Sign up and local authentication disappeared after enabling SSO-based authentication


Greetings from Oxford

We have installed Discourse in one of our CentOS VMs and enabled SSO-based authentication using the instructions and module provided by @fmarco76 in this post. I had to set up an SP and then authenticate using Oxford’s IdP.

Upon enabling authentication the Sign up button and local authentication disappeared. The settings clearly state that allow local registration.

The enabled SSO configs are as follows (both the URL to the server doing SSO and the SSO Secret are commented out)

This is what Discourse looks like: just a Login button, and when you click on that it will navigate you to the SSO authentication page of Oxford.

Even though the Official SSO post claims about

What if I would like SSO in conjunction with existing auth?

I could not find any instructions to state why the local auth on my end disappeared. I basically would very much want to have something like below to allow both SSO and local authentication/signup (referenced from this article)

The majority of our users will be using SSO, but there will be a few who would require local login.

One last question, maybe @fmarco76 could answer this if related to his module: with SSO enabled, users simply log in and everything works. How can I enable user account moderation with both SSO and local signups? In other words, if the user logs in for the first time using SSO, then an admin should approve their account in order for them to be able to make posts (I want the same with local, but first I need to find a way to enable the local sign up).

Please advise how I can enable local signup/auth in conjunction with SSO (it disappeared after enabling SSO) as well as enable user account moderation? Do I have to make any changes to any setting files, implement a new module, tweak x or y files, rebuild or bootstrap the app? Any hint/suggestion would be very much appreciated.


(fmarco76) #2

Hi @Raf,

As far as I know, Discourse does not support multiple authentication mechanisms enabled; at least when I developed the module there was not that option.
Additionally, I do not think you cannot moderate the authentication of users authenticated with SSO.

Both items would require some changes in Discourse code.

In our deployment we provide the minimum set of authorisations to the users and increase the authorisation level on request.

We also support multiple IdPs to include all potential users. I also manage a general purpose IdP ( to allow the authentication of people not registered in any IdP, in this way we have to manage only SSO with SAML in all our services. If you want you can use our IdP, just let me know.


(Jeff Atwood) #3

SSO and local logins (or any kind of other login in fact) are mutually exclusive. If you want multiple login methods, then build an OAuth 2 login provider, and you can show that alongside Google, Twitter, Facebook, local, etc.

SSO means “magic invisible parent site login”.


Thank you @fmarco76 and @codinghorror for the useful info. I will go ahead with SSO for the time being, and when the demand for external users arises, then I will disable SSO and switch to local plus social auths.

If I disable SSO in the future, the only requirement would be that those users who registered using SSO initially will have to trigger Forgot Password and, after resetting their password, log in locally using their email address. I tested this and it works.

Thank you for the offer. I will let you know if we decide to :wink: