Session_controller: Force SSL setting messes up SSO process

Hi,

I have a fully working Discourse instance with SSO support.
Everything is https.
Recently I activated the force_https option in the settings, because some browsers prompted the user that parts of the website aren’t secure.
Enabling this setting fixed this error, but resulted in a new one:

The SSO process is broken if I activate the force_https setting.

How can this be the case?

My PHP script redirects the user as usual:
https://domain.com/session/sso_login?sso=". $payload ."&sig=". $return_sig
But Discourse opens up and doesn’t log in the user, nor shows any kind of errors.

The logging shows only one single difference at the backtraces for the following line:
NOT WORKING:

/var/www/discourse/app/controllers/session_controller.rb:38:in `sso'

WORKING:

/var/www/discourse/app/controllers/session_controller.rb:165:in `sso_login'

Why does the session_controller mess up the SSO process?

Thanks a lot for your support :slight_smile:

Did you update your SSO to connect to the HTTPS address for Discourse?

Thank you for your instant reply :smiley:

Yes, of course I updated it; it has been set to https since the beginning.
The exact PHP redirect code is:

header("Location: https://domain.com/session/sso_login?sso=". $payload ."&sig=". $return_sig);

I don’t understand it.
Without force_https the process is working, but with it, it is not :frowning:

The payload and sig must be correct, because it works perfectly without this option enabled.
Everything is all https: Discourse (of course), the external login page (receives SSO data correctly) and the redirect URL after the login from the external page.
But Discourse ignores it…

Does anyone know why this behaves in such a buggy way? :slight_smile:

Does anyone have an idea of how the force_https option influences the SSO process?

Why can it be the case that a functional https://domain.com/session/sso_login?.. request, which works perfectly without this option enabled, gets surprisingly rejected if the option gets enabled?

Thanks a lot for your support :slight_smile:

You should watch your network traffic to find the difference.


I’m facing this exact same problem using the latest version of Discourse: v2.4.0.beta4

Does anyone here have any clues about how to solve this?