I have implemented SSO in ASP.NET MVC using the sample code on this site as a guide.
The SSO authentication feature works great, however my group membership is not working.
Here’s the relevant code:
```csharp
string returnPayload = "nonce=" + Server.UrlEncode(nonce) +
    "&email=" + Server.UrlEncode(email) +
    "&external_id=" + Server.UrlEncode(externalId) +
    "&username=" + Server.UrlEncode(username) +
    "&bio=" + Server.UrlEncode(bio) +
    "&avatar_url=" + Server.UrlEncode(avatar_url) +
    "&name=" + Server.UrlEncode(name);

// process groups
if (CurrentUser.IsAdministrator)
{
    returnPayload += "&add_groups=admins,moderators,staff";
}
else if (CurrentUser.IsStaff)
{
    returnPayload += "&remove_groups=admins&add_groups=moderators,staff";
}
```
For us, Staff is similar to moderator and Admin is the highest privileged user. My goal is to remove any obsolete groups while adding appropriate groups.
When a user logs in, all the other attributes are set, but groups are not.
Am I removing and assigning groups correctly?
Is it possible to assign admin, moderator, and staff groups this way?
Thank you.
pfaffman (Jay Pfaffman), July 30, 2017, 5:05pm, #2
No. You can’t pass automatic groups in the SSO payload (see AND NOT automatic in the code below).
https://github.com/discourse/discourse/blob/master/app/models/discourse_single_sign_on.rb#L113
I think you’ll either need to make your own custom group, which I don’t think will do what you want, assign admin/moderator rights in Discourse by hand (easiest if you don’t have lots and they don’t change often), or use API calls to manage those.
3 Likes
Thank you, Jay.
So that I’m 100% clear, any group other than a custom group is considered an automatic group and cannot be assigned via the add_groups using SSO.
I found this list of automatic groups:
1 Like
sam (Sam Saffron), July 31, 2017, 4:29pm, #4
Yes, this feature is only intended for custom, non-automatic groups.
If you need to flag a user as admin or moderator you would use the dedicated flags:
```ruby
it "can set admin and moderator" do
  admin_group = Group[:admins]
  mod_group = Group[:moderators]
  staff_group = Group[:staff]

  sso = DiscourseSingleSignOn.new
  sso.username = "misteradmin"
  sso.name = "Bob Admin"
  sso.email = "admin@admin.com"
  sso.external_id = "id"
  sso.admin = true
  sso.moderator = true
  sso.suppress_welcome_message = true

  user = sso.lookup_or_create_user(ip_address)
  staff_group.reload

  expect(mod_group.users.where('users.id = ?', user.id).exists?).to eq(true)
  expect(staff_group.users.where('users.id = ?', user.id).exists?).to eq(true)
  expect(admin_group.users.where('users.id = ?', user.id).exists?).to eq(true)
end
```
3 Likes
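The approach from the answers above, as an added example that is not code from this thread or from Discourse itself: the identity provider maps its own roles to the `admin` and `moderator` flags, keeps the automatic group names out of `add_groups`, and signs the result. The helper names, the user hash shape, the `support` group and all sample values are assumptions made for illustration; the Base64 payload with an HMAC-SHA256 signature is the usual Discourse SSO envelope.

```ruby
require "openssl"
require "uri"

# Automatic groups named in this thread; they cannot be set through add_groups.
AUTOMATIC_GROUPS = %w[admins moderators staff].freeze

# Constructed sample user (not real data): a site administrator whose local
# group list still contains automatic group names.
SAMPLE_USER = {
  email: "admin@example.com", external_id: "42", username: "misteradmin",
  administrator: true, staff: false, groups: %w[admins staff support]
}.freeze

# Build the unsigned payload fields. Privileges travel as the dedicated
# admin/moderator flags, computed server-side from the local role on every
# login; only custom group names are placed in add_groups.
def build_sso_fields(user, nonce)
  fields = {
    "nonce" => nonce,
    "email" => user[:email],
    "external_id" => user[:external_id],
    "username" => user[:username],
    "admin" => user[:administrator] ? "true" : "false",
    "moderator" => (user[:administrator] || user[:staff]) ? "true" : "false"
  }
  custom = Array(user[:groups]) - AUTOMATIC_GROUPS
  fields["add_groups"] = custom.join(",") unless custom.empty?
  fields
end

# Base64-encode the URL-encoded fields ("m0" is strict Base64, no newlines)
# and sign the encoded payload with HMAC-SHA256 using the shared SSO secret.
def sign_sso(fields, secret)
  payload = [URI.encode_www_form(fields)].pack("m0")
  { "sso" => payload, "sig" => OpenSSL::HMAC.hexdigest("SHA256", secret, payload) }
end

# Local round-trip check: recompute the signature, compare in constant time,
# and decode the fields only if the signature matches.
def verify_sso(params, secret)
  expected = OpenSSL::HMAC.hexdigest("SHA256", secret, params["sso"])
  return nil unless OpenSSL.secure_compare(expected, params["sig"].to_s)
  URI.decode_www_form(params["sso"].unpack1("m")).to_h
end
```

Because the flags sit inside the signed payload, the SSO secret is what protects admin assignment: anyone who can produce a valid signature can set `admin=true`.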