Allow extra metadata from Single Sign On

(Brad Huber) #1

Maybe this already exists, but based on the SSO example, you can only send data back to Discourse like username or email… I’d like to also be able to set things like admin and moderator privileges, or even user level based on various conditions on our site (like setting a user’s level to 3 if they’re a paid subscriber on our site).

Is this possible?

(Kane York) #2

SSO can actually provide values for “custom fields”, but I don’t remember the syntax right now.

However, the privileges setting is not implemented - it should be possible with API calls, though. (Basically, your main site issues commands as an admin.)
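The provider side of an SSO login that sends extra fields, added here as an example (not part of the thread and not Discourse's own code). It assumes Discourse's SSO wire format (a base64 payload signed with HMAC-SHA256 under the shared secret) and the `custom.<name>` key prefix for custom fields; the secret, field name and URLs are constructed.

```ruby
require "openssl"
require "uri"

SSO_SECRET = "constructed-example-secret" # stands in for the shared SSO secret

# HMAC-SHA256 over the base64 payload, hex encoded.
def sign(payload_b64, secret = SSO_SECRET)
  OpenSSL::HMAC.hexdigest("SHA256", secret, payload_b64)
end

# Constant-time comparison: do not leak how many leading characters matched.
def valid_sig?(payload_b64, sig, secret = SSO_SECRET)
  expected = sign(payload_b64, secret)
  given = sig.to_s
  return false unless given.bytesize == expected.bytesize
  expected.bytes.zip(given.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Verify the forum's request, then build the signed response for `user`.
# Each entry of `custom` is sent as "custom.<name>" (assumed key syntax).
def build_response(request_b64, request_sig, user, custom = {})
  raise ArgumentError, "bad SSO signature" unless valid_sig?(request_b64, request_sig)
  request = URI.decode_www_form(request_b64.unpack1("m")).to_h
  fields = {
    "nonce" => request.fetch("nonce"), # echoed back; ties response to request
    "external_id" => user[:id].to_s,
    "email" => user[:email],
    "username" => user[:username]
  }
  custom.each { |name, value| fields["custom.#{name}"] = value.to_s }
  payload_b64 = [URI.encode_www_form(fields)].pack("m0")
  { sso: payload_b64, sig: sign(payload_b64), return_url: request["return_sso_url"] }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed request, shaped as the forum would send it.
  req = ["nonce=abc123&return_sso_url=https%3A%2F%2Fforum.example%2Fsession%2Fsso_login"].pack("m0")
  user = { id: 42, email: "alice@example.com", username: "alice" }
  resp = build_response(req, sign(req), user, { "paid_subscriber" => true })
  puts "#{resp[:return_url]}?#{URI.encode_www_form({ 'sso' => resp[:sso], 'sig' => resp[:sig] })}"
end
```

Everything in the payload is trusted on the strength of the signature alone, so whoever holds the shared secret can set these fields for any user.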

(Timo Laine) #3

I would like this as well.

Also, it would be nice to be able to set user groups on first login. What I do now is to set them via API in an SSO login script, but this only works for the users that already exist in Discourse, i.e. users that have already logged in at least once.

(Michael Downey) #4

Agreed. This may be an edge case because many people don’t use SSO, but for those that do, I imagine it’s a pretty universal need.

(Adam Capriola) #5

You can get around this by setting a delay on the API call (i.e. wait 20 seconds before syncing permissions). That ensures the user will have an account created before you try to map their groups.

(Brad Huber) #6

Yeah, I think I’m going to check if a user exists in Discourse, and if they do, just run the code to set their groups, and if they don’t, enqueue setting the user groups in our delayed job queue. This should give it about 30-60 seconds before it runs, and the user will be logged in.

edit: Though, on second thought, I’m not sure I want to risk any race conditions of two jobs overwriting each other. Maybe I’ll just run a batch job every few hours to compare Discourse users to my userbase?

I dunno, I feel like there’s no good answer until we can do it via SSO.

(Timo Laine) #7

Thanks for the suggestion! I think this would probably work, although there is still the problem that (depending on the delay) the user might not be in the right groups immediately after login.

The problem I am facing is that many of our users seem to give up when they don’t see what they expect to see right away. Most of our categories require group memberships, and when people don’t get what they expect right away, they seem very quick to conclude that the forum is broken and give up. They don’t wait, they don’t read the instructions, they just move on.

Also, I agree with @daybreaker that this just seems to be something that should have built-in support in Discourse SSO.