SSO and Invites?


(Lisa Wess) #1

Hey folks,

Has anyone in this community overcome the limitations wherein turning on SSO disables invites?

We are looking to use the invite feature but also use SSO which disables invites and I am just seeing if anyone has tackled this - before we try to. :slightly_smiling:

Thank you!

-Lisa


(Jeff Atwood) #2

They are fundamentally incompatible – (email) invites would bypass the parent site authentication methods by definition.


(Michael Downey) #3

To be clear, you can still invite existing SSO-based users to topics. Just not new users (and have them pre-staged).


(Lisa Wess) #4

@downey - yes :slight_smile: I was still hoping that someone had thought about / tackled this. I do understand just how difficult this may be. Thank you! Still seeking out anyone who has had a go at this.


(Michael Downey) #5

What would the scenario look like in reality, though? Would it basically be “email this topic to someone@example.com”? Or are you thinking about how Discourse could create accounts in the master SSO directory?


(Lisa Wess) #6

@downey - it would need to create the accounts in our master system as well. I’ll be taking this to our engineering teams; I wanted to check around before I did.


(Michael Downey) #7

Yeah, it’s pretty much a one-way flow of user information the way things are currently structured.


(Lisa Wess) #8

This could be a fun challenge. We’ll see. Thank you all! If anyone else has tackled it please let me know. :slight_smile:


#9

We haven’t tackled it but are also interested. Keep us in the loop with your progress.


(Lisa Wess) #10

Hey @HAWK - I am no longer working with that community so I won’t be updating here. I am sure this could help others so I hope you’ll update if you make progress! :slight_smile:


#11

Bummer. Thanks for the follow up. I’ll keep everyone in the loop if I move with this. :slight_smile:


(John Britton) #12

We’d be really interested in support for a feature like this. Here’s how I’d see it working:

  1. Existing member of the discourse site who is logged in with SSO clicks invite user
  2. Prompted to provide handle of the user to invite, this is the handle from our main site
  3. Discourse uses an API to fetch the email of that user from our main system
  4. Email invitation is sent

An alternative case would be inviting by email:

  1. Click invite user
  2. Enter email address
  3. Send email with link to login to discourse, include url param invited_by=login or similar
  4. Our SSO system prompts the user to sign up for an account on our parent site if they’re not logged in and don’t have an account, the invited_by=login data can optionally be used to render a page showing that the user was invited
  5. Account is created on our main site and discourse login proceeds as normal.

(Bedhed) #13

We have the following use case.
1000000 users on our main platform.
100 on our discourse instance, with SSO enabled.
1 closed category with a group of 20 people within
Someone from this group asks me to add 1 person from our 1000000 users.

Lo-tech Solution: ask the person to come twice, once to create the user on discourse side, then I put the user in the group, then the person comes the second time to access the content we want for her.

High-tech Solution: use the API to create the missing user, put her in the group, send her the invite.

Later: Do it for 1000000 users and the 20 closed groups we need to manage our community.


(Sam Saffron) #14

I plan to add support for specifying groups in the SSO payload. Once that is added you can handle all of this stuff on your side. Once invited you add that to the SSO payload you send us.
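
An added illustration of the approach in the last post, not code from Discourse or from any poster in this thread: the parent site verifies the forum's signed login request, then returns a signed payload that carries the invited user's groups. It assumes the Discourse SSO wire format (a base64-encoded query string signed with hex HMAC-SHA256 under the shared secret) and assumes the group field is named `add_groups`; the secret, user record, URL and group name are constructed.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode

SSO_SECRET = b"constructed-demo-secret"  # constructed; stands in for the shared SSO secret


def sign(payload_b64, secret=SSO_SECRET):
    """Hex HMAC-SHA256 over the base64 payload string."""
    return hmac.new(secret, payload_b64.encode(), hashlib.sha256).hexdigest()


def read_request(sso, sig, secret=SSO_SECRET):
    """Verify the forum's login request and return its nonce."""
    if not hmac.compare_digest(sign(sso, secret), sig):
        raise ValueError("bad signature on SSO request")
    fields = parse_qs(base64.b64decode(sso).decode())
    if "nonce" not in fields:
        raise ValueError("SSO request carries no nonce")
    return fields["nonce"][0]


def build_response(nonce, user, invited_groups, secret=SSO_SECRET):
    """Return (sso, sig) for the redirect back to the forum."""
    params = {
        "nonce": nonce,  # echoed so the forum can tie the reply to its own request
        "external_id": user["id"],
        "email": user["email"],
        "username": user["handle"],
    }
    # Groups come from the parent site's own invite records, never from
    # request parameters the browser controls.
    if invited_groups:
        params["add_groups"] = ",".join(sorted(invited_groups))  # assumed field name
    payload = base64.b64encode(urlencode(params).encode()).decode()
    return payload, sign(payload, secret)


def demo():
    # Constructed login request, shaped as the forum would send it.
    raw = b"nonce=abc123&return_sso_url=https%3A%2F%2Fforum.example%2Fsession%2Fsso_login"
    sso = base64.b64encode(raw).decode()
    nonce = read_request(sso, sign(sso))
    user = {"id": "42", "email": "invitee@example.com", "handle": "invitee"}  # constructed
    return build_response(nonce, user, {"closed-category"})


if __name__ == "__main__":
    print(demo())
```

Because the group list sits inside the signed payload, the forum only accepts memberships that the parent site itself asserted.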