Disable email verification for SSO

Hey,

I’ve set up discourse to use Auth0 as the SSO provider. The problem I have is that when a user registers they are recieving two verification emails. One from auth0 and one from discourse.

Is there anyway to disable the one from discourse?

Thanks in advance

If email addresses are being verified by Auth0, you can disable Discourse verification emails by selecting the oauth2 email verified site setting. There is a reference to that setting in this post: How to use Auth0 with the OAuth2 Basic Plugin.

3 Likes

Thanks for the answer @simon but I’m using SSO not Oauth2

2 Likes

The term SSO gets used for a few different authentication methods. This has caused confusion a few times in the past.

If you are using the Discourse implementation of SSO, then email verification is controlled by the require_activation SSO parameter. Set that parameter to "false" to bypass email verification.

2 Likes

Thanks again @simon

I want to avoid disabling it completely. At the moment I have it set up so that require_activation returns true false based upon whether they have been verified by auth0. This works fine and after they have clicked on the auth0 email the next time they login they get verified on discourse.

So ideally it would just be suppressing the email unless I’m missing something

1 Like

That makes sense. Our WordPress plugin handles email verification in the same way.

If you want to see how the require_activation value is used by Discourse, have a look at this file: discourse/discourse_single_sign_on.rb at master · discourse/discourse · GitHub. You’ll see that when require_activation is set to "false" when a user is first created via SSO, an active user will be created by Discourse. If it is set to "true", the user will not be activated until they click the link in the Discourse activation email.

Once a user is set to active on Discourse, the only thing that should cause a user to need to be reactivated is if you have enabled the sso_overrides_email site setting and the user updates their email address on your SSO provider site.

When set to "true", require_activation also prevents Discourse from matching existing users to users from your external site based on their email address. This can cause issues when SSO is implemented after users have already been created on the site with username/password account creation.

1 Like

Thank you that makes sense, however I’m not sure how this stops the “verify email” email from discourse getting sent?

I just want the one from auth0 to be sent

To only have the verification email sent from your SSO provider site, users will need to register on that site and verify their email address before they first login to Discourse. You will then be able to set the require_activation parameter to "false" for those users. They will be created as active users on Discourse and not get sent the Discourse activation email.

2 Likes