SSO authentication with Centrify

Hi,
We are trying to use our SSO provider Centrify with Discourse. And we’re having some problems.
We installed the SAML plugin (https://github.com/discourse/discourse-saml)
We have Discourse version v1.8.0.beta9 +25
Below are screenshots of the discourse login setup and some of the logs we currently see.

The SAML assertion is sending the NameID (user identifier) variable as our Active Directory sAMAccountName (email minus the domain @f…com). The main thing is that it seems like the SAML assertion goes to the correct place, but Discourse is not configured properly to process it. Normally, it gives ‘Bad CSRF’, which I’m not entirely sure what it means.

Assertion URL: http://discourse_web_url/auth/saml/callback
Issuer: http://cloud.centrify.com/SAML/AppName
Audience: http://discourse_web_url
Recipient: http://discourse_web_url/auth/saml/callback

Identity Provider Info:
Sign-In URL: https://aac0995.my.centrify.com/applogin/appKey/xxxxx-xxxx-xxxxxx-xxxxxxx/customerId/XXXXXXXX
And it has also an associated sign-in certificate

Any help would be greatly appreciated!!

Thank you,
Matthieu

From your screenshots you are entering in invalid settings in both “sso url” and “sso secret”…

Quickly reading the instructions and code here - neither of these settings are used for SAML:
https://github.com/discourse/discourse-saml

I would suggest checking the readme again and ensuring you have followed the steps:
https://github.com/discourse/discourse-saml/blob/master/README.md

3 Likes

Thank you Dean for your help.

If I remove the ‘sso url’ setting, then going to the Discourse page, Chrome gives me an error with “too many redirects”.
I can remove the ‘sso secret’ safely (‘enable sso provider’ is not enabled).

I checked the app.yml settings.
The DISCOURSE_SAML_TARGET_URL is set with the same “sign-in URL” or “SSO URL” above.
The DISCOURSE_SAML_CERT_FINGERPRINT and DISCOURSE_SAML_CERT are set (correctly, I hope; I went to SAML X.509 Certificate Fingerprint - Online SHA1 Decoder | SAMLTool.com to generate the fingerprint).
And DISCOURSE_SAML_FULL_SCREEN_LOGIN is set to true.
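An added example (not code from this thread or from the discourse-saml plugin) that checks the three app.yml values discussed above agree with each other: it recomputes the SHA1 fingerprint of DISCOURSE_SAML_CERT and compares it with DISCOURSE_SAML_CERT_FINGERPRINT, and flags a non-https DISCOURSE_SAML_TARGET_URL. The self-signed IdP certificate it builds is constructed for the demonstration only.

```ruby
require 'openssl'

# SHA1 fingerprint of a PEM X.509 certificate, formatted the way IdP consoles
# and fingerprint tools print it (colon-separated upper-case hex pairs).
def saml_cert_fingerprint(pem)
  cert = OpenSSL::X509::Certificate.new(pem)
  OpenSSL::Digest.new('SHA1').hexdigest(cert.to_der).upcase.scan(/../).join(':')
end

# Normalise a hand-typed fingerprint: drop colons and spaces, upper-case.
def normalize_fingerprint(fp)
  fp.to_s.delete(': ').upcase
end

# env is a Hash like ENV or the env: block of app.yml. Returns a list of
# problems; an empty list means the three settings are consistent.
def check_saml_env(env)
  problems = []
  pem = env['DISCOURSE_SAML_CERT']
  fp  = env['DISCOURSE_SAML_CERT_FINGERPRINT']
  url = env['DISCOURSE_SAML_TARGET_URL']

  problems << 'DISCOURSE_SAML_TARGET_URL must be an https:// URL' unless url.to_s.start_with?('https://')

  if pem.to_s.strip.empty?
    problems << 'DISCOURSE_SAML_CERT is empty'
  else
    begin
      actual = normalize_fingerprint(saml_cert_fingerprint(pem))
      if normalize_fingerprint(fp) != actual
        problems << "DISCOURSE_SAML_CERT_FINGERPRINT does not match DISCOURSE_SAML_CERT (cert has #{actual})"
      end
    rescue OpenSSL::X509::CertificateError
      problems << 'DISCOURSE_SAML_CERT is not a parseable PEM certificate'
    end
  end
  problems
end

# Constructed, throwaway self-signed certificate standing in for the IdP's signing cert.
def constructed_test_cert
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse('/CN=example-idp')
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert.to_pem
end
```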

This is caused by a page redirecting to another page which then redirects again.

This might be the same page redirecting to itself or two pages bouncing between each other.

It might be helpful to find out which URLs are redirecting, to work out where the source of the problem might be.

To do this, open Google Chrome Developer Tools, have the Network tab open, then visit the page.

Hi Matthieu and Dean,

I am a Product Manager and a Developer Advocate with Centrify. It seems that Dean has the Discourse side of things covered here, but I wanted to get in touch and tell you that if at any point you need help with the Centrify side of the configuration, please loop me in and I am happy to help. I can set up a call for all of us to work through this too if that is helpful. You can reach me at devsupport@centrify.com.

1 Like