Active Directory SSO aka Integrated Windows Login

(laktak) #1

I’ve pushed a simple IIS app to GitHub - laktak/discourse-sso: Single Sign On for Discourse with Active Directory that allows users to login using their Windows accounts without them having to enter their password.

The app has no UI except for an error page in case things go wrong.

Thanks @paully21 for the SSO code!


This is really useful for intranet use, thanks!
Combined with the offline installation instructions from How to install Discourse on an isolated CentOS 7 server and disabling local login, we now have our users transparently logged in with their Windows domain users on our secure corporate network (it even works in Chrome!).

Hopefully I can extend it to pull avatar pictures automatically from Sharepoint or some other source once I’m a bit more familiar with the code :slight_smile:


A tip for anyone struggling with restricting access to a specific AD group: Windows has a tendency to cache credentials and user tokens for a really long time. It seems to take up to an hour between adding or removing someone from an AD group and getting the correct results from the IIS web app after configuring the setting
<add key="Allow" value="DOMAIN\GROUP1,DOMAIN\GROUP2"/>

During my initial testing I wasn’t patient enough and wound up thinking the domain group stuff was broken, so when I got it to work and log people in with DOMAIN\Domain Users I just left it like that.

I recently tried again with a dedicated DOMAIN\Discourse Forum Users group and rebooted the IIS server after adding it; that made it work. I’m not an IIS expert, so I’m not sure how to tweak those access token cache periods correctly, but it will eventually update itself if you’re not in a hurry.
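The stale-group symptom above is usually the logon token, not the directory: a Windows token (and the Kerberos ticket it was built from) carries the group SIDs that were current at logon time, so a membership change does not show up until the user gets a fresh ticket and the server stops reusing the old token. As an added diagnostic, not part of laktak/discourse-sso, the PowerShell below takes an Allow list in the same DOMAIN\GROUP1,DOMAIN\GROUP2 format as the web.config key and reports, for each listed group, whether the running user's token contains it and whether the directory says the user is a member right now. The Allow value and the assumption that the app decides on token group membership are illustrative; run it as the user whose access you are debugging, on a domain-joined machine.

```powershell
# Added example (not the discourse-sso project's code): compare the group SIDs in
# the current logon token with a fresh directory lookup for the same account.
# Assumes an Allow list of DOMAIN\Group names, as in the web.config key.
param(
    [string]$Allow = 'DOMAIN\GROUP1,DOMAIN\GROUP2'   # constructed sample value
)

$wanted = $Allow -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }

# 1. Groups as recorded in the current logon token. This is what an
#    IsInRole-style check sees and is fixed at logon / ticket issue time.
$id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$tokenGroups = $id.Groups | ForEach-Object {
    try { $_.Translate([System.Security.Principal.NTAccount]).Value } catch { $_.Value }
}

# 2. Groups according to the domain right now, including nested membership.
Add-Type -AssemblyName System.DirectoryServices.AccountManagement
$ctx  = New-Object System.DirectoryServices.AccountManagement.PrincipalContext('Domain')
$user = [System.DirectoryServices.AccountManagement.UserPrincipal]::FindByIdentity($ctx, $id.Name)
if (-not $user) { throw "Account $($id.Name) not found in the domain" }
$liveGroups = $user.GetAuthorizationGroups() | ForEach-Object {
    try { $_.Sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $_.Sid.Value }
}

# 3. One row per Allow entry. InAD = True with InToken = False means the
#    membership change has not reached this user's token yet.
foreach ($g in $wanted) {
    [pscustomobject]@{
        Group   = $g
        InToken = [bool]($tokenGroups -contains $g)
        InAD    = [bool]($liveGroups -contains $g)
    }
}
```

If a row shows InAD True but InToken False, the fix is to refresh the token rather than to wait: on the client, `klist purge` followed by a log off and log on (or a lock/unlock with a new ticket) picks up the new membership, and on the IIS side recycling the application pool drops any tokens it has been reusing, which is the effect the reboot above had.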