My website (a MediaWiki-based wiki) only uses a username and password (email is optional for users to register). I have Discourse up and running, and have SSO enabled in admin settings. Clicking on log-in on Discourse redirects to my site’s log-in page with a nonce.
I’m going through the official Discourse SSO instructions and it says:
> Discourse uses emails to map external users to Discourse users, and assumes that external emails are secure. IF YOU DO NOT VALIDATE EMAIL ADDRESSES BEFORE SENDING THEM TO DISCOURSE, YOUR SITE WILL BE EXTREMELY VULNERABLE!
I have a few questions regarding SSO:
- Just to clarify - once I have SSO working, all the registered users in my site can access Discourse ‘logged-in’ without having to register first in Discourse, right?
- I want to disable all email-related features on Discourse (since we don’t enforce email on our website). So, no emails from Discourse, or to Discourse (for replies, etc.).
- If I created a dummy email in my website’s SSO code (something like email@example.com) for each user and sent that in the payload, will that be fine?
- How do I go about getting SSO to work in my case - any other suggestions/tips?
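
The exchange this question is about, seen from the wiki side, as an added example that is not part of the original post and is not Discourse's or MediaWiki's own code. The parameter names (`sso`, `sig`, `nonce`, `return_sso_url`, `external_id`, `username`, `email`) follow Discourse's SSO documentation; the function names, secret, forum URL, nonce and user record are hypothetical, constructed values.

```php
<?php
// Added example: provider side of the Discourse SSO round trip.
// $secret stands for the shared SSO secret set in Discourse admin settings.

// Check the request Discourse sent to the wiki's log-in page and return its fields.
function sso_verify_request(string $sso, string $sig, string $secret): array
{
    // Discourse signs the base64 payload string itself with HMAC-SHA256 (hex).
    $expected = hash_hmac('sha256', $sso, $secret);
    if (!hash_equals($expected, strtolower($sig))) {
        throw new RuntimeException('SSO signature mismatch');
    }
    // Decode only after the signature has been verified.
    parse_str((string) base64_decode($sso), $fields);
    if (empty($fields['nonce']) || empty($fields['return_sso_url'])) {
        throw new RuntimeException('SSO payload is missing nonce or return_sso_url');
    }
    return $fields;
}

// Build the signed redirect back to Discourse for a user the wiki has authenticated.
function sso_build_response(array $request, array $user, string $secret): string
{
    $payload = base64_encode(http_build_query([
        'nonce'       => $request['nonce'],  // echoed back unchanged
        'external_id' => $user['id'],        // stable wiki user id
        'username'    => $user['name'],
        // Discourse maps accounts on this value, so it must be distinct per
        // user and one the wiki has verified belongs to that user.
        'email'       => $user['email'],
    ]));
    $sig = hash_hmac('sha256', $payload, $secret);
    return $request['return_sso_url'] . '?' . http_build_query(['sso' => $payload, 'sig' => $sig]);
}

// Constructed sample request, signed the way Discourse would sign it.
$secret   = 'constructed-demo-secret';
$incoming = base64_encode('nonce=cb68251eefb5211e58c00ff1395f0c0b&return_sso_url='
    . urlencode('https://forum.example.com/session/sso_login'));
$sig = hash_hmac('sha256', $incoming, $secret);

$request = sso_verify_request($incoming, $sig, $secret);
$user    = ['id' => 42, 'name' => 'WikiUser', 'email' => 'wikiuser@example.org'];
echo sso_build_response($request, $user, $secret), "\n";

// A payload altered in transit no longer matches its signature and is refused.
try {
    sso_verify_request($incoming . 'A', $sig, $secret);
} catch (RuntimeException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```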