Authenticate with SAML gives hashed username and e-mail

Hello,

I would like to authenticate the users of my installation of Discourse with our University SAML.

I’m using the docker version of Discourse with the SAML plugin. I’ve tried to follow the instructions on the GitHub site of this plugin.

Everything works fine until I see the following form:


Where I would have expected to see a regular e-mail address I now see a hex value, which I presume to be the hashed form of the e-mail address. I cannot continue the authentication process with these values.

Any help on this topic would be greatly appreciated!

Kind regards,
Ronald


Hello Ronald :slight_smile: :wave: really glad to see more and more Universities joining the Discourse family :smiley:

You have quite an interesting issue! My SAML/SSO fu isn’t strong so I am not sure what is happening here, but can you try enabling the verbose sso logging site setting? It would help show some useful errors on /logs and maybe say why you’re getting this issue or tell you something more specific that you can share here and we can better help.


My guess (and my experience with saml is limited, I think I’ve only once helped someone configure it) is that the issue is on the saml side. It’s either configured to send the hash or you’re somehow using the wrong field.


Thank you very much for your speedy reply!

After setting the sso logging to verbose, this is what I found in the production.log:

Started GET "/session/csrf" for <IP> at 2020-07-24 14:32:51 +0000
Processing by SessionController#csrf as JSON
Completed 200 OK in 1ms (Views: 0.1ms | ActiveRecord: 0.0ms | Allocations: 321)
Started POST "/auth/saml" for <IP> at 2020-07-24 14:32:51 +0000
(saml) Request phase initiated.
Started POST "/auth/saml/callback" for <IP> at 2020-07-24 14:33:23 +0000
(saml) Callback phase initiated.
Processing by Users::OmniauthCallbacksController#complete as HTML
  Parameters: {"SAMLResponse"=>"<SNIP>", "provider"=>"saml"}
Redirected to https://discourse-imphys.tudelft.nl/
Completed 302 Found in 24ms (ActiveRecord: 0.0ms | Allocations: 10562)
Started GET "/" for <IP> at 2020-07-24 14:33:24 +0000
Processing by ListController#latest as HTML
  Rendering list/list.erb within layouts/application
  Rendered list/list.erb within layouts/application (Duration: 3.8ms | Allocations: 1991)
  Rendered layouts/_head.html.erb (Duration: 1.9ms | Allocations: 911)
  Rendered common/_discourse_stylesheet.html.erb (Duration: 0.4ms | Allocations: 267)
  Rendered application/_header.html.erb (Duration: 2.2ms | Allocations: 1022)
Completed 200 OK in 34ms (Views: 13.1ms | ActiveRecord: 0.0ms | Allocations: 15963)
Started GET "/u/hp.json" for <IP> at 2020-07-24 14:33:24 +0000
Processing by UsersController#get_honeypot_value as JSON
Completed 200 OK in 2ms (Views: 0.2ms | ActiveRecord: 0.0ms | Allocations: 812)
Started GET "/u/check_username?username=&email=94422472fbfb32fdd22eaa2f88c723fb44be9958" for <IP> at 2020-07-24 14:33:25 +0000
Processing by UsersController#check_username as JSON
  Parameters: {"username"=>"", "email"=>"94422472fbfb32fdd22eaa2f88c723fb44be9958"}
Completed 200 OK in 1ms (Views: 0.2ms | ActiveRecord: 0.0ms | Allocations: 316)
Started GET "/u/check_username?username=94422472fbfb32fdd22e&email=94422472fbfb32fdd22eaa2f88c723fb44be9958" for <IP> at 2020-07-24 14:33:25 +0000
Processing by UsersController#check_username as JSON
  Parameters: {"username"=>"94422472fbfb32fdd22e", "email"=>"94422472fbfb32fdd22eaa2f88c723fb44be9958"}
Completed 200 OK in 3ms (Views: 0.2ms | ActiveRecord: 0.0ms | Allocations: 1421)

I’ve replaced the cert with <SNIP> and my IP address with <IP>.


Thanks for the quick reply!

That might also be the case! I will contact the SAML issuer and inform about the hashing…


Yup! You can clearly see that SAML is sending a hash of the email and the username.

I think that there is some configuration where you map the SAML fields to the Discourse ones, so it’s conceivable that there is something you can change on the Discourse side to fix it.


After more research I found that the ‘hashed’ code in the registration form is actually the NameID sent by the IdP. In the configuration of SAML on the IdP I’ve also enabled the following attributes:

  • Display Name: urn:mace:dir:attribute-def:displayName
  • Full Name: urn:mace:dir:attribute-def:cn
  • Email address: urn:mace:dir:attribute-def:mail
  • User ID: urn:mace:dir:attribute-def:uid

It is confirmed by a third party that these attributes are actually sent by the IdP. But for some reason the values of these attributes are not used in the registration form of Discourse (as shown earlier). I assumed that in the form:

  • Email would have the value of urn:mace:dir:attribute-def:mail;
  • Username the value of urn:mace:dir:attribute-def:mail and
  • Name either the value of urn:mace:dir:attribute-def:displayName (preferably) or urn:mace:dir:attribute-def:cn

Is there some way I can configure Discourse-SAML to map these attributes right?

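To illustrate the point of the post above (the opaque NameID landing in the form when the mail/uid/displayName attributes are not mapped), here is an added example in Ruby; it is not discourse-saml's own code but a simplified model of an SP choosing form fields from an assertion, and the assertion, the e-mail, the name and the fallback-to-NameID behaviour are constructed assumptions, while the attribute URNs are the ones listed in the post:

```ruby
# Added example (not the discourse-saml plugin's code): a simplified model of
# how an SP fills email/username/name from a SAML assertion, and why an
# unmapped field shows the opaque persistent NameID instead of the address.
require 'rexml/document'

SAML_NS = { 'saml' => 'urn:oasis:names:tc:SAML:2.0:assertion' }.freeze

# Constructed sample assertion (unsigned, trimmed to what the mapping needs).
# The NameID is the hex value from the thread; address and names are made up.
SAMPLE_ASSERTION = <<~XML
  <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">94422472fbfb32fdd22eaa2f88c723fb44be9958</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="urn:mace:dir:attribute-def:mail">
        <saml:AttributeValue>r.example@university.invalid</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="urn:mace:dir:attribute-def:displayName">
        <saml:AttributeValue>Ronald Example</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="urn:mace:dir:attribute-def:uid">
        <saml:AttributeValue>rexample</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
XML

# Returns { name_id: String, attributes: { attribute Name => [values] } }.
def parse_assertion(xml)
  doc = REXML::Document.new(xml)
  node = REXML::XPath.first(doc, '//saml:NameID', SAML_NS)
  name_id = node ? node.text.to_s.strip : ''
  attributes = Hash.new { |h, k| h[k] = [] }
  REXML::XPath.each(doc, '//saml:Attribute', SAML_NS) do |attr|
    name = attr.attributes['Name']
    REXML::XPath.each(attr, 'saml:AttributeValue', SAML_NS) do |v|
      attributes[name] << v.text.to_s.strip
    end
  end
  { name_id: name_id, attributes: attributes }
end

# mapping: which attribute Name feeds each form field. A field with no mapping
# (or whose attribute is absent) falls back to the NameID, as modelled here.
def map_user_fields(assertion, mapping)
  %i[email username name].to_h do |field|
    attr_name = mapping[field]
    value = attr_name && assertion[:attributes][attr_name].first
    [field, value || assertion[:name_id]]
  end
end

# Diagnostic: a long bare hex string is an opaque identifier, not an address.
def opaque_name_id?(value)
  value.match?(/\A\h{20,}\z/)
end
```

With an empty mapping every field comes out as the 40-character hex NameID, which is exactly what the registration form in the first post showed; with the three URNs mapped, the real address, uid and display name are used.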

Hello @ronligt, any success in mapping the right attributes via discourse-saml configs?

I’ve been trying to use this config in the plug-in, but no luck so far:

Screenshot 2023-05-03 at 08.27.45

Have a good one! :slight_smile: