If SSO login fails can I redirect to any 'safe' page on Discourse?

(Ben M) #1

Some background: I’m using Active Directory to authenticate users in my SSO implementation. This all works fine, but if a user tries and fails to authenticate, I’d like to redirect them to some page on the forums that doesn’t let them see anything.

This is vital in my case: since I have login required set to true, redirecting them back to any page on Discourse currently causes them to be sent to /session/sso again (and the loop repeats ad infinitum).

Are there any solutions that don’t involve me having to host my own page (I don’t want to show the URL of my SSO implementation in the unauthenticated user’s browser if I can possibly help it)? I suppose I’m looking for a ‘safe’ page on Discourse that non-authenticated users can see.

EDIT: the problem is really down to unauthorized users. See my comment below.

(Michael Downey) #2

Wouldn’t you want to redirect them to the login form again with an error message so they can try again? It seems like it’d be annoying otherwise, for people who type a password wrong.

(Ben M) #3

Sorry, I didn’t get my terminology right!

I’m using NTLM authentication and most of my users are using IE, so the credential handshake happens with no form visible to the user. So everyone on the LAN can get authenticated, but not everyone is authorized (which I should have been clear about!). So if you fail to authorize, where can I send the user? Ideally it would be to a page saying “Sorry you are not authorized to connect to these forums” or similar.

(Kane York) #4

There isn’t one of those on Discourse; /404 or /403 will still send you to /login. I guess you could send them a data: URI?

(Ben M) #5

Good idea! I’ll give that a go.

(Ben M) #6

Tried that but it’s not a good experience. The address bar will just look confusing to end-users.