Creating Discourse accounts via SSO without visiting the forum URL?

So I admin a forum that uses SSO to pass username / pw credentials to our Discourse instance.

Currently, you have to log in to my main website, then click through to my forum for credential pass-through to occur and create a forum account.

My devs are working on updating our outdated API call method and updating it to Discourse’s current spec. My dev tells me that it’s possible for SSO to create a Discourse account without the user having to affirmatively click through to our forum.

Do any of you have your API set up like this? I’m wary of auto-syncing this by default. What are the upsides / downsides?

Yes, our WordPress plugin has an option that does something similar to this. The way it works is that when a user creates a WordPress account, or logs into the WordPress site, a call is made to the Discourse /admin/users/sync_sso route. If the user does not yet exist on Discourse, this creates a Discourse user. If the user already exists on Discourse, the call can be used to update details about the user that have changed on the SSO provider site. For example, it can be used to update a user’s name, username, or email address. It can also be used to add or remove the user from Discourse groups.

For a general overview of the sync_sso route, have a look at Sync SSO user data with the sync_sso route. If your devs would like to see a working example of this that’s written in PHP, have a look at this file from our WordPress plugin: wp-discourse/discourse-sso.php at master · discourse/wp-discourse · GitHub. The main function to look at in that file is the sync_sso function.

The only downside that I am aware of is that it adds some complexity to the SSO code. With the way it is implemented in the WordPress plugin, it also adds an API call to Discourse every time a user logs into the SSO provider site. That is because it is hooked into the WordPress login event. I am not aware of this API call causing rate limit issues on any sites, but it would be possible to only make the call when a new account is created if that was causing an issue.

The upside of this approach is that it allows you to update details about your users without them having to log in to Discourse via SSO. For example, it would allow you to add users to a Discourse group when they perform an action on your website.

One other approach for integrating a website with Discourse via SSO is to use SSO login links on your website. This allows you to add links to your Discourse forum on your website that will log users into Discourse and take them to a specific page. This topic has details about how to set it up: Create an SSO login link.
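As an added illustration of the sync_sso flow described in the answer above (this is example code written for this thread, not code from the wp-discourse plugin or from Discourse itself): the SSO provider builds the standard DiscourseConnect payload (`external_id`, `email`, `username`, optional `name`, `add_groups`, `remove_groups`), base64-encodes the URL-encoded query string, signs it with HMAC-SHA256 using the shared SSO secret, and POSTs `sso` and `sig` to `/admin/users/sync_sso` with admin API credentials in the `Api-Key` / `Api-Username` headers. The forum URL, secret, API key and API username below are placeholders. A `verify_payload` helper is included so you can see the same check Discourse performs on its side, and `build_sync_sso_request` only prepares the request, so the block runs offline; `post_sync_sso` is the part that actually talks to the forum.

```python
"""Build, sign and (optionally) send a Discourse sync_sso request.

Example code added for illustration; not from the wp-discourse plugin or Discourse.
All credentials below are placeholders that must be supplied from server-side config.
"""
import base64
import hashlib
import hmac
import urllib.parse
import urllib.request
from typing import Iterable, Mapping, Optional

DISCOURSE_URL = "https://forum.example.com"  # placeholder forum URL
SSO_SECRET = "replace-with-your-sso-secret"  # placeholder: same value as the Discourse SSO secret setting
API_KEY = "replace-with-admin-api-key"       # placeholder admin API key
API_USERNAME = "system"                      # placeholder: admin user the API key belongs to


def sign_payload(params: Mapping[str, str], secret: str) -> dict:
    """URL-encode the params, base64 the result, and sign it with HMAC-SHA256 (hex digest)."""
    query = urllib.parse.urlencode(params)
    sso = base64.b64encode(query.encode()).decode()
    sig = hmac.new(secret.encode(), sso.encode(), hashlib.sha256).hexdigest()
    return {"sso": sso, "sig": sig}


def verify_payload(sso: str, sig: str, secret: str) -> Optional[dict]:
    """Constant-time signature check; returns the decoded fields, or None if the signature is wrong."""
    expected = hmac.new(secret.encode(), sso.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return None
    query = base64.b64decode(sso).decode()
    return dict(urllib.parse.parse_qsl(query))


def build_sync_sso_request(
    external_id: str,
    email: str,
    username: str,
    name: Optional[str] = None,
    add_groups: Iterable[str] = (),
    remove_groups: Iterable[str] = (),
) -> dict:
    """Prepare the POST to /admin/users/sync_sso without sending it.

    external_id is the provider-side user id; Discourse matches on it, so it must be
    stable for the lifetime of the account (do not use something the user can change).
    """
    params = {"external_id": str(external_id), "email": email, "username": username}
    if name:
        params["name"] = name
    if add_groups:
        params["add_groups"] = ",".join(add_groups)
    if remove_groups:
        params["remove_groups"] = ",".join(remove_groups)
    fields = sign_payload(params, SSO_SECRET)
    return {
        "url": f"{DISCOURSE_URL}/admin/users/sync_sso",
        "headers": {
            "Api-Key": API_KEY,
            "Api-Username": API_USERNAME,
            "Content-Type": "application/x-www-form-urlencoded",
        },
        "fields": fields,
        "body": urllib.parse.urlencode(fields),
    }


def post_sync_sso(request: dict, timeout: float = 10.0) -> bytes:
    """Send a prepared request; call this from your account-creation or login hook."""
    req = urllib.request.Request(
        request["url"], data=request["body"].encode(), headers=request["headers"], method="POST"
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read()


if __name__ == "__main__":
    # Constructed sample user; shows the prepared request without contacting a forum.
    prepared = build_sync_sso_request("42", "jane@example.com", "jane", name="Jane Doe", add_groups=["members"])
    print(prepared["url"])
    print(prepared["body"])
```

Two design points follow from the answer above: the signing has to happen server-side because the SSO secret is what lets Discourse trust the payload, so it must never reach the browser; and if hooking the call into every login turns out to trip Discourse rate limits, wire `post_sync_sso` into account creation (and into the specific events that change name, email or group membership) rather than into every login.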