That’s generous of you @pfaffman but I’ve no budget unfortunately.
After making the post I found in the suggested articles this Disable DiscourseConnect post from 2019. Which is helpful with it’s clear process but I’m still lacking some base understanding of how it is functioning now.
I’m fairly confident that the login is not being redirected. The login page really appears to be just the vanilla discourse login flow with lots of discourse specific assets, data-exporters, scripts etc and even a console link to the specific commit of the forum we’re running.
Discourse v3.5.0.beta3-dev — Commits · discourse/discourse · GitHub — Ember v5.12.0
This makes me quite sure that Discourse is acting as its own source of truth for authentication.
What I’m not quite understanding is how or why the DiscourseConnect config is set to override email, username etc. from the external site but also the /session/sso_provider endpoint is enabled?.. isn’t that like having Discourse simultaneously abdicating responsibility for sign-on while also acting as a source of truth? Or am I missing a core piece of understanding / documentation in how DiscourseConnect’s SSO works?
Thanks everyone for helping my learning.