Debugging and fixing common SSO issues

As the administrator of a forum that is using SSO, you may occasionally get reports from users that when they attempt to log in to the forum, they are greeted by an error screen.


Enabling verbose sso logging

To debug the issue, the first thing you need to do is to enable the ‘verbose sso logging’ Site Setting on Discourse. If this setting was previously enabled, you can go directly to your site logs at Admin/Logs/Error Logs. If the setting was not previously enabled, you will need to ask the user to attempt logging in again so that a log entry of their failing login attempt is generated.

Reading the log entry

Go to Admin/Logs/Error Logs and look for a recent log entry that starts with Verbose SSO log: Record was invalid. If you have trouble finding the entry, enter ‘Record was invalid’ into the search box at the bottom of the logs page. Click on the log entry, then click on the ‘info’ tab on the logs toolbar.

The information that you will need is the reason (given in the log entry), and the email and external_id (found in the info section).

Solving require_activation SSO login issues

A common issue with SSO login is: Record was invalid: User {:primary_email=>"has already been taken"}.

This can happen when the require_activation parameter in the SSO payload is set to true and the user has an existing account on Discourse that either does not yet have a single_sign_on_record associated with it, or has a single_sign_on_record whose external_id doesn’t match the external_id of the user who is trying to log in.

To confirm this, enter your forum’s Rails console, and search for a user who has the email address that was used in the failed SSO login attempt:

u = User.find_by_email('sally@example.com')

Now, check if there is a single_sign_on_record for this user:

sso_record = u.single_sign_on_record

If the user exists on your forum, but does not have an SSO record, you can create a record for them using the user’s id together with the external_id and email from the SSO log:

SingleSignOnRecord.create(user_id: 2, external_id: 2, external_email: 'sally@example.com', last_payload: '')

The user should now be able to log in.

If there is an existing SSO record for the user, but its external_id doesn’t match the external_id from the failed login attempt, you will need to look into why this has happened. One way this can happen is if a user’s account has been deleted and then recreated on the SSO provider site. In this case, you can update the SSO record to use the new external_id:

sso_record.external_id = <failed-sso-login-record-external_id>
sso_record.save!

The user should now be able to log in.

If you are using the WP Discourse plugin and running into the issue outlined above, see How to validate email addresses with the WP Discourse plugin for details about how to resolve the issue without having to access the Rails console.

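The diagnosis in the ‘Solving require_activation SSO login issues’ section is a small decision tree: does a user with the logged email exist, does that user have an SSO record, and does the record’s external_id match the one in the log. The Ruby below is an added example, not code from the original post or from Discourse itself; it walks that tree and applies the matching fix. It assumes in-memory Struct stand-ins for the User and SingleSignOnRecord models (in a real Rails console those are ActiveRecord models and the same calls would hit the database), and the users and records it starts from are constructed sample data.

```ruby
# Added example (not from the original post): the decision tree of the
# 'Solving require_activation SSO login issues' section as a function, so the
# fix can be reasoned through before anything is typed into a Rails console.
# ASSUMPTION: in the real console User and SingleSignOnRecord are ActiveRecord
# models; here they are in-memory Structs carrying only the fields the post uses.

User = Struct.new(:id, :email, keyword_init: true)
SingleSignOnRecord = Struct.new(:user_id, :external_id, :external_email, :last_payload,
                                keyword_init: true)

# Constructed forum state: Sally has an account but no SSO record, Bob has an
# SSO record whose external_id no longer matches what the provider sends.
USERS = [
  User.new(id: 2, email: 'sally@example.com'),
  User.new(id: 3, email: 'bob@example.com'),
].freeze
SSO_RECORDS = [
  SingleSignOnRecord.new(user_id: 3, external_id: '17',
                         external_email: 'bob@example.com', last_payload: ''),
].freeze

# Diagnose a failed login from the two values taken out of the verbose SSO log:
# the email and the external_id the provider sent. Returns a symbol naming the case.
def diagnose_sso_failure(users, records, email:, external_id:)
  user = users.find { |u| u.email.casecmp?(email) }
  return :no_user_with_that_email if user.nil?

  record = records.find { |r| r.user_id == user.id }
  return :user_without_sso_record if record.nil?

  # Compare as strings: Discourse stores external_id as a string, while the
  # value copied from the log may well be typed as an integer (e.g. 91).
  record.external_id.to_s == external_id.to_s ? :record_already_matches : :external_id_mismatch
end

# Apply the fix the post describes for each case and return the record that now
# links the user to the provider, or nil when there is nothing to fix.
# Mutates `records` the way SingleSignOnRecord.create / save! would.
def repair_sso_link(users, records, email:, external_id:)
  user = users.find { |u| u.email.casecmp?(email) }
  case diagnose_sso_failure(users, records, email: email, external_id: external_id)
  when :user_without_sso_record
    record = SingleSignOnRecord.new(user_id: user.id, external_id: external_id.to_s,
                                    external_email: email, last_payload: '')
    records << record
    record
  when :external_id_mismatch
    # Only do this once you know why the provider's id changed (for example the
    # account was deleted and recreated on the provider site).
    record = records.find { |r| r.user_id == user.id }
    record.external_id = external_id.to_s
    record
  else
    nil
  end
end

if __FILE__ == $PROGRAM_NAME
  users = USERS.map(&:dup)
  records = SSO_RECORDS.map(&:dup)
  puts diagnose_sso_failure(users, records, email: 'sally@example.com', external_id: 2)
  repair_sso_link(users, records, email: 'sally@example.com', external_id: 2)
  puts diagnose_sso_failure(users, records, email: 'sally@example.com', external_id: 2)
  puts diagnose_sso_failure(users, records, email: 'bob@example.com', external_id: 91)
end
```

The :external_id_mismatch branch is deliberately the only one that rewrites an existing link; the :record_already_matches case returns nil so that a record which is already correct is never touched, which matches the post’s advice to first find out why the ids differ before changing anything.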

I wasn’t sure how to enter the Rails console, but found the answer over here and thought I’d publish for anyone else who doesn’t know how to get into the Rails console.

  1. SSH into your site
  2. Login as root user then do the following:
  3. sudo -s
  4. cd /var/discourse/
  5. ls
  6. ./launcher enter app
  7. rails c

That should get you into the Rails console!


I was doing this and it was not working, but I finally got it to work when I replaced this:

sso_record.external_id = <failed-sso-login-record-external_id>

with this:

sso_record.external_id = 91

Where “91” was the external_id of the user who was unable to login.

Thanks so much for this helpful discussion @Simon_Cossar! :raised_hands:

Yes, <failed-sso-login-record-external_id> is meant to be replaced with the external_id from the log entry.


:man_facepalming: I was trying it with the " < > " and it wasn’t working, of course ツ

Is there an easy way to reset the SSO ties for specific accounts with the Rails console? I have a couple admin accounts that are tied to different WP accounts than I would like because originally the email addresses didn’t match properly. Can I manually set them to be tied to a different WP account?

You can find the user’s WordPress ID by going to their user page from the WordPress dashboard. The user’s ID will be displayed in the address bar of your browser as the value of the user_id query parameter.

Once you have the user’s WordPress ID, you can update their SSO record on Discourse following the steps outlined for updating the external_id at the end of the ‘Solving require_activation SSO login issues’ section of my original post. You need to be careful with this though - especially with admin accounts.


Hi, we tried these solutions but nothing worked… The external ids were the same and SSO is active. Do you have another solution please? I’m lost :frowning:

Is the problem with SSO login for a particular user, or is SSO not working at all on your site?

only for a particular user

Make sure you have enabled the verbose sso logging site setting. If you have done that, are you able to find the error in your site’s logs when the user attempts to log in? If you can share the error log here, we may be able to help. If there is data in the log that you don’t want to make public, you can send it to me in a PM.


Does this help you? Is it what you need?

It is the detail of the log for the member concerned by the situation (or at least, the only one that reported this problem).

Thank you so much!


Thanks, that helps. It looks like your SSO provider site is a WordPress site. Are you using the WP Discourse plugin for SSO? If so, and you are using the latest version of the plugin, try going to the user’s profile page and checking the ‘Email Address Verified’ checkbox. Then be sure to click the Save button. After doing this, have the user try logging in again.

If you are not using the WP Discourse plugin, we will need to give you more detailed instructions to fix the issue.


You’re right, I’m using WordPress and I made the change, I will ask user to try again, thank you so much!! :smiley:


It worked! Yeah! :smile: Thank you!
