OpenID Connect and SSO

I’m wanting to use OpenID Connect (Keycloak) as an SSO solution with Discourse as one of the clients.
I have the OpenID Connect Authentication Plugin installed and working in Discourse, but there seem to be some aspects of SSO that are not applied and I’m not sure to what extent the features of SSO and this OIDC plugin overlap.

According to SSO synced login state tips, it should be possible to log in directly using SSO with a URL like fourm.example.com/session/sso, but that does not seem to be present with just the OpenID Connect Authentication Plugin, and trying to also set up the enable_sso and sso_url options ended up with a broken setup.

How is one supposed to use OIDC with SSO?

In Discourse, “SSO” means this protocol: DiscourseConnect - Official Single-Sign-On for Discourse (sso) (we are working on renaming it to DiscourseConnect… because it’s super confusing at the moment!)

To use openid-connect, do not use enable_sso or sso_url.

If openid-connect is the only enabled login method, then sending the user to /login should start the authentication flow.


OK, thanks. Does that mean that the default built-in (username/password in Discourse) authentication needs to be disabled? Or can that be kept as an option?

It’s up to you. You can control it using the enable_local_logins setting.

If you leave it enabled, then visiting /login will present the user with a choice of login options. If you disable it, openid-connect will be started immediately.
