All my SSO Users have admin privileges


I’ve got SSO up and running but when a user logs in on my website and then clicks a link to get to my discourse site, they are given Admins, Moderators, Staff, and Trust Level 0 - Trust Level 4. Can anybody tell me how to prevent this from happening?


(Sigurður Guðbrandsson) #2

Did the user’s e-mail have an admin account before he used SSO?

(Sam Saffron) #3

are you specifying that they are admins in your SSO payload?

Creating new admin users via SSO

No they didn’t, in fact they didn’t even have a discourse account. I must have a bug in my SSO implementation since strange things are happening.

Here are a couple of questions that may help me get my head around this.

  1. If a user signs up on my main site and then clicks on the link to go my discourse site, are they automagically created as users in discourse?

  2. Does the Active tab under users show all users or just users that are currently logged in? If its the latter, where can I find all users?



@sam I don’t think so, I’m a dnn implementation and here’s my payload code:

avatarInfo = “&avatar_force_update=1”;
avatarInfo += “&avatar_url=” + HttpUtility.UrlEncode(“” + s.AvatarUrl);

string returnPayload = “nonce=” + HttpUtility.UrlEncode(nonce) +
"&email=" + HttpUtility.UrlEncode(theCurrentUser.Email) +
"&external_id=" + HttpUtility.UrlEncode(theCurrentUser.ToString()) +
"&username=" + HttpUtility.UrlEncode(theCurrentUser.Username) +
"&name=" + HttpUtility.UrlEncode(theCurrentUser.DisplayName) + avatarInfo;

(Sigurður Guðbrandsson) #6

If you have SSO enabled and your SSO implementation allows the user, then yes.

The users under Active are the ones that are not blocked or suspended.


@sigurdur Thanks, that helps. I had the following enabled
sso overrides email
sso overrides username,
sso overrrides name
sso-overrides avatar

which caused whomever to come in via SSO to impersonate my account. Their avatar would appear on my old posts etc.

Since I disabled that, the problem is clearer but not resolved. Whoever logs into my main site and then goes to discourse via SSO logs in as my account.

I need to look closer at my sso implementation to see what’s going wrong, but the following line is clearly wrong:

“&external_id=” + HttpUtility.UrlEncode(theCurrentUser.ToString()) +


That was it, I had a cut and paste error refactoring code. It should be

“&external_id=” + HttpUtility.UrlEncode(theCurrentUser.UserID.ToString()) +

(Kane York) #9

Yep, your SSO side was giving the same external_id for them as for you, so it looked for the external_id existing, and it found one! Which was your account.

You’ll have to go in the DB and nuke all the external_id records. And then probably delete the new admin accounts, because they share your email and are taking up the username.


@riking will do, thanks!

(Kane York) #11

Actually, if all your work has been on the settings, might be simpler to just toss out the database and do a rebuild to get a fresh database.

(Andrew Huling) #12

@sam How do you specify them as admins in your SSO payload? I’d like to do this and it seems like it’s possible but I’m not clear on what to include in my payload to make it happen.

(Sigurður Guðbrandsson) #13

You can set admin: true in your payload…

More info here:

Creating new admin users via SSO
(Andrew Huling) #14

Thank you @sigurdur for the confirmation that it can be done. I tried that with Python and it was admin: True as a result. Using a lower-case string solved the problem.