Groups not being added to new users

SwisherSweet · July 30, 2017, 4:00pm

I have implemented SSO in ASP.net MVC using the sample code on this site as a guide.

The SSO authentication feature works great, however my group membership is not working.

Here’s the relevant code:

string returnPayload = "nonce=" + Server.UrlEncode(nonce) +
                        "&email=" + Server.UrlEncode(email) +
                        "&external_id=" + Server.UrlEncode(externalId) +
                        "&username=" + Server.UrlEncode(username) +
                        "&bio=" + Server.UrlEncode(bio) +
                        "&avatar_url=" + Server.UrlEncode(avatar_url) +
                        "&name=" + Server.UrlEncode(name);

// process groups
if (CurrentUser.IsAdministrator)
{
    returnPayload += "&add_groups=admins,moderators,staff";
}
else if (CurrentUser.IsStaff)
{
    returnPayload += "&remove_groups=admins&add_groups=moderators,staff";
}

For us, Staff is similar to moderator and Admin is the highest privileged user. My goal is to remove any obsolete groups while adding appropriate groups.

When a user logs in, all the other attributes are set, but groups are not.

Am I removing and assigning groups correctly?

Is it possible to assign admin, moderator, and staff groups this way?

Thank you.

pfaffman · July 30, 2017, 5:05pm

No. You can’t pass automatic groups in the SSO payload (see AND NOT automatic in the code below).

https://github.com/discourse/discourse/blob/master/app/models/discourse_single_sign_on.rb#L113

I think you’ll either need to make your own custom group, which I don’t think will do what you want, assign admin/moderator rights in Discourse by hand (easiest if you don’t have lots and they don’t change often), or use API calls to manage those.

SwisherSweet · July 31, 2017, 12:23pm

Thank you, Jay.

So that I’m 100% clear, any group other than a custom groups is considered an automatic group and cannot be assigned via the add_groups using SSO.

I found this list of automatic groups:

2017-07-31_07-22-51

sam · July 31, 2017, 4:29pm

Yes, this feature is only intended for custom non automatic groups.

If you need to flag a user as admin or moderator you would use the dedicated flags:

https://github.com/discourse/discourse/blob/5012d46cbd3bcf79b7351f7d2d41003496a796c5/spec/models/discourse_single_sign_on_spec.rb#L102-L122

Topic		Replies	Views
SSO users aren't automatically added to email domain-based groups Bug	7	1659	July 5, 2018
Users are not added to the moderators groups when registering with SSO Bug sso , discourseconnect	3	2211	May 17, 2016
Automatically assigning users to a group Support	4	2066	January 28, 2019
Login for Staff and Moderators after enabling SSO Support	11	59	September 24, 2024
SSO groups without completely overriding Support	9	1514	January 8, 2021

Groups not being added to new users

Related topics