Here’s how to configure Discourse to allow login and registration with OneLogin’s SAML.
Configure OneLogin
Create OneLogin account
Go to OneLogin and create an account.
Create new app: SAML Test Connector (IdP w/attr)
From your dashboard create new app.
Search for SAML Test Connector (IdP w/attr)
Configure app
Let’s assume that the URL of our Discourse instance is http://discourse.example.com. Let’s configure it.
Switch to Configuration tab and fill out these details:
- Audience: http://discourse.example.com
- Recipient: http://discourse.example.com/auth/saml/callback
- ACS (Consumer) URL Validator: ^http:\/\/discourse\.example\.com\/auth\/saml\/callback\/$
- ACS (Consumer) URL: http://discourse.example.com/auth/saml/callback
Copy certificate info and SAML 2.0 Endpoint
Switch to SSO tab.
Click on the View Details link under the certificate and copy the SHA fingerprint and the X.509 Certificate. Note them down; they will be used when configuring the Discourse app.
Copy and note SAML 2.0 Endpoint (HTTP) URL.
Configure Discourse
Install discourse-saml plugin
Follow this guide to install discourse-saml plugin.
Configure discourse-saml plugin
The plugin can be configured in two ways:
Option 1: Site Settings (recommended)
After installing and rebuilding, go to your Discourse admin panel and navigate to Admin → Plugins → SAML. Enable the saml_enabled setting and configure the following:
- saml_target_url: the SAML 2.0 Endpoint URL copied from OneLogin SSO tab
- saml_cert_fingerprint: the SHA fingerprint copied from OneLogin SSO tab → Certificate section
- saml_cert: the X.509 Certificate copied from OneLogin SSO tab → Certificate section
- saml_log_auth: enable for debugging
Option 2: Environment Variables
Alternatively, you can configure the plugin via environment variables in app.yml. Note that when environment variables are used, all SAML site settings are hidden from the admin UI.
Edit app.yml
cd /var/discourse
vim containers/app.yml
and add these variables under env section:
DISCOURSE_SAML_TITLE: "Example SAML"
DISCOURSE_SAML_TARGET_URL: {SAML 2.0 Endpoint URL}
DISCOURSE_SAML_LOG_AUTH: "true"
DISCOURSE_SAML_CERT_FINGERPRINT: {SHA fingerprint}
DISCOURSE_SAML_CERT: {X.509 Certificate without line breaks}
- replace {SAML 2.0 Endpoint URL} with SAML 2.0 Endpoint URL copied from OneLogin SSO tab
- replace {SHA fingerprint} with SHA fingerprint copied from OneLogin SSO tab → Certificate section
- replace {X.509 Certificate without line breaks} with X.509 Certificate copied from OneLogin SSO tab → Certificate section, note that there must be no line breaks and remove begin and end marker
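The certificate and fingerprint values above are what pin Discourse to OneLogin's signing certificate, so a copy/paste slip in either one breaks login or pins the wrong key. The following is an added example, not part of the original guide or the discourse-saml plugin: it flattens a PEM certificate into the single-line form and recomputes the fingerprint so it can be compared with the one copied from OneLogin. The function names and the sample PEM are made up for illustration, and picking SHA-1 or SHA-256 by the length of the copied value is an assumption, since the page only says "SHA fingerprint".

```python
import base64
import hashlib
import hmac
import re

# Constructed stand-in, NOT a real certificate: the body is plain base64 text so
# the script runs offline. Paste the PEM copied from the OneLogin SSO tab instead.
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
VGhlIHF1aWNrIGJyb3duIGZveCBq
dW1wcyBvdmVyIHRoZSBsYXp5IGRv
Zw==
-----END CERTIFICATE-----
"""

def flatten_cert(pem: str) -> str:
    """Drop the BEGIN/END marker lines and all whitespace, leaving one base64 line."""
    body = [ln for ln in pem.splitlines() if not ln.strip().startswith("-----")]
    flat = re.sub(r"\s+", "", "".join(body))
    if not flat or not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", flat):
        raise ValueError("certificate body is empty or not clean base64")
    return flat

def fingerprint(pem: str, algo: str = "sha1") -> str:
    """Hash the decoded (DER) bytes and format as colon-separated upper-case hex."""
    der = base64.b64decode(flatten_cert(pem), validate=True)
    hexdigest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))

def fingerprint_matches(pem: str, copied: str) -> bool:
    """Compare with the bare copied value, ignoring colons, spaces and case."""
    want = re.sub(r"[^0-9A-Fa-f]", "", copied).upper()
    algo = {40: "sha1", 64: "sha256"}.get(len(want))  # assumption: length picks the hash
    if algo is None:
        return False
    got = fingerprint(pem, algo).replace(":", "")
    return hmac.compare_digest(got, want)

if __name__ == "__main__":
    # Values in the shape expected under the env section of app.yml
    print('DISCOURSE_SAML_CERT: "%s"' % flatten_cert(SAMPLE_PEM))
    print('DISCOURSE_SAML_CERT_FINGERPRINT: "%s"' % fingerprint(SAMPLE_PEM))
```

If `fingerprint_matches` returns False for the real certificate and the fingerprint shown by OneLogin, re-copy both values before rebuilding.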
Rebuild app
For the changes to take effect, rebuild the app:
cd /var/discourse
./launcher rebuild app
Voila!
You should now be able to log in using OneLogin’s SAML.
Last edited by @JammyDodger 2024-05-26T07:29:26Z