SAML plugin in repo. Multisite


(eriko) #1

I noticed the new SAML plugin on github and I have a couple questions.

  • Are there any plans to make it multisite compatible?
  • Since SAML is an SSO solution, do you plan on making it so that if there is only one login method available the login choice dialog is not used?

(Sam Saffron) #2

I think @eviltrout worked on this, no plans to make it multisite compatible, but a PR is welcome.

If there is only one login method I think it is ok to skip the dialog, I thought we already did that. See: https://community.wd.com/ for example.


(eriko) #3

There is some chance that we may be moving to SAML from CAS and if that comes to be I will do some work.

Also that is great about the single login method interface.


(Robin Ward) #4

I did for a customer of ours. It’s still very much in beta and not officially supported yet. I’d love to hear if it works for you though @eriko!


(eriko) #5

One more question. During development, what did you use for the SAML provider? I am probably going to need to convert the cas_sso provider I wrote or switch to what you are writing. I have only cursorily looked at what to use for a development SAML server and did not find anything compelling.


(Robin Ward) #6

It was for a client who already had SAML set up, and I can’t say who that was unfortunately.


(eriko) #7

Fair enough. Thanks.


#8

Sorry to revive this thread, but I have just got SSO via SAML working on my Discourse instance.

I am very interested to know how you setup https://community.wd.com so that when a user clicks “Log In” the SSO login page appears in the main window, rather than as a pop-up window?


(Sam Saffron) #9

Not following. If you disable local logins and only have one SSO provider it should automatically flow through.


#10

I have disabled local logins in the Discourse settings, and am only using the discourse-saml plugin for authentication (so there is only one login option). When the user clicks the “Log In” button a pop-up appears with the login page for our SSO provider.

If possible, I don’t want the login page to appear in the pop-up - but instead just flow through (as you suggest) the same as the https://community.wd.com site.

Thanks in advance for any help :slight_smile:


(eriko) #11

Try refreshing the page. The JavaScript that is in the active page from before you disabled the local login is still there and is set up to open the popup and not redirect.


#12

Thanks for the suggestion. I am trying it out in Chrome Incognito mode and have also tried force refreshing the page, but the same issue still happens: the SSO opens in a pop-up window.


(Sam Saffron) #13

If the auth method defines full_screen_login to be true, it will not pop up a window. This is a 1 line change in whatever plugin you are using.


#14

Thanks @sam. Being pretty new to plugins in Discourse, how would I go about implementing that in the discourse-saml plugin (GitHub - discourse/discourse-saml: Support for SAML in Discourse)? I can’t find any references to full_screen_login in the source code for the plugin.


(Sam Saffron) #15

Would be here:

insert line with:

:full_screen_login => true,
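The one-line change Sam describes, shown as an added example that is not code from this thread or from the discourse-saml plugin itself. The stand-in `auth_provider` below only records the options a plugin.rb would pass (in a real plugin it is the Discourse plugin DSL call), the environment variable `DISCOURSE_SAML_FULL_SCREEN_LOGIN` is an assumed name for the setting-driven variant mentioned later in the thread, and `login_flow` is a simplified model of how the client picks between the login chooser, a pop-up and a full-page redirect once local logins are disabled.

```ruby
# Added example: models the full_screen_login option and the login-flow
# decision discussed in this thread. Assumptions (not from the thread or the
# discourse-saml plugin): `auth_provider` here only records options, the
# DISCOURSE_SAML_FULL_SCREEN_LOGIN variable is a constructed setting name, and
# `login_flow` is a simplified model of the Discourse client's behaviour.

PROVIDERS = []

# Stand-in for the plugin DSL call a plugin.rb makes at load time.
def auth_provider(opts)
  PROVIDERS << opts
  opts
end

# Constructed setting: read the flag from the environment so operators can
# switch between pop-up and full-page login without editing the plugin.
def saml_full_screen_login?(env = ENV)
  env.fetch("DISCOURSE_SAML_FULL_SCREEN_LOGIN", "false") == "true"
end

# What the plugin registers; :authenticator is a placeholder symbol here,
# the real plugin passes an authenticator object.
def register_saml_provider(env = ENV)
  auth_provider(
    :title => "with SAML",
    :authenticator => :saml,
    :full_screen_login => saml_full_screen_login?(env)  # the one-line change
  )
end

# Decide what the "Log In" button does.
#   :login_disabled -> no local form and no external provider
#   :login_dialog   -> more than one way to log in, show the chooser
#   :local_form     -> only the built-in username/password form
#   :popup          -> single external provider, opened in a window
#   :full_screen    -> single external provider flagged full_screen_login
def login_flow(providers, local_login_enabled:)
  methods = providers.size + (local_login_enabled ? 1 : 0)
  return :login_disabled if methods.zero?
  return :login_dialog if methods > 1
  return :local_form if local_login_enabled
  providers.first[:full_screen_login] ? :full_screen : :popup
end
```

Note that, as eriko points out above, the client only re-reads the provider options when the page is reloaded, so a stale tab can keep opening the pop-up after the flag has been changed.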

#17

Thanks @sam, working great now.


#18

Just submitted a PR so this functionality is included in the plugin via a setting:


(Leo Giovanetti) #19

Hi all.

I’m sorry to resurrect this thread but I’m having issues with the discourse-saml plugin.

Basically, when I try to login with SAML, the page goes back to Discourse and I’m presented with the login page again. I didn’t see any error on the logs.

I wonder if I mapped the needed information from my provider to work with Discourse, or maybe that’s standardized. Is there any documentation about this available?

This is my config:

  • Application Callback URL: Talk!

Also, for more information about the other config properties that may be needed to be tweaked, here they are: SAML Configuration. I didn’t include any of them above as I’m inclined to use the default values for all of them unless I’m told otherwise.

Thanks a lot in advance!


#20

Hi @leog

So our implementation of the discourse-saml plugin worked out of the box with our IDP, which is not managed by me (we used a service provider for our single sign-on services) and which implements and provides SAML 2.0. So, as far as I can tell, the plugin works fine when integrated with a compliant SAML 2.0 provider.

You mention there are no errors in the logs. Are you referring to errors on the end of your SAML provider (which I assume is Auth0) or in Discourse (e.g. https://forum.example.com/logs)?

Caveat, I have never used Auth0 :slight_smile:


(Leo Giovanetti) #21

Thanks for the reply @skoota.

I’ve been taking a look at both sides of the logs and I’ve corrected a few things, but then nothing is logged and the described behavior happens. Login succeeds in the Auth0 logs, there is no error on Discourse, and I am redirected back to the login page.

Anyways, I gave Auth0 another read and, very hidden, almost in small letters, it says it needs the SAMLRequest to be done by POST. I configured that, but now I get an error when it tries to go to /discourse_saml as a result of asking to login through SAML; there is nothing there. I came across this thread: Auth provider custom URL?. It says something about setting up a customUrl but I couldn’t figure out where. Does anybody know? Maybe @eviltrout?

Thanks in advance.