I followed the Official SSO thread but can’t seem to get the universal login page to show up.
When I just enabled oAuth it worked. I logged in using “with Auth0” button with no problem. When I enabled SSO, it redirected to the Auth0 page but just gives me an error page with " invalid_request : Invalid parameter: client_id must be a string". My first thought is that I’m putting in the wrong “sso_url”. I honestly have no idea what is supposed to be there so i put “https://.auth0.com/authorize”
Anyone run into an issue like this? or have any ideas?
sso url should be set to the URL you have configured on your SSO provider site to handle the Discourse SSO request.
Discourse’s implementation of SSO does not use OAuth. It’s possible that is what’s causing confusion.
What language or framework is your SSO provider site using? It’s possible there is already an implementation of SSO for it that you can use.
My SSO provider is Auth0.com. I followed this topic to get oAuth2 set up and then tried to add SSO.
Maybe I need to look further into the Auth0 side because I only set up an application and domain (tenant); I didnt see anything about SSO.
That makes sense. Auth0 and Discourse SSO are completely seperate systems. You can’t enable them both on your site. It sounds like all you need to do is make sure that Auth0 is correctly configured on your site.
As a new user to setting up Discourse I share your confusion in misunderstanding the SSO feature. There’s a topic on it, but it still didn’t really convey it’s difference well, especially since some of the SSO settings are for using Discourse as the SSO provider(sort of like how you want to use Auth0).
To use external identity provider for the SSO feature, you need an intermediary service, such as discourse-sso-oidc-bridge, I got that working today with Keycloak instead of Auth0, should be roughly the same.
If you just want to use Auth0 like the social logins such as Google/Facebook/Github, then what you probably want to use is the
discourse-openid-connect plugin. You’ll need to install that and use the settings it provides, I tried that with Keycloak before the separate SSO feature. It doesn’t need the bridge inbetween, and might give you what you want(as long as you don’t want details on Discourse to update/sync when a user logs in again, which is the only time Discourse will sync account details).
Users will be prompted to create an account, but all the form fields will be filled out from your auth provider, a future update to the plugin intends to skip this and just create the account(provided it’s the only login option) like the existing SSO feature does.