Discourse-saml is not multisite compatible

On a newly configured Discourse instance, SAML fails because of the default Content-Security-Policy, which denies the script submitting the form…

We host many customers who are using the SAML plugin successfully with CSP. Can you share the error you’re seeing in the browser console?

All our hosting uses CDNs, so my guess is that the CSP rule is not working for people without CDNs :thinking:

Yes sorry I was planning to do so but I cannot reproduce the error message – although the error remains.
Now I only get ‘mixed content’ errors on the favicon and apple icon. The images were uploaded before force_https was checked, but I believe this setting should take care of the source for all icons… Is this a bug?

I’m trying to reproduce the original error I got but so far no luck. The error displayed on screen is "Sorry, there was an error authorizing your account. Please try again." I believe it’s an invalid ticket, although all configs match an existing working instance on both the Discourse and Keycloak side. Weird.

OK, I found the error. I think it comes from the setup:

  1. it’s a multisite instance with ps.zoethical.org as the ‘main’ one, for which SAML was configured originally.
  2. the forum.zonnklopper.be instance has a SAML button appearing, but the scope is defined for ps.zoethical.org:

(saml) Authentication failure! invalid_ticket: OneLogin::RubySaml::ValidationError, https://ps.zoethical.org is not a valid audience for this Response - Valid audiences: https://forum.zonnklopper.be

If I add the ps.zoethical.org audience I get another error:

(saml) Authentication failure! invalid_ticket: OneLogin::RubySaml::ValidationError, The response was received at https://forum.zonnklopper.be/auth/saml/callback instead of https://ps.zoethical.org/auth/saml/callback
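The two log lines above are the Service Provider's Audience and Destination checks failing in turn. The following is an added example, not code from Discourse or the discourse-saml plugin: a minimal re-creation of those two checks over a constructed SAML Response, using the hostnames from this thread, to show why expectations derived from one configured hostname fail for every other site of a multisite install. The `expected_for` helper stands in for the plugin's single-hostname configuration; the XML is constructed and carries no signature, and all the other validations a real SAML library performs are omitted.

```ruby
# Added example, not code from Discourse or the discourse-saml plugin: a minimal
# re-creation of the two checks that failed in the log lines above (Audience and
# Destination), to show why one configured hostname cannot serve every site of a
# multisite install. Hostnames are the ones from the thread; the XML is constructed.
require 'rexml/document'
require 'rexml/xpath'

SAML_NS = {
  'samlp' => 'urn:oasis:names:tc:SAML:2.0:protocol',
  'saml'  => 'urn:oasis:names:tc:SAML:2.0:assertion'
}.freeze

MAIN_SITE  = 'https://ps.zoethical.org'      # the site SAML was configured for
OTHER_SITE = 'https://forum.zonnklopper.be'  # another site of the same multisite

def callback_url(site)
  "#{site}/auth/saml/callback"
end

# What the Service Provider expects, derived from a single configured hostname
# (hypothetical stand-in for the plugin's one-site configuration).
def expected_for(configured_site)
  { audience: configured_site, destination: callback_url(configured_site) }
end

# Constructed SAML Response as an IdP would issue it for a given SP
# (no signature; only the elements these two checks look at).
def build_response(destination, audiences)
  audience_xml = audiences.map { |a| "<saml:Audience>#{a}</saml:Audience>" }.join
  <<~XML
    <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                    ID="_constructed_response" Version="2.0" Destination="#{destination}">
      <saml:Assertion ID="_constructed_assertion" Version="2.0">
        <saml:Conditions>
          <saml:AudienceRestriction>#{audience_xml}</saml:AudienceRestriction>
        </saml:Conditions>
      </saml:Assertion>
    </samlp:Response>
  XML
end

# Check the Response against the SP's expectations. Returns an array of error
# strings in the wording of the thread's log lines; empty means both checks passed.
def validate_response(xml, expected)
  doc = REXML::Document.new(xml)
  destination = doc.root.attributes['Destination']
  audiences = REXML::XPath.match(doc, '//saml:Audience', SAML_NS).map { |e| e.text.strip }

  errors = []
  unless audiences.include?(expected[:audience])
    errors << "#{expected[:audience]} is not a valid audience for this Response " \
              "- Valid audiences: #{audiences.join(', ')}"
  end
  unless destination == expected[:destination]
    errors << "The response was received at #{destination} instead of #{expected[:destination]}"
  end
  errors
end

# Walk through the thread's two steps, then the case a per-site configuration would give.
def multisite_walkthrough
  # Step 1: the IdP answers the second site, but the SP expects the main site.
  response_for_other = build_response(callback_url(OTHER_SITE), [OTHER_SITE])
  step1 = validate_response(response_for_other, expected_for(MAIN_SITE))
  # Step 2: adding the main site's audience on the IdP side clears only the audience error.
  response_with_both = build_response(callback_url(OTHER_SITE), [OTHER_SITE, MAIN_SITE])
  step2 = validate_response(response_with_both, expected_for(MAIN_SITE))
  # Step 3: only expectations derived from the receiving site pass both checks.
  step3 = validate_response(response_with_both, expected_for(OTHER_SITE))
  { audience_and_destination: step1, destination_only: step2, per_site_config: step3 }
end

if __FILE__ == $PROGRAM_NAME
  multisite_walkthrough.each do |label, errs|
    puts "#{label}: #{errs.empty? ? 'OK' : errs.join(' | ')}"
  end
end
```

Running it prints the two-error, one-error and no-error outcomes for the three steps. The point it makes is that the checks themselves are correct and wanted (they are what stops a Response minted for one site from being accepted by another); the mismatch comes from the SP deriving its audience and callback URL from a single configured hostname rather than from the site that actually received the Response.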

The SAML plugin is not multisite compatible.

Yes this is what I just realized. It’s very unfortunate. :frowning:

So actually, the plugin’s non-compatibility means that:

  1. it will work on the first site of a multisite (or the one for which it’s configured via DISCOURSE_HOSTNAME)
  2. the button will appear on all other instances’ login UI
  3. but those buttons will fail without a clear solution.

Since there’s no dedicated topic in #plugin for discourse-saml, I’d suggest creating one and mentioning this caveat in the first post. I’m pretty sure some consolidation can be made from the 50+ topics mentioning SAML. Had I known this before, I would have set up my services differently.

(BTW, the original CSP error is most probably due to the fact the iframe tries to load the original site instead of the current one.)

Hide SAML Button on multisite

This is a quick fix for people who activated the SAML plugin on multisite. :slight_smile:

  1. Go to Admin > Themes and “install new”
  2. Create new component (with name: “Hide SAML Button”)
  3. Add CSS:
    #login-buttons .btn.btn-social.saml {
        display: none; /* plugin incompatible with multisite */
    }
  4. Apply the component to all themes.

Now the SAML button (which does not work on this instance) remains out of view.
