Google Auth for invited users only

We want the only way to log in to be via Google Auth, but we also need to not allow anyone in our domain to get access. We need to add their email and the permissions they need, and then they can log in using Google Auth. What we are finding now is that if I am added as a user I must register with a password first, which is what we don’t want; just Google Auth.

We whitelisted domains that are allowed for the system, but not all users in those domains are meant to have Discourse access.

How do you see this working? How big is the list of allowed email addresses and how often does it change?

Admin adds user to the accounts list with a corporate email and given appropriate permissions.
User then attempts to sign in using Google. Their email matches one that exists on accounts. User logs in successfully. Else, user email does not match and user is not allowed to log in.

Even better is to have a SAML integration. Slack has a great G Suite integration for example with JIT provisioning. https://get.slack.help/hc/en-us/articles/204078066-G-Suite-single-sign-on#provisioning-and-deprovisioning

Support for SCIM alongside that would be great.
https://tools.ietf.org/html/rfc7643

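SAML authentication does exist, but because it is complex to configure and every SAML instance has its own peculiarities, it is only included in our enterprise hosting tier.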