@sigurdur Thanks, that helps. I had the following enabled
sso overrides email
sso overrides username,
sso overrrides name
which caused whomever to come in via SSO to impersonate my account. Their avatar would appear on my old posts etc.
Since I disabled that, the problem is clearer but not resolved. Whoever logs into my main site and then goes to discourse via SSO logs in as my account.
I need to look closer at my sso implementation to see what’s going wrong, but the following line is clearly wrong:
“&external_id=” + HttpUtility.UrlEncode(theCurrentUser.ToString()) +