Issue: SAML, anonymized user and blocked

Steps to reproduce:

  • User A, a SAML user, exists
  • Admin wants User A to no longer be able to use Discourse
  • Admin uses the “anonymize user” function for user A (all entries are now anonymized => that's good)
  • Admin wants to block further access of user A and therefore wants to block him (block user function)

Note: the user was not removed from SAML server and is still active

Expected:
Even though the user still exists on the SAML server, the user should not be able to log in because he/she is blocked.

Current behavior:
The user is able to log in.

Have you tried suspending the user account within Discourse?

Sorry, instead of “block” I mean “suspend”.
Yes, I tried this.

The issue is that the user gets anonymized and therefore the username changes. I guess SAML doesn't recognize this and adds a new user because SAML cannot find the user by its username (because the user was anonymized before).

I guess, discourse-saml tries to find the user based on the username at https://github.com/discourse/discourse-saml/blob/230a58b2d86465ec8aa75fb755558d4fdda73773/lib/saml_authenticator.rb#L96

I think there needs to be a way to match an anonymized user with the SAML user data. Does someone know how and which attribute to validate?

Sorry for bumping, but we are facing exactly this problem.

  • Users only log in through the SSO provider.
  • UserA is blocked from the forum, but not from the SSO.
  • UserA requests user data deletion, so we anonymize the account.
  • UserA is able to create a new account using SSO login.

Is there a way to manually suspend an email without an account?

Just suspend the new account?


Yeah, you don't want the user to have the chance to interact with the forum, and you don't want to constantly monitor who the new users are.

There should be a way to suspend emails, the same way you can block IPs.

It sounds as though you don’t understand how to handle user-requested deletions and when/where it doesn’t apply.

When a user signs up for your site you have the right to process their provided information (email and username) for the purpose of the registration. That processing doesn’t end when they are suspended and try to leave, taking their toys with them.

You aren’t obligated to remove the email of a banned or suspended user. The right to be forgotten doesn’t supersede the processing purpose.

And how is that compatible with the GDPR and the right of users to ask for their data deletion?

If you keep their account, this is still associated with their data and you keep their information even when they have requested a user data deletion.

Honestly asking, I’m no legal expert.

The user can withdraw their consent for the processing of personal data, but consent is only one of the grounds that can make data processing legal under the GDPR.

Another ground can be the legitimate interest of the controller (article 6.1, f: processing is necessary for the purposes of the legitimate interests pursued by the controller). Such a legitimate interest can be making sure the user cannot create a new account. Otherwise the user could misuse the GDPR to have all records erased, including the fact that they have misbehaved.

GDPR article 17, emphasis mine.

  1. The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies: (…)
    the data subject withdraws consent on which the processing is based (…) and where there is no other legal ground for the processing;

Which basically means: yes, the forum has to remove the user's data upon their request, but since the forum has suspended the user they need a way to make sure that the user does not create a new account, so they have a good reason to keep the email address of the suspended user on file, despite the request of the user.

One way to do this in Discourse is to anonymize the (already suspended) user and then change the anonymized email address back to their real email address. You might also want to keep their registration IP, based on the same ground, and add it to the block list.
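The following is an added example, not code from Discourse or discourse-saml: a minimal Ruby model of the failure described earlier in the thread (the SSO lookup keyed on a username that anonymization has changed, so a suspended user gets a fresh account) and of the workaround above (keep the real email on the suspended record and match on it first). The user store, the two lookup functions and the anonymization rules are assumptions made for the illustration, not Discourse's internals.

```ruby
# Added example: models the anonymize-then-SSO-login problem from this thread.
# Not Discourse or discourse-saml code; the store and matching rules are assumed.
require 'securerandom'

User = Struct.new(:username, :email, :suspended, keyword_init: true)

class UserStore
  attr_reader :users

  def initialize
    @users = []
  end

  def add(user)
    @users << user
    user
  end

  def find_by_username(name)
    @users.find { |u| u.username == name }
  end

  def find_by_email(email)
    @users.find { |u| u.email.casecmp?(email) }
  end
end

# Anonymization as the thread describes it: username changes and the email is
# replaced with a throwaway address, so nothing links the record to the SSO identity.
def anonymize!(user)
  user.username = "anon#{SecureRandom.hex(4)}"
  user.email = "#{user.username}@anonymized.invalid"
  user
end

# Assumed model of the problem: lookup keyed on the SSO username only. After
# anonymization the suspended record is not found and a fresh account is created.
def sso_login_by_username(store, sso_username, sso_email)
  user = store.find_by_username(sso_username)
  user ||= store.add(User.new(username: sso_username, email: sso_email, suspended: false))
  user.suspended ? :denied : :allowed
end

# Workaround from the last post: put the real email back on the suspended,
# anonymized record, and let the login match on email before username.
def restore_real_email!(user, real_email)
  user.email = real_email
  user
end

def sso_login_by_email_first(store, sso_username, sso_email)
  user = store.find_by_email(sso_email) || store.find_by_username(sso_username)
  user ||= store.add(User.new(username: sso_username, email: sso_email, suspended: false))
  user.suspended ? :denied : :allowed
end
```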