I have a fully working Discourse instance with SSO support.
Everything is https.
Recently I activated the force_https option in the settings, because some browsers prompted the user that parts of the website aren’t secure.
Enabling this setting fixed this error, but resulted in a new one:
The SSO process is broken if I activate the force_https setting.
How can this be the case?
My PHP script redirects the user as usual: https://domain.com/session/sso_login?sso=". $payload ."&sig=". $return_sig
But Discourse opens up and doesn’t log in the user, nor does it show any kind of errors.
The logging shows only one single difference in the backtraces for the following line:
NOT WORKING:
I don’t understand it.
Without force_https the process is working, but with it, it is not.
The payload and sig must be correct, because it works perfectly without this option enabled.
Everything is all https: Discourse (of course), the external login page (receives SSO data correctly) and the redirect URL after the login from the external page.
But Discourse ignores it…
Has anyone an idea on how the force_https option influences the SSO process?
Why can it be the case that a functional https://domain.com/session/sso_login?.. request, that works perfectly without this option enabled, gets surprisingly rejected if the option gets enabled?