I’m wanting to use OpenID Connect (Keycloak) as an SSO solution with Discourse as one of the clients.
I have the OpenID Connect Authentication Plugin installed and working in Discourse, but there seem to be some aspects of SSO that are not applied and I’m not sure to what extent the features of SSO and this OIDC plugin overlap.
According to SSO synced login state tips it should be possible to log in directly using SSO with a URL like forum.example.com/session/sso, but that does not seem to be present with just the OpenID Connect Authentication Plugin, and trying to also set up the enable_sso and sso_url options ended up with a broken setup.
OK, thanks. Does that mean that the default built-in (username/password in Discourse) authentication needs to be disabled? Or can that be kept as an option?
It’s up to you. You can control it using the enable_local_logins setting.
If you leave it enabled, then visiting /login will present the user with a choice of login options. If you disable it, openid-connect will be started immediately.