SAML plugin in repo. Multisite


#8

Sorry to revive this thread, but I have just got SSO via SAML working on my Discourse instance.

I am very interested to know how you set up https://community.wd.com so that when a user clicks “Log In” the SSO login page appears in the main window, rather than as a pop-up window?


(Sam Saffron) #9

Not following. If you disable local logins and only have one SSO provider, it should automatically flow through.


#10

I have disabled local logins in the Discourse settings, and am only using the discourse-saml plugin for authentication (so there is only one login option). When the user clicks the “Log In” button a pop-up appears with the login page for our SSO provider.

If possible, I don’t want the login page to appear in the pop-up - but instead just flow through (as you suggest) the same as the https://community.wd.com site.

Thanks in advance for any help :slight_smile:


(eriko) #11

Try refreshing the page. The JavaScript that is in the active page from before you disabled the local login is still there and is set up to open the popup and not redirect.


#12

Thanks for the suggestion. I am trying it out in Chrome Incognito mode - have also tried force refreshing the page, but the same issue still happens - the SSO opens in a pop up window.


(Sam Saffron) #13

If the auth method defines full_screen_login to be true, it will not pop up a window. This is a 1 line change in whatever plugin you are using.


#14

Thanks @sam. Being pretty new to plugins in Discourse, how would I go about implementing that in the discourse-saml plugin (GitHub - discourse/discourse-saml: Support for SAML in Discourse)? I can’t find any references to full_screen_login in the source code for the plugin.


(Sam Saffron) #15

Would be here:

insert line with:

:full_screen_login => true,

#17

Thanks @sam, working great now.


#18

Just submitted a PR so this functionality is included in the plugin via a setting:


(Leo Giovanetti) #19

Hi all.

I’m sorry to resurrect this thread but I’m having issues with the discourse-saml plugin.

Basically, when I try to log in with SAML, the page goes back to Discourse and I’m presented with the login page again. I didn’t see any error in the logs.

I wonder if I mapped the needed information from my provider to work with Discourse, or maybe that’s standardized. Is there any documentation about this available?

This is my config:

  • Application Callback URL: Talk!

Also, for more information about the other config properties that may be needed to be tweaked, here they are: SAML Configuration. I didn’t include any of them above as I’m inclined to use the default values for all of them unless I’m told otherwise.

Thanks a lot in advance!


#20

Hi @leog

So our implementation of the discourse-saml plugin worked out of the box with our IDP - which is not managed by me (we used a service provider for our single sign-on services) who implements and provides SAML 2.0. So, as far as I can tell, the plugin works fine when integrated with a compliant SAML 2.0 provider.

You mention there are no errors in the logs. Are you referring to errors on the end of your SAML provider (which I assume is Auth0) or in Discourse (e.g. https://forum.example.com/logs)?

Caveat, I have never used Auth0 :slight_smile:


(Leo Giovanetti) #21

Thanks for the reply @skoota.

I’ve been taking a look at both sides of the logs and I’ve corrected a few things, but then, nothing logged and the described behavior happens. Login succeeds on Auth0 logs, no error on Discourse and redirected back to login page.

Anyways, I gave Auth0 another read and, very hidden, almost in small letters, it says it needs the SAMLRequest to be done by POST. Configured that but now I get an error when it tries to go to /discourse_saml as a result of asking to login through SAML; there is nothing there. Came across this thread: Auth provider custom URL?. It says something about setting up a customUrl but couldn’t figure out where. Does anybody know? Maybe @eviltrout?

Thanks in advance.
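
Post #21 turns on which SAML binding carries the SAMLRequest. As an added example (not from the thread, Auth0 or the discourse-saml plugin), this Ruby code encodes a constructed AuthnRequest under the HTTP-Redirect and HTTP-POST bindings and decodes a captured value to tell which one was sent; the sample XML, its callback URL and all function names are assumptions made for illustration.

```ruby
require "zlib"
require "base64"
require "cgi"

# Constructed sample AuthnRequest; host and callback path are placeholders.
SAMPLE_AUTHN_REQUEST = <<~XML.strip
  <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_example1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z" AssertionConsumerServiceURL="https://forum.example.com/auth/saml/callback"/>
XML

# HTTP-Redirect binding: raw DEFLATE (no zlib header), Base64, then URL-encoding.
def encode_redirect(xml)
  deflater = Zlib::Deflate.new(Zlib::DEFAULT_COMPRESSION, -Zlib::MAX_WBITS)
  compressed = deflater.deflate(xml, Zlib::FINISH)
  deflater.close
  CGI.escape(Base64.strict_encode64(compressed))
end

# HTTP-POST binding: Base64 only, carried in a form field named SAMLRequest.
def encode_post(xml)
  Base64.strict_encode64(xml)
end

# Decode a captured SAMLRequest value and report which binding encoding it used.
# Pass from_query_string: true when the value was copied from a URL and is
# still percent-encoded.
def decode_saml_request(value, from_query_string: false)
  value = CGI.unescape(value) if from_query_string
  raw = Base64.decode64(value)
  # POST binding: the Base64 payload is the XML itself.
  return [:post, raw.force_encoding(Encoding::UTF_8)] if raw.start_with?("<")

  # Redirect binding: the payload is a raw DEFLATE stream.
  inflater = Zlib::Inflate.new(-Zlib::MAX_WBITS)
  xml = inflater.inflate(raw)
  complete = inflater.finished?
  inflater.close
  complete ? [:redirect, xml.force_encoding(Encoding::UTF_8)] : [:unknown, nil]
rescue Zlib::Error
  [:unknown, nil]
end
```

Running `decode_saml_request` on the value seen in the browser's network tab shows whether the service provider is sending the binding the identity provider is configured to accept.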


(Robin Ward) #22

What error do you get when it tries to go to /discourse_saml?


(Leo Giovanetti) #23

I’m getting a 500:

This page isn’t working
talk.leog.me is currently unable to handle this request.
HTTP ERROR 500


(Robin Ward) #24

Can you provide any more information from the logs? Perhaps from your /logs path?


(Leo Giovanetti) #25

@eviltrout here you go: error.pdf (56.7 KB)


(Robin Ward) #26

It’s possible the plugin doesn’t work with the login_required site setting enabled. I’m not sure we’ve tried it out in that configuration before.


(Leo Giovanetti) #27

@eviltrout Indeed, disabling login_required makes the route work.

BTW, is there any way to avoid the create account dialog for any new user that successfully signs in through SAML?

Thanks.


(Robin Ward) #28

There is no way to do this with the plugin. Maybe a better fit would be our SSO system?

You could also create a new plugin based on the SAML one that would create the user account with the fields you’d prefer to use.