We have a private forum at the moment where only users that have registered on our website can then log in (through SSO) to access the forum.
However, we’d like to make the forum semi-private. I would like for anyone (public) to be able to read posts on the forum, but they should have a registered account to post (private). How do I do about doing this?
I’ve been Googling for an hour and can’t find anything helpful. 
I would make that through groups and security permissions for the categories.
So for example:
Correct me someone who has better knowledge than me 
Edit: When create the group, you have an option Automatic -> Users who register with an email domain that exactly matches one in this list will be automatically added to this group:
I am not sure if it is possible to wildcard domains inside that option field? So that everyone who registers with doesn´t matter which mail adress is beeing automatically added to that group.
Will these users register through your SSO? Or are you trying to have SSO and a sign up form? You cannot have SSO and a separate sign up form. You will have to modify your SSO and switch it to a custom oauth2 provider then you can also have a sign up form for new users who are not going to use the oauth2 provider.
Then you can just make your forum public and anyone who wants to post will have to create an account.
Yes they’ll register through our web site and have an account in our user database, then log in through SSO.
Okay cool. All you need to do is uncheck the “login required” box in your admin settings. Anonymous users will then be able to read your site, but will still have to sign up to post.
Okay thanks @blake, I’ll give that a shot on my staging server and test it out.
I have a really newbie question though… how in the heck do I create “groups”? Been searching all over my admin interface but I can’t find where to do it… 
But now I can help
https://your.domain/groups
Thank you!! In the interest of learning how to fish, is there a way to get to this page through the admin interface?
Also, if I want to bulk-add members, is there a way to generate a list of current members through the Discourse interface that I can copy and paste into the bulk add field?
The link he provided is where you administer groups. That’s where to fish.
You can find posts about bulk invites that will invite people to groups. Both the users page and the admin/users page provide lists of users. You might also be interested in the data explorer plugin.
LOL Yes, but how would I (or some other newbie user) have otherwise figured that out?
Thank you for pointing out the Users page, I never saw the Export button there until you mentioned it. Sooooo many features, so little time!
Oh. That. 
Indeed. There are zillions of settings and figuring out where it “makes sense” for them to be takes a while, just like figuring out the fundamental metaphors of photo editing or spreadsheets takes time. And it’s further complicated by the fact that some of those issues are still in a state of flux.
There was recently a groups interface in admin, but it was decided that it was too confusing to know where to go to do which things having to do with groups. Categories are administered only in the categories interface (not admin), and groups are analogous to categories. (categories are collections of topics ;groups are collections of users)
Huh… Admin>Users>Groups… Which is where I went looking in the first place! 
Just thought I would actually answer your very valid question about how to find groups if its not in admin anymore.
Click on the hamburger menu and select groups:
Don’t worry it was hard for me to find at first once it was removed from admin.
Thanks @blake!
I do have a followup question about groups and SSO. If we have 2 or 3 different flags in our user database (i.e. to differentiate paying members, free accounts, staff, etc.) that we want to use to assign users to specific groups in Discourse, how would we go about doing that?
I was under the impression, and correct me if I’m wrong, that once we set “sso overrides groups” to enabled, it would only take that value from one specific data point in our user database tables.
It looks like the sso endpoint will take a comma separated list of groups:
https://github.com/discourse/discourse/blob/master/app/models/discourse_single_sign_on.rb#L110
Amazing! Thanks again @blake!
Now that I’ve got my dev environment set up again, I added a link to Admin>Users going to /groups as ‘practice’. Should I send in a PR with this change, or toss it out?
Yes, please do! Looks like this is a good compromise between this
and and not having any link from the admin dashboard.
Most definitely, thank you! 
Oops, this got buried… sent it in just now.