Discourse-saml as sole login method

I can see from the admin settings that the built-in (non-SAML) SSO support can do things like:

  • sso overrides bio - Overrides user bio in user profile and prevents user from changing it

  • sso overrides email - Overrides local email with external site email from SSO payload on every login, and prevent local changes. (WARNING: discrepancies can occur due to normalization of local emails)

  • sso overrides username - Overrides local username with external site username from SSO payload on every login, and prevent local changes. (WARNING: discrepancies can occur due to differences in username length/requirements)

  • sso overrides name - Overrides local full name with external site full name from SSO payload on every login, and prevent local changes.

  • sso overrides avatar - Overrides user avatar with external site avatar from SSO payload. If enabled, disabling allow_uploaded_avatars is highly recommended

Is there any way to achieve the same thing with the discourse-saml plugin? Would it require source code changes?

Thanks

Alex

I’m pretty sure the SAML plugin supports all of those settings. It’s still SSO.

I just tested this by enabling sso overrides {bio,email,username,name}, and someone logging in for the first time via SAML still has the option to choose their username and full name. We tested setting it to something random, and it successfully created their account.

So it appears it is not actually hooked in with the SAML plugin.

So did none of the fields get pushed to Discourse when you created the new account? Or was it the case that the name, etc got pushed to Discourse when the account was created but the user was still able to change it?

SAML is insanely difficult to configure since it seems that everyone who uses it uses it “wrong” a different way (not my opinion, but what I inferred when helping a university configure SAML for Discourse).

Nope, and this is an all too common mistake.

SAML on Discourse is not SSO, it’s just another login strategy, like Facebook, Google or Email/Password.

If you want to use it as the one true login, I really recommend implementing our native SSO protocol.

But, if you are feeling adventurous, you can try to hack on the SAML plugin to add the SSO features one by one. I recently added the group sync feature from SSO to the SAML plugin.

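The native SSO protocol Falco recommends above (today called DiscourseConnect) is what carries the email, username, name, bio and avatar fields that the “sso overrides …” settings act on, which is why those settings do nothing for a login strategy such as SAML that never sends that payload. The following Ruby is an added example, not code from Discourse, the SAML plugin or anyone in this thread; it walks the three-step exchange with both sides in one file. The secret, the user record, the `SsoError` class and the function names are constructed for illustration; only the wire shape (URL-encoded fields, base64, hex HMAC-SHA256 over the base64 text, nonce echoed back) follows the protocol.

```ruby
require "openssl"
require "base64"
require "uri"

# Added example, not Discourse's own code. The secret and the user record
# below are constructed for illustration.
SSO_SECRET = "example-sso-secret-change-me-32-bytes!!".freeze

EXAMPLE_USER = {
  "external_id" => "u-1001",              # stable id in the identity provider
  "email"       => "alex@example.com",
  "username"    => "alex",
  "name"        => "Alex Example",
  "bio"         => "Security engineer. Ask me about SAML.",
  "avatar_url"  => "https://idp.example.com/avatars/u-1001.png",
}.freeze

class SsoError < StandardError; end

# sig = hex(HMAC-SHA256(secret, sso)); the MAC covers the base64 text exactly
# as it travels in the `sso` query parameter.
def sso_sign(sso, secret = SSO_SECRET)
  OpenSSL::HMAC.hexdigest("SHA256", secret, sso)
end

# Constant-time comparison so a forged sig leaks nothing through timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Verify first, then decode: never turn an unverified payload into user attributes.
def sso_open(sso, sig, secret = SSO_SECRET)
  raise SsoError, "bad signature" unless secure_equal?(sso_sign(sso, secret), sig)
  URI.decode_www_form(Base64.decode64(sso)).to_h
end

def sso_seal(fields, secret = SSO_SECRET)
  sso = Base64.strict_encode64(URI.encode_www_form(fields))
  { sso: sso, sig: sso_sign(sso, secret) }
end

# Step 1, Discourse -> provider: a fresh random nonce plus the return URL.
def discourse_start_sso(nonce, return_sso_url)
  sso_seal({ "nonce" => nonce, "return_sso_url" => return_sso_url })
end

# Step 2, provider -> Discourse: echo the nonce and attach the user's fields.
# With "sso overrides email/username/name/bio/avatar" enabled, Discourse takes
# these values on every login and locks the corresponding profile fields.
def provider_handle_sso(sso, sig, user)
  request = sso_open(sso, sig)
  raise SsoError, "missing nonce" unless request["nonce"]
  sso_seal({ "nonce" => request["nonce"] }.merge(user))
end

# Step 3, Discourse: verify the reply and reject one whose nonce was not issued
# for this login attempt (replay or cross-session injection).
def discourse_finish_sso(sso, sig, expected_nonce)
  attrs = sso_open(sso, sig)
  raise SsoError, "nonce mismatch" unless secure_equal?(attrs["nonce"].to_s, expected_nonce)
  attrs
end

if __FILE__ == $PROGRAM_NAME
  nonce = OpenSSL::Random.random_bytes(16).unpack1("H*")
  req   = discourse_start_sso(nonce, "https://forum.example.com/session/sso_login")
  resp  = provider_handle_sso(req[:sso], req[:sig], EXAMPLE_USER)
  p discourse_finish_sso(resp[:sso], resp[:sig], nonce)
end
```

Two points worth keeping in mind when wiring a real provider: the signature is over the base64 string, so any re-encoding of the payload in transit (a proxy that re-wraps or trims the value) breaks verification, and Discourse additionally remembers each nonce it issued and expires it, so the provider must echo it unchanged rather than mint its own.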

Thanks for the info @Falco - it’s not actually a showstopper for us, but we may well try to contribute some features back to the SAML plugin in the near future.

Thanks
