As an admin, I want to be able to invite non-registered users to my Discourse site that uses SSO for authentication so that they can be added to a group on account creation.
Currently, there is no way to specify user groups to which a user should belong before creating them. Well, actually, there is – inviting users. But if a Discourse installation uses SSO, the invitation system is disabled. As a result, I have to wait for users to first manually sign in via SSO before I can add them to groups. This creates a two-step effort to get users access to the content they need right away, introduces unnecessary delay, and leaves a bad first impression of Discourse for those users.
Ultimately, it seems like the invitation system needs to be made compatible with SSO.
I don’t really understand how this would work. Since the parent site has to create the account before it is handed to us, how exactly does an invitation URL work in that scenario? Can you describe how it would work, step by step starting with how the URL is formed in the email invite?
I am sympathetic to @downey’s original request here. Its less about invitations and more about “pre-staging” of particular emails into a group. It can be technically done but requires a new place to store this information.
I guess
On discourse side we store a directive saying that bob.bob@gmail.com goes in the “superman” group
After sign in from sso we trigger a group refresh if its meets 1)
Don’t we already have this “if the user is in a certain email domain and their email is verified, add them to the X group” feature? I am pretty sure we do, it is an option in the groups edit dialog.
Would it be simpler to support upload of a list of email addresses or usernames that need to be in a specific group? Say “these 50 random emails in this file, if matching existing accounts, need to be in the X group”.
Maybe if you could add email addresses to a group as well as usernames.
The motivation for this option is that there are some features missing in Discourse when SSO is enabled, most notably to invite someone by email (not only by username) at the end of the topic. In this scenario, when you enter an email to the invite field, Discourse will send an email to the invited person with a link to the external registration system (not to itself) combined with your username as a part of that url. After that SSO can pass to Discourse a field “invitedby” which will contain the same username.
But on second thought, there are too many parameters for it which are depending on an external system, so maybe it’s better not to implement it in Discourse itself, but in a plug-in.
This would be great. I’m just in the process of activating a new, only-visible-to-group, category on our forum, and the rest of the forum is largely irrelevant to the target group here. (So it’s suboptimal to tell them first to go sign up on the forum, because it will give them the “wrong” idea initially of what the forum is about - but that’s the necessary workflow right now)
Is this a planned feature?
Sure I totally support adding that. Semantics are a bit tricky though … something like:
groups:a,b,c
The tricky thing semantically is how to “remove” users from the groups if you sync SSO?
Perhaps couple an optional setting of “sso_allowed_groups” that lists the groups that are “settable” via sso. Then when you specify groups we can also ensure you are not mistakenly in any other sso_allowed_groups
I have OKTA setup as my SSO provider for authentication. OKTA connects to my company’s active directory environment and so I decided to use PowerShell to make scheduled tasks pre-staging users, placing them into groups, and also making them watchers of categories based on what group they are in.
I’ll share with you some of the PowerShell Snippets I have
Here are some Utility functions
Here is what I use for pre-staging users, the utility script gets called to this.
If the user already exists, Discourse won’t create another one. I might utilize my pgSQL connection to check if the user exists before calling the user creation.
And here is my group sync with AD groups
Probably not the most efficient script but it works well.