I’ve set up my instance of discourse to use SSO with my own external site for authentication purposes. This is working as expected and I have no issues with it. Getting it set up was easy. Great work!
My goal with using SSO is to always have the users of my discourse forum (1) create their discourse user accounts via SSO’ing via my external site and (2) only use SSO to log on. I also want my external site to be the only place where users can change their email and user name, so I have also set “sso_overrides_email” to true, “sso_overrides_username” to true, and “email_editable” to false. This is all working as expected.
The whole notion of invites in discourse (at least as they are currently implemented) doesn’t play nicely with discourse as I have set it up. As an admin, moderator, or user with a trust level greater than two, a user can send invites out to any email address. When the link in these invites is used, a user account is then auto-generated for that email on my discourse instance, but this is bad since no corresponding user with that email address is guaranteed to be already created on my external site (that is used for SSO).
There are most likely multiple solutions for this, but what would likely be easiest to implement (and totally A-OK for my needs) would be a simple “Disable Invites” checkbox in the admin User settings.
One last note:
I read on a semi-related thread that one could disable invites by enabling “must_approve_users”, but that doesn’t work in my case for two reasons. (1) When “must_approve_users” is enabled, if a user tries to log in via SSO for the first time, they are just dropped back on the discourse page and are not logged in. There is no notification that they just had their account created and an admin now must activate their account. (2) For our situation, we don’t want to have to activate each and every user. Anyone with an account on our external site should be allowed to have an account on our discourse instance.