Hoping this clarifies things a bit.

-Patrick

6 Likes