If a user cannot access Rally via SSO (but they are on the exception list), when they click on a normal Rally link (not an SSO deep-link), it should take them to rally1.rallydev.com but now it takes them to our Rally specific Authenticate IDP SSO URL. This does not work for the Exception user?

Release : SAAS

Component : API FOR AGILE CENTRAL

When users access a deep link, there is no user information encoded in the link URL. In fact, there shouldn't be, since that could interfere with one user's ability to share a link to a Rally object with another user.

The id of the subscription is inferable from our links, which is how Rally decides how to authenticate an un-logged-in user accessing a deep link. If the sub's authentication policy is Rally-Only, they log in at the Rally login page, and if the policy is SSO-Only, they're directed to their IdP to log in.

The challenge comes with SSO-with-Exceptions mode, where the sub is nominally SSO, but any given user may be a direct-login exception. Without the user's id, there's no way to know whether the user accessing the link (while not logged in) is an exception or not.

The fix here uses a cookie leftover from the previous login on the browser ("_username" cookie) as a hint to try to identify SSO exception users. Doing this should fix the most common cause of this behavior, but if the user accessing the deep link wasn't the last logged-in user on that browser, it can't help.

The possible use-cases are:

The assumption is that in most cases, the last logged-in user will be the same as the current deep link user on a given browser.