I have successfully configured the Discourse + Keycloak SSO + SAML plugin + OpenID Connect plugin bundle. There is only one thing that overshadows this beauty - it is logout.
I do a logout from the forum, the user is deauthorized, this part works fine.
Then I look at the open sessions on Keycloak - the session of the user who left the forum is not deleted.
I suspect this is due to the logout URL settings. I just don’t know where - in Discourse or Keycloak.
Yes! It works fine! I want to clarify that it is necessary to set the openid_connect_rp_initiated_logout_redirect variable.
@david I have one more question. Important question.
Now I’m in the final stages of testing Keycloak SSO, I need to choose a protocol - SAML or OpenID Connect.
I liked OpenID Connect better, but right now I have found an annoying problem with creating new users when using OpenID Connect.
To understand the problem, I’ll start from the other side. When a new forum user is created using SAML, the user is created in SSO and transparently submitted for creation in Discourse. And it is immediately activated - this is important!
That is, when I click “Sign Up” on the Discourse forum, I go to Keycloak, where I create a user, confirm his mail, etc. After that, I am moved to the Discourse forum, where the user has already been created and ACTIVATED, automatically:
If that message is showing for OpenID Connect then it means that the identity provider passed an email_verified: false message to Discourse. If you enable the verbose debugging setting, it will print all the authentication data to /logs for you to examine. Hopefully there is some way to tell Keycloak to pass the verification state properly.
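To see what the verbose log is telling you, the following added example (my own illustration, not code from the Discourse plugin or from this thread) decodes the claims segment of an ID token and applies an assumed activation rule matching the reply above: auto-activate only when the identity provider asserts email_verified as the JSON boolean true. The token is a constructed sample with a placeholder signature; nothing is cryptographically verified, so use it only on tokens copied from your own auth log.

```python
import base64
import json


def b64url(obj: dict) -> str:
    """base64url-encode a JSON object without padding, as JWT segments are."""
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


# Constructed sample ID token: header, claims, placeholder signature.
# The claims mirror what a Keycloak client might send when the user's
# e-mail has not been marked verified (email_verified is the boolean false).
SAMPLE_ID_TOKEN = ".".join([
    b64url({"alg": "RS256", "typ": "JWT"}),
    b64url({"sub": "1234", "email": "alice@example.invalid",
            "email_verified": False}),
    "placeholder-signature",
])


def id_token_claims(id_token: str) -> dict:
    """Decode the claims segment for inspection only; no signature check."""
    segments = id_token.split(".")
    if len(segments) != 3:
        raise ValueError("not a compact JWS: expected 3 dot-separated segments")
    payload = segments[1] + "=" * (-len(segments[1]) % 4)  # restore padding
    return json.loads(base64.urlsafe_b64decode(payload))


def activation_decision(claims: dict) -> str:
    """Assumed rule: activate only on a real boolean true for email_verified.

    A string "true"/"false" usually means a protocol mapper is emitting the
    claim with the wrong JSON type; a missing claim means the mapper is not
    enabled for this client at all. Both cases fall back to manual activation.
    """
    verified = claims.get("email_verified")
    if verified is True:
        return "activated"
    if isinstance(verified, str):
        return f"needs-activation (email_verified is the string {verified!r}, not a boolean)"
    if verified is None:
        return "needs-activation (email_verified claim missing)"
    return "needs-activation"
```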