Debugging and fixing common SSO issues


(Simon Cossar) #1

As the administrator of a forum that is using SSO, you may occasionally get reports from users that when they attempt to login to the forum, they are greeted by this screen:


Enabling verbose sso logging

To debug the issue, the first thing you need to do is to enable the ‘verbose sso logging’ Site Setting on Discourse. If this setting was previously enabled, you can go directly to your site logs at Admin/Logs/Error Logs. If the setting was not previously enabled, you will need to ask the user to attempt logging in again so that you can generate a log entry of their failing login attempt.

Reading the log entry

Go to Admin/Logs/Error Logs and look for a recent log entry that starts with Verbose SSO log: Record was invalid. If you have trouble finding the entry, enter ‘Record was invalid’ into the search box at the bottom of the logs page. Click on the log entry. Then click on the ‘info’ tab on the logs toobar:

The information that you will need is the reason (given in the log entry), and the email and external_id (found in the info section.)

Solving require_activation SSO login issues

A common issue with SSO login is: Record was invalid: User {:primary_email=>"has already been taken"}.

This can happen when the require_activation parameter in the SSO payload is set to true and the user has an existing account on Discourse that either does not yet have a single_sign_on_record associated with it, or has a single_sign_on_record, but the record’s external_id doesn’t match the external_id of the user who is trying to login.

To confirm this, enter your forum’s Rails console, and search for a user who has the email address that was used in the failed SSO login attempt:

u = User.find_by_email('')

Now, check if there is a single_sign_on_record for this user:

sso_record = u.single_sign_on_record

If the user exists on your forum, but does not have an SSO record, you can create a record for them using the values from the SSO log:

SingleSignOnRecord.create(user_id: 2, external_id: 2, external_email: '', last_payload: '')

The user should now be able to login.

If there is an existing SSO record for the user, but its external_id doesn’t match the external_id from the failed login attempt, you will need to look into why this has happened. One way this can happen is if a user’s account has been deleted and then recreated on the SSO provider site. In this case, you can update the SSO record to use the new external_id:

sso_record.external_id = <failed-sso-login-record-external_id>!

The user should now be able to login.

Users unable to login using Wordpress SSO
SSO to Joomla site
Login error, possibly related to Wordpress SSO (for single user)
Wp-discourse getting odd data from wp - debug help?
(Jordan) #2

I wasn’t sure how to enter the Rails console, but found the answer over here and thought I’d publish for anyone else who doesn’t know how to get into the Rails console.

  1. SSH into your site
  2. Login as root user then do the following:
  3. sudo -s
  4. cd /var/discourse/
  5. ls
  6. ./launcher enter app
  7. rails c

That should get you into the Rails console!

(Jordan) #3

I was doing this and it was not working, but I finally got it to work when I replaced this:

sso_record.external_id = <failed-sso-login-record-external_id>

with this:

sso_record.external_id = 91

Where “91” was the external_id of the user who was unable to login.

Thanks so much for this helpful discussion @Simon_Cossar! :raised_hands:

(Simon Cossar) #4

Yes, <failed-sso-login-record-external_id> is meant to be replaced with the external_id from the log entry.

(Jordan) #5

:man_facepalming: I was trying it with the " < > " and it wasn’t working, of course ツ