Interesting SSO and suspended user behaviour


(eriko) #1

So if you are using SSO to log in to a Discourse site and your account on the Discourse site is suspended, you get blocked in an odd way. Instead of hitting a “Your (sitename) account is suspended” page, you get bounced back through the SSO login link. This keeps redirecting until the browser errors out, with a different error depending on the browser.

It seems like this is not good behaviour.
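The loop described above, modelled as an added example (this is not Discourse's code and not the poster's setup). The payload and signature format follows the published DiscourseConnect scheme (base64 of a URL-encoded query string, HMAC-SHA256 of that base64 string in hex, a single-use nonce); the forum, parent-site endpoint, secret and user records are constructed for the example. The same `Forum` class is run in two modes: one that treats a suspended user's SSO return as an anonymous request and bounces them back to the parent site, which auto-approves an already-authenticated user and so produces the loop, and one that stops with a 403 suspended page.

```python
import base64
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from urllib.parse import parse_qs, urlencode, urlparse

# Shared secret and parent-site endpoint, constructed for this example.
SSO_SECRET = b"constructed-example-secret"
IDP_URL = "https://idp.example.edu/sso"
RETURN_URL = "https://forum.example.edu/session/sso_login"


def encode_payload(params: dict) -> str:
    """Base64 of a URL-encoded query string (DiscourseConnect payload shape)."""
    return base64.b64encode(urlencode(params).encode()).decode()


def decode_payload(payload: str) -> dict:
    return {k: v[0] for k, v in parse_qs(base64.b64decode(payload).decode()).items()}


def sign(payload: str) -> str:
    """HMAC-SHA256 over the base64 payload string, hex encoded."""
    return hmac.new(SSO_SECRET, payload.encode(), hashlib.sha256).hexdigest()


def verify(payload: str, sig: str) -> dict:
    """Constant-time signature check, then decode. Raises on a bad signature."""
    if not hmac.compare_digest(sign(payload), sig):
        raise ValueError("SSO signature mismatch")
    return decode_payload(payload)


@dataclass
class LocalUser:
    external_id: str
    username: str
    suspended: bool = False
    reason: str = ""


@dataclass
class Response:
    status: int
    location: str = ""
    body: str = ""


class Forum:
    """Minimal model of the forum side of the SSO login flow."""

    def __init__(self, users, show_suspended_page: bool):
        self.users = {u.external_id: u for u in users}
        self.nonces = set()            # nonces we issued and have not yet consumed
        self.show_suspended_page = show_suspended_page

    def start_login(self) -> Response:
        nonce = secrets.token_hex(16)
        self.nonces.add(nonce)
        payload = encode_payload({"nonce": nonce, "return_sso_url": RETURN_URL})
        query = urlencode({"sso": payload, "sig": sign(payload)})
        return Response(302, location=f"{IDP_URL}?{query}")

    def sso_login(self, sso: str, sig: str) -> Response:
        params = verify(sso, sig)
        if params.get("nonce") not in self.nonces:
            return Response(400, body="unknown or replayed nonce")
        self.nonces.discard(params["nonce"])          # single use
        user = self.users.get(params["external_id"])
        if user is None:                               # first visit: provision
            user = LocalUser(params["external_id"], params["username"])
            self.users[user.external_id] = user
        if user.suspended:
            if self.show_suspended_page:
                return Response(403, body=f"Your account is suspended: {user.reason}")
            # Loop behaviour: the refused login is handled like an anonymous
            # request, so the user is sent straight back to the parent site.
            return self.start_login()
        return Response(302, location="/")             # session established


def parent_site_responds(location: str, external_id: str, username: str) -> tuple:
    """Model the parent site auto-approving a user who is already signed in there."""
    query = {k: v[0] for k, v in parse_qs(urlparse(location).query).items()}
    request = verify(query["sso"], query["sig"])       # parent side verifies too
    payload = encode_payload({"nonce": request["nonce"], "external_id": external_id,
                              "username": username, "email": f"{username}@example.edu"})
    return payload, sign(payload)


def run_login(forum: Forum, external_id: str, username: str, max_hops: int = 5) -> Response:
    """Follow redirects between forum and parent site, giving up on a loop."""
    resp = forum.start_login()
    for _ in range(max_hops):
        if resp.status != 302 or not resp.location.startswith(IDP_URL):
            return resp
        sso, sig = parent_site_responds(resp.location, external_id, username)
        resp = forum.sso_login(sso, sig)
    return Response(508, body="redirect loop between forum and SSO")  # 508 Loop Detected


def demo() -> dict:
    users = [LocalUser("1001", "alice"),
             LocalUser("1002", "bob", suspended=True, reason="opted out of the commons")]
    return {
        "active": run_login(Forum(users, show_suspended_page=True), "1001", "alice").status,
        "suspended_loop": run_login(Forum(users, show_suspended_page=False), "1002", "bob").status,
        "suspended_fixed": run_login(Forum(users, show_suspended_page=True), "1002", "bob").status,
    }
```

`run_login` caps the hop count so the loop is detected and reported instead of recreating the browser's "too many redirects" failure; the nonce set also shows why a replayed SSO return fails with a 400 rather than silently logging the user in again.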


(Jeff Atwood) #2

Why would a user be suspended in Discourse, but not on the parent site? We defer to the parent site for user state.


(eriko) #3

I agree we are doing something odd. I just think it is a little buggy to have this trigger a redirect loop.

As usual we are oddballs :confounded:. The scenario we have is that some of our users (small college) are uncomfortable with the lack of anonymity in our commons (Discourse) setup. We put the person's first name on the user card. We do this to help raise the level of conversation, as it is clearer that they are not anonymous, even though they can change their display username but not their login username.

So we are looking at ways to allow these people to exit the commons. We are adding a setting in the source of SSO data that basically says “I do not want to be part of the commons”. This system is used to manage user accounts in Discourse. It creates, suspends, or deletes accounts based on a feed of data. In the case where they have not posted, we will delete their account. In the case where they have topics and replies, we suspend their account forever to preserve their topics and replies. In part the suspension is used to stop reactivation of their accounts if they follow a link to the commons and pass through SSO.


(Jeff Atwood) #4

Perhaps a better approach is to anonymize the account at that point (scroll down the user admin page, at the bottom, next to the delete button)? Then there’s no conflict with any existing user account?


(eriko) #5

Here is the dumb but valid reason I did not go that route. Over the period of 3 to 5 years the student may change their mind. I am loath to destroy the link between them and their data. That said, the more I think about it the more I like it.

Start digression
I should be clear that the automation is doing a bit more than creating/deleting accounts. It is also stuffing a true uid into the pluginstore to track who is actually who. Our usernames are unique to a person at a point in time but not over time, due to some bad decisions 15-odd years ago. Some of this will go away if we are successful at our third or fourth shot at replacing our home-grown identity management system with MIM. Each time we get scared of the rat's nest of consequences of those bad decisions and the work it will take to fix it. I think we finally have everyone at the necessary level of fear about the imminent collapse that we will actually fix it. End digression.