Configure OneLogin's SAML for Discourse

techAPJ · August 18, 2017, 7:56am

Here’s how to configure Discourse to allow login and registration with OneLogin’s SAML.

Configure OneLogin

Create OneLogin account

Go to OneLogin and create an account.

Create new app: SAML Test Connector (IdP w/attr)

From your dashboard create new app.

Search for SAML Test Connector (IdP w/attr)

Configure app

Let’s assume that the URL of our Discourse instance is http://discourse.example.com. Let’s configure it.

Switch to Configuration tab and fill out these details:

Audience: http://discourse.example.com
Recipient: http://discourse.example.com/auth/saml/callback
ACS (Consumer) URL Validator: ^http:\/\/discourse\.example\.com\/auth\/saml\/callback\/$
ACS (Consumer) URL: http://discourse.example.com/auth/saml/callback

Copy certificate info and SAML 2.0 Endpoint

Switch to SSO tab.

Click on View Details link under certificate and copy SHA fingerprint and X.509 Certificate. Note them down, it will be used when configuring Discourse app.

Copy and note SAML 2.0 Endpoint (HTTP) URL.

Configure Discourse

Install `discourse-saml` plugin

Follow this guide to install discourse-saml plugin.

Configure `discourse-saml` plugin

Edit app.yml

cd /var/discourse
vim containers/app.yml

and add these variables under env section:

DISCOURSE_SAML_TITLE: "Example SAML"
DISCOURSE_SAML_TARGET_URL: {SAML 2.0 Endpoint URL}
DISCOURSE_SAML_LOG_AUTH: "true"
DISCOURSE_SAML_CERT_FINGERPRINT: {SHA fingerprint}
DISCOURSE_SAML_CERT: {X.509 Certificate without line breaks}

replace {SAML 2.0 Endpoint URL} with SAML 2.0 Endpoint URL copied from OneLogin SSO tab
replace {SHA fingerprint} with SHA fingerprint copied from OneLogin SSO tab → Certificate section
replace {X.509 Certificate without line breaks} with X.509 Certificate copied from OneLogin SSO tab → Certificate section, note that there must be no line breaks and remove begin and end marker

Rebuild app

For changes to take effect rebuild app

cd /var/discourse
./launcher rebuild app

Voila!

You should be able to login now using OneLogin’s SAML.

ahmed_alamiry · May 14, 2018, 8:38am

I followed all the steps, but when I authenticate with saml it gives me this message "Sorry, there was an error authorizing your account. Perhaps you did not approve authorization? "

anon20593648 · June 14, 2018, 7:39am

Is there a way to remove the

Create New Account

Button that still appears when using OneLogin?

supermathie · June 21, 2018, 2:58pm

Is the goal to force all users to authenticate via SAML?

If so, disabling Local Logins will accomplish this.

mugua · April 1, 2019, 8:47am

Why I got an error using this course ?

mugua · April 1, 2019, 8:49am

changed: no nginx, just docker(http force to https)

mugua · April 4, 2019, 8:06pm

@techAPJ Could you help to give a solution for this problem?

you can contact me via this post or my email. Thanks very much!

I used https(force http to https, just docker,no nginx proxy)

the error was as below:

codinghorror · April 4, 2019, 9:38pm

We only directly support people who purchase a hosting package on our hosting platform. Did you wish to purchase a hosting plan? www.discourse.org/buy

mugua · April 5, 2019, 9:09am

@codinghorror Only paid user can get solution?

I an a Discourse fans, and I want to use OneLogin(saml idp) to connect Discourse(saml sp) and Magento2(saml sp).

Thanks a lot.

vinothkannans · April 5, 2019, 9:23am

No, it means we can’t afford one-to-one/direct support for non-customer users. Also read the note in plugin README file.

mugua · April 5, 2019, 9:25am

@vinothkannans From the error , It showd me, I shouldn’t do anything for this, It has no error report for me.
So I can’t get the error reason now…

pfaffman · April 5, 2019, 11:31am

You don’t see any errors in the rails log?

SAML is often difficult to configure and different for each situation. If you cannot figure it out with the available documentation you might ask for help in the #marketplace.

The last one I worked on took me several hours.

mugua · April 10, 2019, 3:04am

Yeah, I find no logs about this.
I am just a little different this course(https), so I want to check:If I used http forced to https, should I do something about the discourse-saml plugin from the github?

nahimov · December 17, 2019, 8:07am

Did according to the instructions. Created a new user in OneLogin, gave him the right to use the created application.
When logging into Discourse, I see this page:

“Sorry, there was an error authorizing your account. Perhaps you did not approve authorization?”

What am I doing wrong?

Felipe_Fujii · April 26, 2021, 5:18pm

does the open source version support saml?

osioke · April 27, 2021, 7:33am

There is only one version of Discourse available, which is the open source version. What differs is hosting and some hosts choose to stay on our stable release, some stay on specific older versions and others (including us at Discourse.org) stay on the latest release test-passed.

This is explained a bit more here Hosting options (Discourse hosting vs. 3rd party hosting) - #9 by eviltrout.

Topic		Replies	Views
Discourse-saml, choosing solution support	14	1697	January 17, 2020
Discourse, Keycloak, SAML vs OAuth support	3	1640	September 24, 2020
Discourse-saml: There was an error authorizing your account sso	12	5303	December 21, 2016
Set up your DiscourseConnect(DiscourseSSO) to SimpleSAMLphp, use your Discourse forum as a SAML IDP (Identify Provider) extras	2	1903	April 9, 2024
Seeking Slack Login / SSO for Discourse sso	6	3067	March 11, 2021

Configure OneLogin's SAML for Discourse