Shibboleth SSO with Discourse

Hi All,

I finally got my Discourse site integrated with Shibboleth. It was simple, … once I figured it out :joy:.

  1. Get Shibboleth working on one web server (need not be the same as your Discourse server). Let's call it shib.univ.edu.

  2. Get a directory on shib.univ.edu for doing the Discourse SSO. Let’s call it discourse-sso.

  3. Protect this directory using Shibboleth. If you’re using Apache, it usually means putting something like this in discourse-sso/.htaccess:

     # Shibboleth header
     AuthType Shibboleth
     ShibRequireSession On
     ShibApplicationId default
     ShibExportAssertion On
    
     require shib-user ~ ^.+@univ\.edu$
    
  4. Get a library that does the signing work described in the official Discourse SSO guide. I use cviebrock/discourse-php. Create sso.php in here copied from the usage instructions.

  5. Your username and email will be in the environment variable eppn. So if you followed the usage instructions described in cviebrock/discourse-php (link above), then you should just set

     // Insert your user authentication code here ...
     // Required and must be consistent with your application
     $userEmail = getenv( 'eppn' );
    
     // Required and must be unique to your application
     $userId = strstr( $userEmail, '@', true );
    
  6. Enable the SSO from the official Discourse SSO guide. Make your sso url point to https://shib.univ.edu/discourse-sso/sso.php and you should be good.

GI

7 Likes
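The signing work from steps 4 to 6, written out as an added example; it is not code from the post or from cviebrock/discourse-php. It verifies the HMAC-SHA256 signature Discourse puts on the request, re-checks the eppn scope before signing, and builds the signed redirect back to Discourse. The function names, the `DISCOURSE_SSO_SECRET` variable, the `forum.example` URL and the sample values are assumptions.

```php
<?php
// Added example, not the post's or the library's code. Assumed names:
// verifySsoRequest, buildSsoRedirect, DISCOURSE_SSO_SECRET, forum.example.
function verifySsoRequest(string $payload, string $sig, string $secret): array
{
    // Discourse sends sig = hex HMAC-SHA256 of the raw base64 payload.
    if (!hash_equals(hash_hmac('sha256', $payload, $secret), $sig)) {
        throw new RuntimeException('Bad SSO signature');
    }
    $decoded = base64_decode($payload, true);
    if ($decoded === false) {
        throw new RuntimeException('Payload is not valid base64');
    }
    parse_str($decoded, $fields);
    if (empty($fields['nonce']) || empty($fields['return_sso_url'])) {
        throw new RuntimeException('Payload lacks nonce or return_sso_url');
    }
    return $fields; // return_sso_url is usable only because the signature matched
}

function buildSsoRedirect(array $request, string $eppn, string $secret): string
{
    // Re-check the scope in code so a loosened .htaccess rule cannot mint logins.
    if (!preg_match('/^[^@\s]+@univ\.edu$/', $eppn)) {
        throw new RuntimeException('Unexpected eppn, refusing to sign');
    }
    $payload = base64_encode(http_build_query([
        'nonce'       => $request['nonce'],      // echoed back unchanged
        'email'       => $eppn,
        'external_id' => strstr($eppn, '@', true),
    ]));
    $sig = hash_hmac('sha256', $payload, $secret);
    return $request['return_sso_url'] . '?' . http_build_query(['sso' => $payload, 'sig' => $sig]);
}
if (PHP_SAPI !== 'cli') {
    $secret = (string) getenv('DISCOURSE_SSO_SECRET');
    try {
        if ($secret === '') { throw new RuntimeException('SSO secret not set'); }
        $req = verifySsoRequest($_GET['sso'] ?? '', $_GET['sig'] ?? '', $secret);
        header('Location: ' . buildSsoRedirect($req, (string) getenv('eppn'), $secret));
    } catch (Throwable $e) {
        http_response_code(403); // fail closed: no redirect, no signed payload
    }
} else {
    // Constructed round trip for a command-line run; all values are made up.
    $secret = 'constructed-secret';
    $p = base64_encode('nonce=abc123&return_sso_url=' . urlencode('https://forum.example/session/sso_login'));
    echo buildSsoRedirect(verifySsoRequest($p, hash_hmac('sha256', $p, $secret), $secret), 'jdoe@univ.edu', $secret), "\n";
}
```

Because `external_id` is the eppn with its scope stripped, the scope check is what keeps two identity providers from mapping to the same Discourse account.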