Unless the default WordPress New User Notification email is sent as a part of your WordPress registration process, the plugin sets the SSO parameter require_activation to true. There is a hook that you can use to bypass this. The hook is called discourse_email_verification. It passes two parameters:
$require_activation - whether or not the email address has been validated by WordPress
$user - the WordPress user object
If you want to disable email validation for all users, then you don’t need to use the parameters. You can add something like this to your theme’s functions.php file or a plugin:
Note: don’t use this unless you know that your users’ email addresses are valid.
// Returning false disables the Discourse activation requirement for every user.
add_filter( 'discourse_email_verification', 'wpdc_custom_disable_email_verification' );
function wpdc_custom_disable_email_verification() {
    return false;
}
Before you add the code, you need to be sure that email addresses are being verified when users create an account on your WordPress site. If you are sure that emails are being verified, then all you need to do is copy the above code into your theme’s functions.php file.
If you are not sure about this, it’s best to either leave things as they are, or to use the default WordPress login system. If you use the default WordPress login system, the WP Discourse plugin will recognize that users’ email addresses are verified and will not require an activation email to be sent when users first log in to Discourse.
I am using SSO through WordPress as well as the WordPress login. However, once a user logs in for the first time, Discourse requires them to approve their email when they try and access the forum part of the site. I’ve looked around but can’t find a solution besides removing the email verification altogether.
If this is the registration process you are using, then users should not be having to verify their email address before first logging into Discourse.
There are quite a few front-end registration plugins for WordPress that will create an account and automatically log in a user without requiring the user to verify their email address. WooCommerce is an example of a plugin that does this. This can be a security risk for Discourse.
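Added example, not part of the original posts or the WP Discourse plugin's own code: a version of the filter that uses both parameters, so activation is skipped only for accounts the site has verified itself. The function name and the `wpdc_example_email_verified` user meta key are hypothetical; the sketch assumes your own registration flow writes that flag after the user follows a confirmation link.

```php
<?php
// Added example. Accept both filter arguments (priority 10, 2 accepted args).
add_filter( 'discourse_email_verification', 'wpdc_example_conditional_email_verification', 10, 2 );

function wpdc_example_conditional_email_verification( $require_activation, $user ) {
    // Without a valid user object there is nothing to check,
    // so keep whatever the plugin already decided.
    if ( ! ( $user instanceof WP_User ) ) {
        return $require_activation;
    }

    // Hypothetical flag: assumed to be set to '1' by the site's own
    // confirmation-link handler once the address has been proven.
    $verified = get_user_meta( $user->ID, 'wpdc_example_email_verified', true );

    if ( '1' === (string) $verified ) {
        // This account's email was verified on the WordPress side,
        // so Discourse does not need to send an activation email.
        return false;
    }

    // Accounts created by a plugin that logs users in without verifying
    // their email keep the plugin's default behaviour.
    return $require_activation;
}
```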
@simon I will be trying this solution soon. But I am also having a problem with 2FA and SSO.
Do you know if there is a way to make all this work with 2FA (2-factor authentication)?
I have 2FA enabled for administrators only, but it creates a loop and admins cannot log in to wp-admin. For all other users, it works fine (but I don’t have 2FA for other users, only admins).
When I disable 2FA for the admins then they can sign in to back-end no problem.
The 2FA is being implemented through iThemes security.
Do you know if there is a way to fix this issue? I want to leave 2FA for all admins because they have access to back end.
And just for peace of mind, I want to mention that the only reason I am doing this is because I have SSO activated through WordPress and WordPress is doing the email verification in addition to that. In addition, I also disabled public registrations meaning that the only way to create an account is through WordPress.
Having extra security for admins could be a good idea. There have been issues reported previously about conflicts between the iThemes Security plugin and WP Discourse SSO. I’d like to try it out to see if it can be made to work. I’ll let you know what I find.
On the Discourse end, all you need to do is select the ‘enable sso’ Site Setting. When that setting is enabled, Discourse only allows accounts to be created through SSO.
Thank you so much @simon for splitting the topic to keep each issue separated.
When it comes to this:
I see you mentioned “that it could be good idea”…
Is this not standard practice in the WordPress world?
I just ask because I may just simply be overkilling it in the security aspect. I am truly not sure if that is standard practice. I am used to 2FA everything in my path since my previous job was security analyst for digital fraud operations at one of the largest banks in the US so I just want to protect as much as possible. But it may be that I just have security paranoia and need to ease up a bit. I still have 2 different offsite backups and other security settings through iThemes.
for this:
Thanks so much! I appreciate you taking the extra time to look into this. Please do let me know, I am interested in seeing what you find out.
Finally for this:
I will recheck my settings to go with your suggestions.
Thanks so much for all your help. This community is truly a lifesaver!
I have tested this with the MiniOrange Google Authenticator plugin. I’m not having any trouble with SSO login when I have to enter an authentication code before logging into WordPress. It could be that there is an issue specific to the iThemes Security plugin. I’d like to test that out, but the plugin requires signing up for a yearly subscription.
I’ll test this with any up-to-date security plugins that can be installed free of charge.