SSO has stopped working


(David Marine) #1

I have had SSO against an ASP.NET website working perfectly for years. Now, after only doing the routine upgrade (docker and Discourse) through the admin UI, trying to sign in with SSO yields the following error:

Login Error

There is a problem with your account. Please contact the site’s administrator.

When I click the “Log In” button in Discourse, I am correctly taken to my ASP.NET app’s sign in page. When I correctly sign in there, I am briefly returned to the /latest page in Discourse, but then quickly redirected to the error page. At that point, the URL in the browser address field changes to the following:

http://[my discourse domain]/session/sso_login?sso=[yadayada]&sig=[yadayada]

I have no idea where to even begin figuring this out as I have no idea what changed to make it happen.

In which logs (and where) should I look?

I appreciate any help!

Thanks,

David

(Régis Hanol) #2

You could enable the “verbose sso logging” site setting and then check http://your.discourse/logs.

Note: you can log in as admin via the /u/admin-login page.


(David Marine) #3

Thank you for the extremely quick reply!

Didn’t know about that login page. Tried it and got the following error:

[“BAD CSRF”]


(David Marine) #4

After entering my admin’s email address and clicking the “Send Email” button, I see the server is returning a 403 error.


(David Marine) #5

Update: If I use the /u/admin-login page on Firefox instead of Chrome, I don’t get the [“BAD CSRF”] error and the email to login as admin is sent. When I click the link in the email to log in, I am taken to a page that simply says “Error”.

This indicates to me that the issue isn’t with SSO, but instead with logging in in general. Is there a way I can SSH into the server instead and view more information about this from a log file?


(Rafael dos Santos Silva) #6

Is your site available on both HTTP and HTTPS?


(David Marine) #7

Not for anything having to do with my Discourse site.

Also, I have changed nothing since it last worked. And, it worked perfectly without issue for years.

Here’s exactly what I did:

I saw on the admin page that I needed to update my Discourse site, something I’ve done many, many times before without issue.

I clicked the update link, went to the update page, and saw that docker needed updating first.

I updated docker. When it was done there was a message saying I had to update to the latest discourse through the command line. It couldn’t be done through the UI.

So I executed the following commands:

cd /var/discourse
git pull
./launcher rebuild app

When that was complete I tried to go back to the admin page and I was not able to log in. Instead I received the following error:

Login Error

There is a problem with your account. Please contact the site’s administrator.

I have since tried to log in as admin using the /u/admin-login page. I do receive the email but when I click the link to log in I arrive at a page with the word “Error” and nothing else.

Discourse has spoiled me all these years because there has never been an issue. Now that there is, I am at a complete loss on how to proceed to even debug the issue.


(Rafael dos Santos Silva) #8

Is your Discourse forum available on both HTTP and HTTPS?


(David Marine) #9

I should have been clearer - my apologies. My discourse site and the ASPdotNET SSO endpoint are only HTTP.


(David Marine) #10

Regardless, nothing has changed between when it worked last and now, other than me doing a docker and a discourse upgrade.


(Rafael dos Santos Silva) #11

Can you share the full verbose log from /logs during an SSO login?


(David Marine) #12

Happy to. How do I change the log to verbose and where are the logs? I am not able to find a logs dir at the root or at /var/discourse.


(Rafael dos Santos Silva) #13

After you log into Discourse with the example.com/u/admin-login path, you can enable verbose logs on example.com/admin/site_settings/category/all_results?filter=verbose%20sso and check logs at example.com/logs.


(David Marine) #14

The thing is, I cannot log in with the /u/admin-login path. I just get a page with the word “Error” on it.

I am thinking SSO isn’t the problem. Instead it is something more fundamental with logging in.


(David Marine) #15

I very much appreciate the help with this issue, however I am also more than willing to figure this out on my own. Unfortunately I am a bit out of my element with Discourse. Where can I find the logs that would contain any errors associated with logging in? Please keep in mind that I am unable to log in at all, whether as admin or other, and so cannot set the verbosity of logging or view the logs through the web UI.


(Rafael dos Santos Silva) #16

cd /var/discourse
./launcher enter app
cd log
tail -f *.log

Now try an SSO login, and the terminal will output the error.


(David Marine) #17

Thank you Rafael. I very much appreciate you taking the time to help.

Turns out the issue was my error due to not knowing what happened when a user was deleted.

Here’s what happened:

Someone reported a spammy post to my discourse instance, so I checked out the post and also impersonated the user in the web app that handles SSO for the discourse instance. This then recorded the spammer’s last IP address as mine and so when I deleted them, my IP address was blocked!

Now that I’ve unblocked my IP address, I have been able to log in as admin. Strangely, I am no longer able to log in from Chrome, only from Firefox and Edge. Even after clearing out the cache and cookies from Chrome for my discourse and SSO-handling website, I still cannot log in from Chrome. This is unexpected and frustrating; however, it is not a show stopper.

Thank you again for the time and help.