External SSO External ID not recognised

If following two users with correct nonce are passed to Discourse site, they are always logged onto a single account.

Verbose SSO log: User was logged on forum-u3

nonce: 60a17e6704b8b7a8e1603822ab99f2d6
name: Darryn Goble
username: Forum-u1
email: darryn@example.com
avatar_url: 
avatar_force_update: 
require_activation: 
bio: 
external_id: qatest_1947
return_sso_url: 
admin: 
moderator: 
suppress_welcome_message: 
title: 
add_groups: 
remove_groups: 
groups: 
Verbose SSO log: User was logged on forum-u3

nonce: 0c9f10fbc15ccb99aeef41eb95dbdeae
name: Darryn Goble
username: Darryn
email: darryn@example.com
avatar_url: 
avatar_force_update: 
require_activation: 
bio: 
external_id: qatest_54
return_sso_url: 
admin: 
moderator: 
suppress_welcome_message: 
title: 
add_groups: 
remove_groups: 
groups: 

We have the following setup for SSO:

How do we get Discourse to create separate users since they have separate external_id in our system ?

Well we key on email as well, so if you send us the same email address we automatically take over the account.

Sounds to me like you have untrusted emails in your sso origin. Is that the case?

3 Likes

Yeah, we don’t really validate user emails.

I think in that case we might be better off not sending emails & rely only on the external_id , would that work?

Oh, this is a big problem, sso is not what you want to use without emails. Instead you would use oauth2 or saml so the user can complete the auth flow and provide/validate an email when registering.

4 Likes

Yeah, I get what you mean.

I think for now we will keep it as it is & have them converge to the same user.

Thanks for confirming it. :+1:

I would be very careful handing out in unvalidated emails, people can hijack admin accounts that way, it is hugely risky.

5 Likes

@aseemc please take note of the warning below the ‘Enable SSO’ checkbox:

(WARNING: USERS’ EMAIL ADDRESSES MUST BE VALIDATED BY THE EXTERNAL SITE!)

5 Likes