Trying to auto-create accounts when using the SAML plugin

Continuing the discussion from SAML plugin in repo. Multisite

I tried using the following with the SAML plugin so that an account is created automatically once a user has authenticated successfully, so that the user never sees the login dialog and cannot change their email, username and name. I would rather users had no control over those settings and that they were set automatically from the SAML authentication.

My app.yml file contains the following:

  ...
  # Force fullName attribute from SAML assertion to override name attribute so that
  # the user's full name will be mapped to Discourse's Name field and will help
  # augment the numeric User Name field on posts.
  DISCOURSE_SAML_ATTRIBUTE_STATEMENTS: "name:fullName"

  DISCOURSE_SAML_AUTO_CREATE_ACCOUNT: true
  ...

When I tested this, I saw the following error in the logs:

Completed 500 Internal Server Error in 175ms (ActiveRecord: 0.0ms)
ActiveRecord::NotNullViolation (PG::NotNullViolation: ERROR:  null value in column "uid" violates not-null constraint
DETAIL:  Failing row contains (2, 3, null, saml, user@company.com, Smith, John, 2019-06-03 21:40:55.44066, 2019-06-03 21:40:55.44066).
: INSERT INTO "oauth2_user_infos" ("user_id", "provider", "email", "name", "created_at", "updated_at") VALUES (3, 'saml', 'user@company.com', 'Smith, John', '2019-06-03 21:40:55.440660', '2019-06-03 21:40:55.440660') RETURNING "id")
/var/www/discourse/vendor/bundle/ruby/2.6.0/gems/rack-mini-profiler-1.0.2/lib/patches/db/pg.rb:69:in `async_exec_params'
Failed to handle exception in exception app middleware : PG::NotNullViolation: ERROR:  null value in column "uid" violates not-null constraint
DETAIL:  Failing row contains (2, 3, null, saml, user@company.com, Smith, John, 2019-06-03 21:40:55.44066, 2019-06-03 21:40:55.44066).
: INSERT INTO "oauth2_user_infos" ("user_id", "provider", "email", "name", "created_at", "updated_at") VALUES (3, 'saml','user@company.com', 'Smith, John', '2019-06-03 21:40:55.440660', '2019-06-03 21:40:55.440660') RETURNING "id"

Any suggestions? Do I need to configure the plugin to force the "uid" to be set from a particular attribute in the SAML assertion?

With DISCOURSE_SAML_AUTO_CREATE_ACCOUNT set to false or absent, SAML-based authentication works fine, but users see the dialog in which they can modify their email, username and name.

Problem has been solved. We had inadvertently removed the "nameid" from the SAML response in the ADFS IdP configuration. Once we added that back in, the auto create account feature worked fine!

With both the create account option set to true and the other settings shown below in our app.yml, we’re able to avoid having both login dialog windows being displayed. Now new users just click “Login”, authenticate via the IdP and then are put into their new Discourse account all without being able to override username, name and email address in an intervening dialog.

Once a user gets into Discourse, they cannot edit their email address, but we are allowing them to change their username so that they can have a more recognizable “nickname” in @ mentions and such.

  ...
  # Force fullName attribute from SAML assertion to override name attribute so that
  # the user's full name will be mapped to Discourse's Name field and will help
  # augment the numeric User Name field on posts.
  DISCOURSE_SAML_ATTRIBUTE_STATEMENTS: "name:fullName"

  DISCOURSE_SAML_AUTO_CREATE_ACCOUNT: true
  ...
  - exec: rails r "SiteSetting.login_required=true"
  - exec: rails r "SiteSetting.enable_local_logins=false"

  - exec: rails r "SiteSetting.email_editable=false"

  - exec: rails r "SiteSetting.display_name_on_posts=true"
  - exec: rails r "SiteSetting.prioritize_username_in_ux=true"
  ...
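The null "uid" in the log above is the value Discourse takes from the assertion's NameID, so the failure is easy to catch before the plugin ever hits the database. The following is an added example, not code from the original post or from the discourse-saml plugin: it parses a SAML Response and reports whether the NameID and the attributes the app.yml above relies on (email and fullName) are present. The sample responses it builds are constructed, not captured from a real IdP.

```python
# Added example: pre-flight check of a SAML Response for the values that
# DISCOURSE_SAML_AUTO_CREATE_ACCOUNT needs. A missing <saml:NameID> is what
# surfaced as the null "uid" NotNullViolation in the post above.
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

def check_saml_response(xml_text):
    """Return {'name_id': str|None, 'attributes': {name: [values]}, 'problems': [str]}."""
    # ElementTree keeps this stdlib-only; for untrusted input use defusedxml instead.
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return {"name_id": None, "attributes": {}, "problems": ["no <saml:Assertion>"]}
    problems = []
    name_id_el = assertion.find("saml:Subject/saml:NameID", NS)
    name_id = (name_id_el.text or "").strip() if name_id_el is not None else ""
    if not name_id:
        problems.append("missing or empty NameID (Discourse uid would be null)")
    attrs = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = values
    # The app.yml mapping "name:fullName" means fullName must be in the assertion.
    for required in ("email", "fullName"):
        if not attrs.get(required):
            problems.append(f"missing attribute {required}")
    return {"name_id": name_id or None, "attributes": attrs, "problems": problems}

def sample_response(with_name_id):
    """Constructed SAML Response; with_name_id=False mimics the broken ADFS config."""
    subject = ('<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">'
               'user@company.com</saml:NameID>') if with_name_id else ""
    return f'''<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject>{subject}</saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="email"><saml:AttributeValue>user@company.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="fullName"><saml:AttributeValue>Smith, John</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>'''

if __name__ == "__main__":
    for flag in (True, False):
        print("with NameID" if flag else "without NameID", check_saml_response(sample_response(flag))["problems"])
```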