I have successfully configured the Discourse + Keycloak SSO + SAML plugin + OpenID Connect plugin bundle. There is only one thing that overshadows this beauty: logout.
I do a logout from the forum, the user is deauthorized, this part works fine.
Then I look at the open sessions on Keycloak - the session of the user who left the forum is not deleted.
I suspect this is due to the logout url settings. I just don’t know where - in Discourse or Keycloak.
Yes! It works fine! I want to clarify that it is necessary to set the openid_connect_rp_initiated_logout_redirect variable.
@david I have one more question. Important question.
Now I’m in the final stages of testing Keycloak SSO, I need to choose a protocol - SAML or Openid Connect.
I liked Openid Connect better, but right now I have found an annoying problem with creating new users when using Openid Connect.
To understand the problem, I’ll start from the other side. When a new forum user is created using SAML, the user is created in SSO and transparently submitted for creation in Discourse. And it is immediately activated - this is important!
That is, when I click “Sign Up” on the Discourse forum, I go to Keycloak, where I create a user, confirm his mail, etc. After that, I am moved to the Discourse forum, where the user has already been created and ACTIVATED, automatically:
This is extremely inconvenient! What for? After all, the user’s mail has already been confirmed when creating an account on SSO. Is there any way to get rid of this window?
If that message is showing for OpenID Connect then it means that the identity provider passed an email_verified: false message to Discourse. If you enable the verbose debugging setting, it will print all the authentication data to /logs for you to examine. Hopefully there is some way to tell keycloak to pass the verification state properly.
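To make the rule in the reply above concrete, here is an added illustration (not the Discourse plugin's own code, and not Keycloak's): it reads the claims out of an ID token and decides whether the provider's `email_verified` claim justifies skipping the "confirm your email" step. The function names, the sample tokens and the placeholder signature are all constructed for this example; a real client verifies the token signature against the provider's JWKS before trusting any claim, which this decoder deliberately does not do.

```python
import base64
import json


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWS (header.payload.signature).

    The signature is NOT checked here. A real relying party validates it
    (and iss/aud/exp) against the provider's published keys before any
    claim is trusted; this helper only shows what the claims look like."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def activation_decision(claims: dict) -> tuple:
    """Decide whether an account created from these claims may skip email
    confirmation. Only a boolean true email_verified on a non-empty email
    counts; false, a missing claim, or a string "true" all fall back to
    confirmation, which is the safe default when the provider is unclear."""
    email = claims.get("email")
    verified = claims.get("email_verified")
    if not isinstance(email, str) or not email:
        return (False, "no email claim: cannot activate")
    if verified is True:
        return (True, f"{email} verified by provider")
    if verified is False:
        return (False, f"{email}: provider reported email_verified=false")
    return (False, f"{email}: email_verified missing or not boolean ({verified!r})")


def demo_token(claims: dict) -> str:
    # Constructed token for the demo only: real header shape, placeholder signature.
    header = _b64url_encode(json.dumps({"alg": "RS256", "kid": "demo"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.placeholder-signature"


# Constructed sample tokens covering the cases a provider can produce.
SAMPLE_TOKENS = {
    "verified": demo_token({"sub": "u1", "email": "alice@example.com", "email_verified": True}),
    "unverified": demo_token({"sub": "u2", "email": "bob@example.com", "email_verified": False}),
    "missing": demo_token({"sub": "u3", "email": "carol@example.com"}),
    "string": demo_token({"sub": "u4", "email": "dan@example.com", "email_verified": "true"}),
}


if __name__ == "__main__":
    for name, tok in SAMPLE_TOKENS.items():
        ok, why = activation_decision(jwt_claims(tok))
        print(f"{name:10s} activate={ok} ({why})")
```

Run it and the "unverified", "missing" and "string" cases all fall back to confirmation; only the boolean `true` case activates. The "string" case is the one worth watching when comparing the verbose log output mentioned above: a mapper that emits `"true"` as text instead of a JSON boolean still looks verified to the eye but is not.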
As long as you’re 100% sure that Keycloak has verified the emails, that’s fine. If the emails aren’t verified, doing that will open up your Discourse site to attackers.
I’m not familiar with Keycloak, but either approach sounds fine. If you later want to have separate access controls for each forum, having them as separate clients might make that easier