Invitations should be compatible with SSO

As an admin, I want to be able to invite non-registered users to my Discourse site that uses SSO for authentication so that they can be added to a group on account creation.

Currently, there is no way to specify user groups to which a user should belong before creating them. Well, actually, there is – inviting users. But if a Discourse installation uses SSO, the invitation system is disabled. As a result, I have to wait for users to first manually sign in via SSO before I can add them to groups. This creates a two-step effort to get users access to the content they need right away, introduces unnecessary delay, and leaves a bad first impression of Discourse for those users.

Ultimately, it seems like the invitation system needs to be made compatible with SSO.

Maybe this can be implemented in the same way as other SSO features: with a link to the resource which is providing “invites”?

At the moment we have two following SSO “plug-ins”:

• sso not approved url
• logout redirect

Hence, there can be an invite url for external invite system?

I don’t really understand how this would work. Since the parent site has to create the account before it is handed to us, how exactly does an invitation URL work in that scenario? Can you describe how it would work, step by step starting with how the URL is formed in the email invite?

I am sympathetic to @downey’s original request here. Its less about invitations and more about “pre-staging” of particular emails into a group. It can be technically done but requires a new place to store this information.

I guess

1. On discourse side we store a directive saying that bob.bob@gmail.com goes in the “superman” group
2. After sign in from sso we trigger a group refresh if its meets 1)

Its tricky but doable.

Don’t we already have this “if the user is in a certain email domain and their email is verified, add them to the X group” feature? I am pretty sure we do, it is an option in the groups edit dialog.

We have

But its not quite targeted enough (covers a domain, not an individual user’s email) and would be a nightmare to maintain this way.

Would it be simpler to support upload of a list of email addresses or usernames that need to be in a specific group? Say “these 50 random emails in this file, if matching existing accounts, need to be in the X group”.

Maybe if you could add email addresses to a group as well as usernames.

Sure, this could work, but we would need a new UI for this.

This functionality would suit us very well, although polling an external file/db for those emails would be more flexible.

The motivation for this option is that there are some features missing in Discourse when SSO is enabled, most notably to invite someone by email (not only by username) at the end of the topic. In this scenario, when you enter an email to the invite field, Discourse will send an email to the invited person with a link to the external registration system (not to itself) combined with your username as a part of that url. After that SSO can pass to Discourse a field “invitedby” which will contain the same username.

But on second thought, there are too many parameters for it which are depending on an external system, so maybe it’s better not to implement it in Discourse itself, but in a plug-in.

Can’t SSO specify Discourse group membership these days? If so I think the original idea is no longer relevant.

Nope. Only admin / moderator

This would be great. I’m just in the process of activating a new, only-visible-to-group, category on our forum, and the rest of the forum is largely irrelevant to the target group here. (So it’s suboptimal to tell them first to go sign up on the forum, because it will give them the “wrong” idea initially of what the forum is about - but that’s the necessary workflow right now)
Is this a planned feature?

We now have this feature!

https://meta.discourse.org/t/bulk-add-to-group/34979

Are there any plans to support specifying groups via SSO?

Sure I totally support adding that. Semantics are a bit tricky though … something like:

groups:a,b,c

The tricky thing semantically is how to “remove” users from the groups if you sync SSO?

Perhaps couple an optional setting of “sso_allowed_groups” that lists the groups that are “settable” via sso. Then when you specify groups we can also ensure you are not mistakenly in any other sso_allowed_groups

Maybe better to list out the SSO group memberships in the sign in payload like this:

...
"group_memberships":
  {
    "group_a": true,
    "group_b": false
  }
...

That way listed memberships are updated, but unlisted memberships are not touched.

So I’ll share with you guys what I am doing.

I have OKTA setup as my SSO provider for authentication. OKTA connects to my company’s active directory environment and so I decided to use PowerShell to make scheduled tasks pre-staging users, placing them into groups, and also making them watchers of categories based on what group they are in.

I’ll share with you some of the PowerShell Snippets I have

Here are some Utility functions

Here is what I use for pre-staging users, the utility script gets called to this.

If the user already exists, Discourse won’t create another one. I might utilize my pgSQL connection to check if the user exists before calling the user creation.

And here is my group sync with AD groups

Probably not the most efficient script but it works well.

Finally, I have a Discourse plugin that runs every 24 hours to make sure users remain watching a category even if they change it back to normal.
https://github.com/jaredneedell/discourse-watch-category-mcneel/blob/master/plugin.rb

Are you using OKTA for SSO w/ Discourse too? What was involved in getting that set up?

Yeah, we had pay for professional services to set it up