I have the exact same issue as the people reporting here and in this thread.
The issue is not related to the SSO implementation nor the webserver: In my case http requests are redirected to https, which is then sent through the reverse proxy. SSO works perfectly if I redirect the user to https://discourse.fqdn.top/session/sso_login?sso=PAYLOAD&sig=SIGNATURE and force_https is false, showing that both the SSO part and proxy work perfectly well. Only when I switch force_https to true, it stops working. When I have a pre-existing session, I can change force_https to true and use discourse without any issues (further cementing the point that the issue is not related to the reverse proxy). Leaving force_https false is not an option because it breaks logos and Chrome is not happy when assets from http and https are mixed (it shows a small alert in the address bar that the page is not secure).