Discourse as an SSO provider for a set of Discourse sites


(Christopher Kampmeier) #1

We have multiple Discourse sites running on different VMs. We’d like users to only have to log into any of the sites once and reuse that login on the other sites. Our interest seems similar to a portion of the following post:

https://meta.discourse.org/t/multiple-sites-urls-but-just-1-user-account/10221?source_topic_id=33780

Our Setup

On our central “meta” Discourse site, I enabled the following settings to make this meta site an SSO provider:

On the other Discourse sites, I enabled the following settings:

Problem

When a user defined on the meta site logs into the meta site and then goes over to one of the other sites, he is automatically logged in when he clicks on the login button. This is good.

However, when a user who is logged out across all sites logs into one of the non-meta sites and then goes over to the meta site and clicks login, he is not automatically logged in. This is the issue we’d like to address given that users will often first access the non-meta sites before accessing the meta site.

We also tried to enable SSO on the meta site, but then we encountered an endless loop when attempting to log into one of the non-meta sites.

Is there a means by which the meta site, the SSO provider in this case, can also participate in the SSO?


(Christopher Kampmeier) #2

Another issue I noticed is that when a user logs into a non-meta/non-provider Discourse site, the authentication is serviced by the meta/provider site, but the user is not redirected back to the non-meta/non-provider site. He is left on the main page of the meta/provider site in a non-logged-in state. Once the user navigates to the non-meta/non-provider site on which he originally clicked the log in button, he sees that he is indeed logged in.

Could the SSO wiring be messed up due to our use of subfolders?


(Kane York) #3

Running multiple Discourse sites, on the same domain, with different subfolders, was not a scenario that was envisioned.

You need multiple cookie contexts for that to make any kind of sense, and you can only get that with subdomains.
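The cookie scoping behind this reply, as an added example that is not part of the original post or of Discourse's code: a minimal cookie store following the RFC 6265 domain-match and path-match rules. The host names, the cookie name `session` and the `Path=/` attribute are assumptions made for illustration.

```javascript
// Added example (not Discourse code): minimal RFC 6265-style cookie store.
// Host names, paths and the cookie name "session" are constructed.
function domainMatch(host, cookieDomain, hostOnly) {
  if (hostOnly) return host === cookieDomain;
  return host === cookieDomain || host.endsWith("." + cookieDomain);
}

function pathMatch(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

class CookieJar {
  constructor() { this.store = new Map(); }

  // A cookie is identified by (name, domain, path). A second Set-Cookie with
  // the same triple replaces the first, whichever application sent it.
  set(url, name, value, { domain = null, path = "/" } = {}) {
    const host = new URL(url).hostname;
    const hostOnly = domain === null;
    const cookieDomain = hostOnly ? host : domain.replace(/^\./, "");
    if (!domainMatch(host, cookieDomain, false)) return false; // foreign Domain
    const key = `${name};${cookieDomain};${path}`;
    this.store.set(key, { name, value, domain: cookieDomain, hostOnly, path });
    return true;
  }

  // Cookies a browser would attach to a request for `url`.
  get(url) {
    const { hostname, pathname } = new URL(url);
    const out = {};
    for (const c of this.store.values()) {
      const ok = domainMatch(hostname, c.domain, c.hostOnly) && pathMatch(pathname, c.path);
      if (ok) out[c.name] = c.value;
    }
    return out;
  }
}

// Log in on the meta site, then on a second site, and return the session
// value the meta site receives afterwards (assumes both set Path=/).
function loginOnBoth(metaUrl, siteUrl) {
  const jar = new CookieJar();
  jar.set(metaUrl + "login", "session", "meta-user");
  jar.set(siteUrl + "login", "session", "site1-user");
  return jar.get(metaUrl).session;
}
```

With both sites under one host, the second login replaces the first site's session cookie; with one host per site, each keeps its own.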


(Jeff Atwood) #4

@neil your subfolder guides should definitely mention this.


(Neil Lalonde) #5

Yikes, good point! I updated the guide.


(Erlend Sogge Heggen) #6

Any useful guidelines in this topic should be added to the canonical guide:


(Erlend Sogge Heggen) #7