SOLVED: Attempting to Auto Create Accounts When Using SAML Plugin

sso
1

Continuing the discussion from SAML plugin in repo. Multisite:

I’m attempting to make use of the following code in the SAML plugin to automatically create an account after a user has successfully authenticated so that users are not confronted with the login dialog in which they could conceivably change their email, username and name. I’d prefer that the users don’t have control over those settings and instead have them set automatically based on the SAML authentication.

https://github.com/discourse/discourse-saml/blob/4b7dff471f486f5aa9832103b5c7fdd3d562613b/lib/saml_authenticator.rb#L142

My app.yml file has:

  ...
  # Force fullName attribute from SAML assertion to override name attribute so that
  # the user's full name will be mapped to Discourse's Name field and will help
  # augment the numeric User Name field on posts.
  DISCOURSE_SAML_ATTRIBUTE_STATEMENTS: "name:fullName"

  DISCOURSE_SAML_AUTO_CREATE_ACCOUNT: true
  ...

When I test this feature, I see the following error in the logs:

Completed 500 Internal Server Error in 175ms (ActiveRecord: 0.0ms)
ActiveRecord::NotNullViolation (PG::NotNullViolation: ERROR:  null value in column "uid" violates not-null constraint
DETAIL:  Failing row contains (2, 3, null, saml, user@company.com, Smith, John, 2019-06-03 21:40:55.44066, 2019-06-03 21:40:55.44066).
: INSERT INTO "oauth2_user_infos" ("user_id", "provider", "email", "name", "created_at", "updated_at") VALUES (3, 'saml', 'user@company.com', 'Smith, John', '2019-06-03 21:40:55.440660', '2019-06-03 21:40:55.440660') RETURNING "id")
/var/www/discourse/vendor/bundle/ruby/2.6.0/gems/rack-mini-profiler-1.0.2/lib/patches/db/pg.rb:69:in `async_exec_params'
Failed to handle exception in exception app middleware : PG::NotNullViolation: ERROR:  null value in column "uid" violates not-null constraint
DETAIL:  Failing row contains (2, 3, null, saml, user@company.com, Smith, John, 2019-06-03 21:40:55.44066, 2019-06-03 21:40:55.44066).
: INSERT INTO "oauth2_user_infos" ("user_id", "provider", "email", "name", "created_at", "updated_at") VALUES (3, 'saml','user@company.com', 'Smith, John', '2019-06-03 21:40:55.440660', '2019-06-03 21:40:55.440660') RETURNING "id"

Any idea as to whether I need to configure the plugin to force “uid” to be set via one of the attributes from the SAML assertion?

When DISCOURSE_SAML_AUTO_CREATE_ACCOUNT is either set to false or is not present, the SAML-based authentication works, but the user sees the dialog in which they can modify their email, username and name.

image
image569×539 36.8 KB

2

Problem has been solved. We had inadvertently had removed from the ADFS IdP configuration the “nameid” from the SAML response. Once we added that back in, the auto create account feature worked fine!

With both the create account option set to true and the other settings shown below in our app.yml, we’re able to avoid having both login dialog windows being displayed. Now new users just click “Login”, authenticate via the IdP and then are put into their new Discourse account all without being able to override username, name and email address in an intervening dialog.

Once a user gets into Discourse, they cannot edit their email address, but we are allowing them to change their username so that they can have a more recognizable “nickname” in @ mentions and such.

  ...
  # Force fullName attribute from SAML assertion to override name attribute so that
  # the user's full name will be mapped to Discourse's Name field and will help
  # augment the numeric User Name field on posts.
  DISCOURSE_SAML_ATTRIBUTE_STATEMENTS: "name:fullName"

  DISCOURSE_SAML_AUTO_CREATE_ACCOUNT: true
  ...
  - exec: rails r "SiteSetting.login_required=true"
  - exec: rails r "SiteSetting.enable_local_logins=false"

  - exec: rails r "SiteSetting.email_editable=false"

  - exec: rails r "SiteSetting.display_name_on_posts=true"
  - exec: rails r "SiteSetting.prioritize_username_in_ux=true"
  ...
5 Likes