Can you change SSO providers?

We went live on Discourse about two years ago, and we are using SSO from our main back office system as the authentication provider. It uses an external id (GUID).

We’re getting ready to change our main back office system to another vendor. They support OAuth2/OpenID, but when we convert to this new system, our users’ external ids (GUID) will change. So I’m wondering if others have been down this road and if I’ll have to somehow do a mass update of the external ids currently stored in our Discourse?

1 Like

You should be fine as long as the email address for a user remains the same.

5 Likes

Thanks, unfortunately, I’m getting the error that the “primary email has already been taken” when I test out my new SSO provider.

And I have this setting in place:

image

That’s because you’re trying to sign up when you should be logging in (since the account already exists).

But I’m not trying to sign up. I am arriving at the home page, and next I click on “Log In”; I get my SSO provider’s login page, which I can successfully authenticate with, but after entering my password I arrive at the “let’s create your account” page, even though I never clicked on “Sign Up”.

I also have these settings in place that I think should be appropriate.

For troubleshooting, I’d start with only the required settings. Please confirm that a user with that email exists on both sides.

Did you fill in that email manually on Discourse, or was it automatically populated by the SSO server?

What I believe may be happening here is that the email is associated with a different username on Discourse and your SSO server is sending a new username, causing this conflict.

Do you have anything in the Discourse logs related to SSO? It might be helpful in identifying the exact cause of this problem.

1 Like

Thanks. I verified that I can disable SSO/OpenID in Discourse and log in with that same email address into Discourse. I have verified that those same credentials work with my SSO provider.

When I re-enable OpenID in Discourse, I successfully authenticate via my SSO provider but then I still end up at the Discourse screen where it wants to create an account. All three values on that screen (email, username and full name) are automatically populated by the SSO provider.

And I tried turning off all of those settings above, but no change in this behavior.

1 Like

Could you go to discourse.example.com/logs and check if there are any warnings or errors related to SSO?

1 Like

Thanks, yeah, no SSO errors, and no OIDC errors. And I have the verbose logging for OpenID turned on too.

1 Like

Sorry, I do not have any suggestions right now. Will reply if I find something.