Disable local login with SAML

hi, I managed to setup SAML integration and now have a few accounts with SAML associated account.

my question is whether I can disable local login for the users who have SAML account so they can’t login with user/pwd?

Yes. If SAML is working you can disable local logins; I think that will also disable email logins, so you shouldn’t need to also do that.

yes, I know this option but it is a global option, I would need it as per user option.
half of my users is internal, half is external.
external users can use local login only, internals must use SAML, here I would like to remove (or disable) the local login possibility.

Is it possible?

How would that work? If they aren’t logged in, how could it be a per user option?

I suppose you could have a plugin that would refuse to log them in if the user was on a certain group and hadn’t used saml. I’m thinking 2 to 4 hours work? Maybe more with proper specs. But I haven’t looked. You could ask in #marketplace if you have a budget.

Hi Jay, ok, maybe I used wrong words. sorry. :slight_smile:

I am thinking about an option, something like

Disable/Disallow local login for users who have active associated SSO (external?) account(s) .

Making a plugin is a good idea, I will check it, thanks!
No, there is no budget…

1 Like

Remember that it’s not just a matter of raising the funds to get a plug-in written. You’re also going to need to maintain it so that it keeps working when Discourse is upgraded.

If you can’t afford the above and don’t have the skills to write something yourself then you may have to live with users occasionally logging in locally rather than using SSO.

yes, I am aware of it.

you are right. One option can be to change their password but I think I can’t prevent them reseting it and using the local login again.

If the SAML login is associated with their local account what’s the problem?

SAML is a central IDM and reachable only from internal (corporate) LAN, while the Discourse server is public.

We would like the internal users to be able to login only from the office (or VPN), but while they can use local login method, they can login from everywhere and we can’t disable their login via SAM/IDM (this must be done manually in the forum).

It is not a big deal, but we have a policy that order us to connect to central IDM if possible,

You could add your internal users (the ones to login through SAML) to a group. Then hide the local login section from that group using JS. You could also add JS to hide the SAML login from users not in that group.

Just a workaround, but it may be enough to discourage your users from using the wrong login.

1 Like

But since they won’t be logged in when they are on the login page, there is no way to hide the SAML login from the people who have SAML logins. It might be possible to do something to hide the SAML login from those who aren’t on the corporate IP address, but I’m not sure how to do that.

2 Likes

Ah! You are right :woman_facepalming:t4: If they use a corporate VPN, maybe checking the IP address would work but other than that, forget about my solution :sweat_smile:

3 Likes

Not sure that’s useful, because it won’t work either way. If the SSO address isn’t valid externally then the browser won’t be able to reach it across the public internet.

SAML is an authentication protocol, not an IdM or IdP - it has to consume data from somewhere else. It may be that your IdM also supports SAML, but unless you can tell us what this backend system is we’re going to struggle to help you here.

1 Like

True

Yes, I know it, the auth service is an internal ADFS. But my question is not about SAML nor ADFS since the external login works perfectly, I really like it.

I would like to know whether there’s a way to enable only one auth source in an account and disable all the others or with other words, disable local login on the users who have working SSO.

I understand that it can happen after a login attempt only, it wouldn’t be a problem.

You would need to create a plugin that would do something like test if they were a member of some group and then log them out of they were in the must_use_saml group and didn’t log in with saml.

It’s probably about an hour or two for a developer familiar with such, depending on how much testing is required and whether specs are created.

1 Like

thanks Jay, I will try it!

1 Like