Discourse-saml + Okta endless redirect


#1

Hi there - I’m trying to get the discourse-saml plugin working with Okta; I’ve scoured the existing threads, and can’t seem to figure out what’s going on.

When I go to the login page, it prompts me to log in with my Okta credentials. Upon logging in, the page gets stuck in a loop between forums.trusa.io (the Discourse URL) and teamrubiconusa.okta.com (the Okta login).

Here’s how Okta is configured:

Here’s the Login settings in Discourse:

Here’s the app.yml settings:

The logs don’t show anything informative:

Halp! :confused:

@skoota - I saw you had some issues with the plugin, perhaps you might be able to lend a hand?

Thanks!


#2

Happy to help, as it took me a while getting this working too :slight_smile:

I think the issue could be the SSO configuration in the Discourse settings - remove all the custom configuration for SSO that you have made, as SSO is being handled by the plugin instead. This is what mine looks like:

…as you can see, nothing is enabled or configured.

Let me know how it goes!


#3

Thanks! That seems to fix the problem, although now it’s pulling in the wrong data for user email when a new user registers, and it won’t let the registration complete since there’s an invalid value in the email field, which isn’t editable :\

I appreciate the help! Trying to debug the email issue now, will post back with any updates.


#4

No worries. That sounds like a problem on the SAML provider end of things. Let me know how you get on.


#5

I made a workaround by forking the plugin and changing the email value in plugin.rb to an attribute that Okta sends:

```ruby
result.email = auth[:info].email || uid
if auth.extra.present? && auth.extra[:raw_info].present?
  result.email = auth.extra[:raw_info].attributes['screenName']
end
result.email_valid = true
```

Not the best solution, but works for now :stuck_out_tongue:


#6

So it’s now pulling in the correct data for the email field, but gives “Something went wrong” when the user proceeds to create a new account.

The logs show an error with "Undefined method 'strip' in /app/controllers/users_controller" at line 311, and I think it’s because strip expects a string, and it’s getting an object. But if I add .to_s to result.email = auth.extra[:raw_info].attributes['screenName'], the new user’s email shows up as ["jeremy.miller+test@teamrubiconusa.org"] so that’s not quite the right solution…

I’m not a Ruby or Rails developer, so I’m not sure the correct way to handle this; any thoughts?

Edit: turns out this is all I needed to do:

```ruby
result.email = auth.extra[:raw_info].attributes['screenName'].try(:first)
```
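
Added example, not part of the thread or of the discourse-saml plugin: a plain-Ruby sketch of the attribute handling discussed in posts #5 and #6, where a SAML attribute arrives as an Array and is used as a verified email. The helper names, the candidate attribute order and the sample values are assumptions made for illustration.

```ruby
# Constructed sample of what a SAML library may hand back: every attribute
# is an Array, even when the IdP sent a single value.
SAMPLE_ATTRIBUTES = {
  'screenName' => ['user+test@example.org'],
  'firstName'  => ['Sample']
}.freeze

# Deliberately loose shape check: one "@", no whitespace, a dot in the domain.
EMAIL_SHAPE = /\A[^@\s]+@[^@\s]+\.[^@\s]+\z/

# Collapse a possibly multi-valued attribute to one stripped String, or nil.
# Calling .to_s on the Array instead would yield '["user+test@example.org"]'.
def first_value(raw)
  value = raw.is_a?(Array) ? raw.first : raw
  value.is_a?(String) ? value.strip : nil
end

# Hypothetical helper. Tries the provider-supplied email first, then each
# candidate attribute in order. The address is only reported as valid when
# some value actually has the shape of an email, so a login name or an
# empty attribute never ends up flagged as a verified address.
def email_from_saml(attributes, info_email: nil, candidates: %w[email screenName])
  values = [first_value(info_email)]
  values.concat(candidates.map { |name| first_value(attributes[name]) })
  email = values.compact.find { |v| v.match?(EMAIL_SHAPE) }
  { email: email, email_valid: !email.nil? }
end

p email_from_saml(SAMPLE_ATTRIBUTES)
```
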


(Neil Lalonde) #7

Sorry for reviving an old topic… @runofthemill Isn’t this something that could have been fixed in the SAML application settings in Okta? Seems like Screen Name has email as the value.


#8

Thanks for the response @neil - we’ve shut down the forum this was in reference to, but if we revive it I will certainly check this out. =D