Need help to setup SSO without emails

My website (a MediaWiki-based wiki) only uses a username and password (email is optional for users to register). I have Discourse up-and-running, and have SSO enabled in admin settings. Clicking on log-in on Discourse redirects to my site’s log-in page with a nonce.

I’m going through the official Discourse SSO instructions and it says:

:warning: Discourse uses emails to map external users to Discourse users, and assumes that external emails are secure. IF YOU DO NOT VALIDATE EMAIL ADDRESSES BEFORE SENDING THEM TO DISCOURSE, YOUR SITE WILL BE EXTREMELY VULNERABLE!

I have a few questions regarding SSO:

  1. Just to clarify - once I have SSO working, all the registered users in my site can access Discourse ‘logged-in’ without having to register first in Discourse, right?
  2. I want to disable all email-related features on Discourse (since we don’t enforce email on our website). So, no emails from Discourse, or to Discourse (for replies, etc.).
  3. If I created a dummy email in my website’s SSO code (something like unique_id@domain.xyz) for each user and send that in the payload, will that be fine?
  4. How do I go about getting SSO to work in my case - any other suggestions/tips?

Thanks!

2 Likes

No. Valid emails are required for Discourse to function at its most fundamental level. You may wish to choose different free open source software if you need no-email support.

1 Like

Thanks for your response, Jeff.

I was looking at this thread (consequences of not validating emails) and your comments in it; and I believe my situation is quite similar:

  1. I got SSO to work, and I have disabled local registrations/login on Discourse. Hence, clicking on ‘log in’ on the forums redirects them to the login page of my site and after validation, they are redirected back to the forums (with the payload - including dummy, but unique, email ID).
  2. I have also disabled all emails from Discourse admin settings (thus Discourse will not be sending ANY emails at all).
  3. I haven’t set require_activation to true.

If all emails from Discourse are disabled, and I’m using SSO, will dummy emails still be an issue? And can you explain why valid emails are essential and what goes wrong with unique dummy emails?

Thanks!

2 Likes

If SSO is working that might be ok… I think you need to make these fake email addresses a specific domain address to prevent any attempt at mailing, but I can’t remember the details. Do you remember @gerhard?

1 Like

Configuring the disable_emails site setting appropriately should be enough, but it’s a good idea to use the .invalid domain extension just in case you enable outgoing emails at a later time. Something like unique_id@something.invalid for example.

1 Like
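The exchange the thread describes (Discourse redirects to the wiki with a signed nonce, the wiki authenticates the user with its own username/password and sends back a signed payload whose e-mail is a unique address under a `.invalid` domain, as gerhard suggests above), as an added Python example. It is not part of this thread and is not Discourse's or MediaWiki's own code. The shared secret, the user identifiers and the `https://forum.example` URL are constructed for the example; the payload field names, the base64-then-HMAC-SHA256 signing and the `sso`/`sig` query parameters follow the Discourse SSO (DiscourseConnect) protocol.

```python
import base64
import hashlib
import hmac
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, urlencode

# Constructed value: in practice this is the secret entered in Discourse's SSO
# settings (`sso_secret`, later renamed `discourse_connect_secret`).
SSO_SECRET = b"example-shared-secret-change-me"

# `.invalid` is reserved by RFC 2606 and never resolves, so a placeholder
# address under it cannot collide with a real mailbox or be delivered to.
PLACEHOLDER_DOMAIN = "something.invalid"


def sign(secret: bytes, message: str) -> str:
    """Hex HMAC-SHA256 over the exact string that travels in the `sso` parameter."""
    return hmac.new(secret, message.encode("utf-8"), hashlib.sha256).hexdigest()


def parse_incoming_sso(sso: str, sig: str, secret: bytes = SSO_SECRET) -> Dict[str, str]:
    """Check the signature on the `sso`/`sig` pair Discourse put in the login
    redirect, then return the fields it carries (nonce and return_sso_url).

    The signature is checked with a constant-time comparison before anything
    is decoded, so a forged or tampered redirect is rejected without being
    parsed. Discourse itself rejects a nonce it did not issue, one older than
    ten minutes, or one that has already been used, so the wiki does not need
    to track nonces.
    """
    if not hmac.compare_digest(sign(secret, sso), sig.lower()):
        raise ValueError("SSO signature does not match")
    decoded = base64.b64decode(sso).decode("utf-8")
    fields = {k: v[0] for k, v in parse_qs(decoded).items()}
    if "nonce" not in fields or "return_sso_url" not in fields:
        raise ValueError("SSO payload is missing nonce or return_sso_url")
    return fields


def placeholder_email(external_id: str) -> str:
    """Unique, undeliverable address for a wiki account that has no e-mail."""
    return f"{external_id}@{PLACEHOLDER_DOMAIN}"


def build_sso_response(nonce: str, external_id: str, username: str,
                       email: Optional[str] = None,
                       secret: bytes = SSO_SECRET) -> Tuple[str, str]:
    """Build the signed payload the wiki sends back after it has authenticated
    the user. `external_id` must be a stable, never-reused identifier (the
    wiki's numeric user id, not the display name): Discourse keys the account
    on it, and the e-mail is used when the account is first created.
    `require_activation` is left unset, matching the poster's setup; with
    `.invalid` addresses there is nothing to activate.
    """
    fields = {
        "nonce": nonce,
        "external_id": external_id,
        "username": username,
        "email": email or placeholder_email(external_id),
    }
    payload = base64.b64encode(urlencode(fields).encode("utf-8")).decode("ascii")
    return payload, sign(secret, payload)


def build_redirect_url(return_sso_url: str, payload: str, sig: str) -> str:
    """Location the wiki redirects the browser to, back into Discourse."""
    return f"{return_sso_url}?{urlencode({'sso': payload, 'sig': sig})}"


def handle_login(sso: str, sig: str, wiki_user_id: str, wiki_username: str) -> str:
    """What the wiki's login endpoint does once its own password check passed."""
    request = parse_incoming_sso(sso, sig)
    payload, response_sig = build_sso_response(request["nonce"], wiki_user_id, wiki_username)
    return build_redirect_url(request["return_sso_url"], payload, response_sig)


def simulate_discourse_redirect(nonce: str, return_sso_url: str,
                                secret: bytes = SSO_SECRET) -> Tuple[str, str]:
    """Constructed stand-in for the `sso`/`sig` pair Discourse generates when a
    user clicks 'log in'; included only so the example runs offline."""
    inner = urlencode({"nonce": nonce, "return_sso_url": return_sso_url})
    sso = base64.b64encode(inner.encode("utf-8")).decode("ascii")
    return sso, sign(secret, sso)


if __name__ == "__main__":
    sso, sig = simulate_discourse_redirect("abc123", "https://forum.example/session/sso_login")
    print(handle_login(sso, sig, wiki_user_id="42", wiki_username="wikiuser"))
```

If real addresses ever flow through this payload (for example once the wiki starts collecting them), they must be verified on the wiki side first, or `require_activation=true` must be added to the payload, for exactly the reason given in the warning quoted in the first post: Discourse maps external users to accounts by e-mail.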