[security] SSO and special user names like "system"

On my site, I have SSO enabled. I was wondering what would happen if someone with the user name of "system" logged into the site, as the system user is an admin user by default. I've reserved that user name on our SSO server in case that would be an issue.

Are there any other user names that we need to reserve, such as “discobot”?

Would it make sense to block logins as these users on all Discourse instances?

The most likely thing to happen is that a non-admin user would be created with the username system1 and the email address that was supplied in the SSO payload. There are two things that would prevent a user being created with the username system. The first would be the presence of the system user on your site - usernames must be unique on the site. The second thing that would prevent it is the Discourse Site Setting for reserved usernames. By default that list includes the username system.

One thing to note with the reserved usernames setting is that you can add a wildcard to the setting, for example system*. If you do this, a user who tries to create an SSO account with the username system will be given a random username like 25d831d5097a3e987bec when they log in with SSO.

When users first log in with SSO, authentication is based off the email address, not the username. The thing to be concerned about is making sure that users are not creating accounts with unauthenticated email addresses on your SSO provider site.

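The behaviour described in the reply above, modelled as an added Ruby example (this is illustration code written for this page, not Discourse's own implementation). It assumes a pipe-separated reserved-usernames list in which only `*` is a wildcard, a fixed number of numeric-suffix attempts before falling back to a random 20-hex-character username, and lookup of an incoming SSO payload by email rather than by the username it claims; the sample accounts and payloads are constructed.

```ruby
require "securerandom"

# Maximum "name1", "name2", ... attempts before giving up and using a
# random username. The exact limit is an assumption for this example.
MAX_SUFFIX_ATTEMPTS = 100

# Constructed sample: the accounts already on the forum, keyed by
# lower-cased email. The built-in "system" account is an admin.
EXISTING_USERS = {
  "system@forum.invalid" => { username: "system", admin: true },
  "andrew@forum.invalid" => { username: "andrew", admin: true },
}

def normalize_username(name)
  name.to_s.strip.downcase
end

# One reserved entry -> anchored regex. Everything is escaped except "*",
# so an entry like "a.b" cannot widen into a regex metacharacter match.
def reserved_pattern(entry)
  Regexp.new("\\A#{Regexp.escape(entry.downcase).gsub('\\*', '.*')}\\z")
end

# True if the username matches any entry of the (assumed pipe-separated)
# reserved list, e.g. "system|discobot" or "system*|discobot".
def reserved_username?(username, reserved_list)
  candidate = normalize_username(username)
  reserved_list.split("|").map(&:strip).reject(&:empty?).any? do |entry|
    reserved_pattern(entry).match?(candidate)
  end
end

def username_taken?(username, users)
  candidate = normalize_username(username)
  users.values.any? { |u| normalize_username(u[:username]) == candidate }
end

def username_available?(username, users, reserved_list)
  !username_taken?(username, users) && !reserved_username?(username, reserved_list)
end

# 20 hex characters, the shape of the random name quoted in the thread.
def random_username
  SecureRandom.hex(10)
end

# Pick a username for a new account: the wanted name if free, otherwise
# wanted1, wanted2, ... and finally a random name. With "system" reserved
# this yields "system1"; with "system*" reserved every suffix is reserved
# too, so the loop exhausts and a random name is returned.
def suggest_username(wanted, users, reserved_list)
  wanted = normalize_username(wanted)
  return random_username if wanted.empty?

  candidate = wanted
  (1..MAX_SUFFIX_ATTEMPTS).each do |i|
    return candidate if username_available?(candidate, users, reserved_list)
    candidate = "#{wanted}#{i}"
  end
  random_username
end

# Resolve an SSO payload ({ email:, username: }) to an account. The account
# is found by email only; the username in the payload is never used to
# look up an existing user, so it cannot select the admin "system" account.
# A newly created account is a regular (non-admin) user.
def resolve_sso_user(payload, users, reserved_list)
  email = payload.fetch(:email).to_s.strip.downcase
  return { action: :login, user: users[email] } if users.key?(email)

  user = { username: suggest_username(payload.fetch(:username), users, reserved_list), admin: false }
  users[email] = user
  { action: :create, user: user }
end

if __FILE__ == $PROGRAM_NAME
  payload = { email: "mallory@idp.invalid", username: "system" }
  p resolve_sso_user(payload, EXISTING_USERS.dup, "system|discobot")   # username "system1", admin false
  p resolve_sso_user(payload, EXISTING_USERS.dup, "system*|discobot")  # random 20-hex username, admin false
end
```

The last point is the one to keep in mind when reviewing an SSO provider: the lookup key is the email address, so whoever can get the provider to assert `system@forum.invalid` (or any admin's address) signs in as that admin regardless of the username they claim, which is why unverified email addresses on the provider are the real risk.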

Hello Simon,

Thanks for the clarification. Given my site’s settings, including user name overriding, it makes sense that users cannot log in as the system user. When I originally enabled SSO, I couldn’t log in as my admin user because there were no SSO credentials associated with it, so I had to delete that account and then log back in to create it as an SSO account.

Thanks, : )
Andrew