We’ve been running our site with “SSO Overrides Username” enabled so far, and plan to disable it. A few questions before we do:
- Will the username still be initially pulled from SSO, but now be changeable in user’s profile settings?
- If so, what will happen if there is a username conflict between a pre-existing username and a new username taken from SSO?
Are there any considerations we might not have thought of?
According to my understanding:
The username provided via SSO is now considered a suggested default. Users can change it if they want. It is also modified if the username is already taken: In this case, the new user does not get the username from the SSO payload but an automatically generated alternative. (In theory, this can also happen with this setting enabled, e.g. if you have multiple similar usernames with characters not allowed in Discourse usernames.)
This should not affect anything else, as all matching between the SSO payload and Discourse users is leveraging the external ID or mail if needed.
What if we re-enable it in the future? Will usernames revert to match SSO?
If you enable the setting again, users will immediately lose the ability to change their username on your site.
On each logon, the users’ name will be reverted to the one from the payload, if possible. Of course, this might not be possible (another user might already use that username), so users might still get suggested usernames that differ from the SSO one.
Assuming your SSO only provides username that are legal in Discourse and all user log in regularly, after some time, the usernames will all match again.