SG Desktop SSO login window not remembering preferences

We use SSO with Okta at WBA. Whenever I sign in with SG Desktop, the login flow never saves any of my preferences. My username, my preference for sending a push notification for Okta, nothing. So I have to do it all again every time I log in. This is a minor thing, but annoying nonetheless.

I’m not sure if this is an issue with the implementation of the SSO login flow in SG Desktop or if it’s the way our identity team has coded our login page. However, when signing in to other web sites, VPN, etc., the preferences are remembered fine, so it seems this is specific to SG Desktop.

Does anyone else using SSO experience this?

cheers,
kp

I’m surprised nobody else has commented on this. It’s so painful and I even watch our users grimace through this.

These are the steps one has to go through to log in every time. Cookies don’t get saved or read for some reason in the SG Desktop login window. And to be clear, this all works fine when logging in through the SG web app, so it seems to me to be SG Desktop that is the issue.

Screen 1 - Autodesk Identity Site

  • type in their email (Autodesk ID)

Screen 2 - Company SSO Login

  • type in their email
  • type in their password
  • click “Remember me” checkbox (which does nothing to remember anything)

Screen 3 - Company Okta 2FA

  • click “Send push notification automatically” checkbox (which does nothing for next time)
  • click “Send push notification” button for Okta push notification

It may not seem like a big deal, but even not having to retype your email and do 2 extra clicks to send a push notification every time would save so much anguish.

@patrick-hubert-adsk is there anything you all could do for this?

cheers,
kp

Hi @kporangehat

As you know, ShotGrid Desktop uses Qt’s WebEngine (based on Chromium) to show the login flow. This environment is different from regular browsers in subtle and mysterious ways.

As to why your email is not saved in your company SSO login page, someone on our side would need to be able to repro and investigate.

But I may have a way to lessen the pain a bit… But it depends on your site’s user base. 2 cases:

  1. All of the users have emails from your company email domain (e.g. everyone uses an @foobar.com email address).
  2. You have a mix of internal staff (with the @foobar.com emails) and external vendors/contributors with their own emails that your company does not own/control.

The easiest case is the first, where everyone has an email on the same domain. There is a change in the Site Preferences that can be done that will benefit all of the ShotGrid site users (when using the web and other SG-connected apps). In the Site Prefs, in the Advanced section, you will see this setting:

Just fill it in with your company domain. Then whenever connecting to SG, the initial Autodesk Identity page that asks your email will be skipped to bring you over directly to your company SSO system.

The downside of this setting: should you ever invite someone from outside the company, they will not be able to log in, as they would always be redirected to your SSO.

If your situation is the second one, then there is an environment variable that can be set in the SG Desktop user’s environment. There are actually 2 environment variables that may prove useful (they are mutually exclusive):

TK_SHOTGRID_SSO_DOMAIN:
This is to set the SSO domain for that specific machine user. This has a similar effect as the site preference mentioned earlier, but it only impacts that user and not all of the site’s users.

e.g. export TK_SHOTGRID_SSO_DOMAIN=foobar.com

TK_SHOTGRID_DEFAULT_LOGIN:
This can be used by external contributors, vendors or regular employees. It pre-fills the Autodesk Identity dialog box with the defined email, so you just need to click ‘NEXT’.
But you will still need to enter the SSO email field if prompted (if the remember me flag does not work)… But you can use the pre-filled value and copy-paste it. More of a hack, I know…

e.g. export TK_SHOTGRID_DEFAULT_LOGIN=firstname.lastname@foobar.com

Hoping this helps, and happy holidays

-Patrick
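
For the mixed user base described above (case 2), a launcher wrapper can pick exactly one of the two variables per user and clear the other. This is an added example, not part of the original posts and not ShotGrid's own code; `COMPANY_DOMAIN`, the function names and the sample addresses are assumptions.

```shell
#!/bin/sh
# Added example: set exactly one of the two SG Desktop SSO variables per user.
# COMPANY_DOMAIN is a constructed placeholder taken from the thread's sample domain.
COMPANY_DOMAIN="foobar.com"

# Print the single NAME=value assignment that fits this email address.
# Returns 1 and prints nothing if the address is not a plain user@domain string,
# so whitespace or shell metacharacters never reach the environment.
sg_sso_assignment() {
    email=$1
    case $email in
        *[!A-Za-z0-9._%+@-]*|*@*@*|@*|*@|'') return 1 ;;
        *@*) ;;
        *) return 1 ;;
    esac
    # Compare the domain part case-insensitively.
    domain=$(printf '%s' "${email#*@}" | tr 'A-Z' 'a-z')
    if [ "$domain" = "$COMPANY_DOMAIN" ]; then
        # Internal staff: go straight to the company SSO.
        printf 'TK_SHOTGRID_SSO_DOMAIN=%s\n' "$COMPANY_DOMAIN"
    else
        # External contributor: only pre-fill the Autodesk Identity email field.
        printf 'TK_SHOTGRID_DEFAULT_LOGIN=%s\n' "$email"
    fi
}

# Clear both variables first so a stale value can never leave both set
# (they are mutually exclusive), then export the one chosen for this user.
sg_sso_apply() {
    assignment=$(sg_sso_assignment "$1") || return 1
    unset TK_SHOTGRID_SSO_DOMAIN TK_SHOTGRID_DEFAULT_LOGIN
    export "$assignment"
}

# Typical use in a launcher script (address supplied by your own tooling):
#   sg_sso_apply "firstname.lastname@foobar.com" || echo "invalid email" >&2
```
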

I would like to add that it would be much better if SG desktop could open a web page in the default browser and get authenticated there (like github or other sites do).
That way our password managers would also work and it avoids any QT issues as well.

Hi @Ricardo_Musch

I totally agree with you, using the system browser instead of the Qt one makes total sense and allows re-use of valid Autodesk Identity sessions (based on the browser’s cookies) and allows seamless integration with password managers (and also authentication devices which require plugins which exist for most common browsers but not for Qt, such as YubiKey).

My suggestion to both you and @kporangehat is to make that request to your respective Autodesk CSM partner, so that they can raise the priority on that work.

-Patrick


How do I find out who our CSM partner is?

Hi @Ricardo_Musch

I would guess that one would need to create a support request for that… CSM partners exist only for major clients (those with EBAs and such, I guess). For those without a CSM, I would guess that the path for feature requests is via a support request.

Sorry for the vagueness… as a developer, I am very far from the support team and process. I admit that things were clearer to me when ShotGrid had its dedicated “Street support” team.

-Patrick
