Discourse SSO Provider doesn't redirect to return_sso_url as user logs in with custom SSO

As far as I know, the same problem has been mentioned two times, and was said to have been fixed in 2018 (Discourse doesn't redirect to return_sso_url after user logs in on private site) and in 2015 (Login redirect during sso provider login). But I am still facing the same issue.

I have installed Discourse in our organization. We have our own user accounts database, so we use our custom-made SSO login website to allow users to log in to Discourse, following the instructions in DiscourseConnect - Official Single-Sign-On for Discourse (sso). It works well.

Then, we also have WordPress, Rocket Chat and a custom-made Tornado web app. They depend on Discourse as the SSO provider.

For WordPress, we are using wp-discourse. For Rocket Chat and the Tornado web app, we have followed the instructions in Using Discourse as an identity provider (SSO, DiscourseConnect).

The login flow works well if the user has already logged in to Discourse. However, if the user has not already logged in to Discourse, none of the login flows of the services (e.g. WordPress/Rocket Chat/Tornado web app) works well. When a user tries to log in to WordPress, Rocket Chat or the Tornado web app, they are redirected to discourse.com/login. Then, the user clicks the login button, which redirects the user to our custom SSO site. There they perform a login, after which they are redirected to discourse.com, but not to the desired service (e.g. WordPress, Rocket Chat or Tornado web app).

Just a little side track: the wp-discourse Sync Logout with Discourse function does not work. When a user logs out of WordPress, they remain logged in to Discourse.

I have been facing this issue for several months, across several Discourse updates. Now I am seeking help. Please let me know if any details are needed.

My current workaround is, instead of redirecting the user to /session/sso_provider, to redirect them to /session/sso?return_path=customurl. The downside is that it always asks the user to log in even if they have already logged in to Discourse.

2 Likes

During the custom SSO login, the login app actually reads and extracts the return_sso_url from the cookie sso_payload. That return_sso_url is embedded in the SSO payload that is sent to /session/sso_login?. I could actually observe in /logs that return_sso_url was correctly set, but the redirection was not observed. Below I am pasting the log:

add_groups:
admin:
moderator:
avatar_force_update:
avatar_url:
bio:
card_background_url:
email: xxx@xxx
external_id: 42
groups:
locale:
locale_force_update:
logout:
name: xxx
nonce: b4c758723a8abf665b079dc41a585dbc
profile_background_url:
remove_groups:
require_activation:
return_sso_url: https://customurl
suppress_welcome_message:
title:
username: xxx
website:
location:

1 Like
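
Added example (not part of the original posts, and not Discourse's or the poster's code): a small Python helper for checking, on the custom SSO site's side, which nonce and return_sso_url are really inside the signed payload before it is sent to /session/sso_login. It assumes the DiscourseConnect format (URL-encoded fields, base64-encoded, signed with hex HMAC-SHA256 over the base64 text); the function names, the secret, the sample field values and the host allowlist are hypothetical.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlparse


def sign(payload_b64: str, secret: str) -> str:
    """Hex HMAC-SHA256 over the base64 text, as DiscourseConnect signs it."""
    return hmac.new(secret.encode(), payload_b64.encode(), hashlib.sha256).hexdigest()


def build_payload(fields: dict, secret: str) -> tuple:
    """Return (sso, sig) for a dict of payload fields."""
    sso = base64.b64encode(urlencode(fields).encode()).decode()
    return sso, sign(sso, secret)


def verify_and_decode(sso: str, sig: str, secret: str) -> dict:
    """Check the signature in constant time, then decode the fields."""
    if not hmac.compare_digest(sign(sso, secret), sig):
        raise ValueError("signature mismatch")
    raw = base64.b64decode(sso).decode()
    return {k: v[0] for k, v in parse_qs(raw, keep_blank_values=True).items()}


def check_response(sso, sig, secret, expected_nonce, allowed_hosts) -> list:
    """List problems with a login response; an empty list means it looks sane."""
    fields = verify_and_decode(sso, sig, secret)
    problems = []
    if fields.get("nonce") != expected_nonce:
        problems.append("nonce does not match the one issued for this login")
    target = urlparse(fields.get("return_sso_url", ""))
    if target.scheme != "https" or target.hostname not in allowed_hosts:
        problems.append("return_sso_url is not an allowed https destination")
    return problems


# Constructed sample values, shaped like the logged payload above.
SECRET = "constructed-secret"
SSO, SIG = build_payload(
    {"nonce": "constructed-nonce", "external_id": "42",
     "email": "user@example.invalid", "return_sso_url": "https://customurl"},
    SECRET,
)

if __name__ == "__main__":
    print(verify_and_decode(SSO, SIG, SECRET))
    print(check_response(SSO, SIG, SECRET, "constructed-nonce", {"customurl"}))
```

Because return_sso_url here is read back from a cookie, checking its host against a fixed allowlist before signing keeps the login app from redirecting to a destination it never intended.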