I run an independent Discourse community, https://physicswithethan.discourse.diy, which previously allowed institutional email addresses and external SSO.
I now want to move toward ordinary local Discourse accounts using personal email addresses, and avoid relying on institutional SSO or institutional email domains for new registrations.
The issue I am trying to handle safely is account continuity and impersonation risk:
- many existing users have an institutional email address as their primary email;
- I would like new users to use personal email addresses instead;
- I want to avoid people registering accounts using someone else’s name or institutional email address;
- I also want to avoid unsafe or manual account merges unless there is clear evidence the same person controls the relevant accounts/emails.
What is the recommended Discourse-native approach here?
For example, is the best pattern:
- re-enable local logins;
- disable the external SSO provider;
- add the institutional domain to blocked email domains for new registrations;
- add a site notice asking existing users to update their primary email to a personal address;
- use manual approval / review for suspicious new accounts;
- only merge accounts where the user has verified control of both accounts or email addresses?
I am especially interested in avoiding a setup where a user can trigger emails to someone else’s institutional mailbox, or create a misleading account in another person’s name.
Are there existing settings or workflows that people recommend for this kind of transition?
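
An added example, not part of the original post and not Discourse's own code: a small audit sketch for the transition described above that finds accounts whose primary email is still on an institutional domain (matching subdomains but not look-alike domains) and gates a merge on verified control of both accounts. The domain `institution.example`, the CSV columns, and the `confirmed_by` set are assumptions made for illustration.

```python
import csv
import io

# Placeholder: the post does not name the institutional domain.
INSTITUTIONAL_DOMAINS = {"institution.example"}

# Constructed sample data; column names are hypothetical, not a Discourse export format.
SAMPLE_USERS = """username,primary_email,email_verified
alice,alice@institution.example,true
alice2,alice@personal.example,true
bob,Bob@Physics.Institution.Example,true
carol,carol@notinstitution.example,true
dave,dave@institution.example,false
"""

def email_domain(address):
    """Return the lower-cased domain part, or None if the address is malformed."""
    local, sep, domain = address.strip().rpartition("@")
    if not (sep and local and domain):
        return None
    return domain.lower().rstrip(".")

def is_institutional(address, blocked=INSTITUTIONAL_DOMAINS):
    """Match the domain itself and its subdomains, but not look-alike suffixes."""
    domain = email_domain(address)
    return domain is not None and any(
        domain == b or domain.endswith("." + b) for b in blocked)

def load_users(text):
    """Parse the CSV into a dict keyed by username, with a boolean verified flag."""
    users = {}
    for row in csv.DictReader(io.StringIO(text)):
        row["email_verified"] = row["email_verified"].lower() == "true"
        users[row["username"]] = row
    return users

def needs_email_update(users):
    """Usernames whose primary email is still on an institutional domain."""
    return sorted(u for u, r in users.items() if is_institutional(r["primary_email"]))

def merge_allowed(users, source, target, confirmed_by):
    """Allow a merge only if both accounts have verified emails and the
    request was confirmed from inside both accounts (hypothetical workflow)."""
    both_verified = all(users[u]["email_verified"] for u in (source, target))
    return both_verified and {source, target} <= set(confirmed_by)

if __name__ == "__main__":
    users = load_users(SAMPLE_USERS)
    print(needs_email_update(users))
    print(merge_allowed(users, "alice", "alice2", {"alice", "alice2"}))
```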