SSO may have broken yesterday

I use SSO, and at sign-up on my main site, my users get a new account on Discourse. Since yesterday only 1 user have been created (which is wrong). I just checked my error log and it says a lot of stuff like this:

ActiveRecord::RecordInvalid: Validation failed: Signup is not allowed from this account. in users#sync_sso
ActiveRecord::RecordInvalid (Validation failed: Signup is not allowed from this account.)

I didn’t change anything. My users sign up on my own site, and I use an API call with my admin user (and his API-key) to sync them. I’ve been fine until last night, getting ~50 users per day.

Can I do anything?

EDIT: It’s the call to /admin/users/sync_sso that fails, all of a sudden. Hasn’t worked for 20 hours. However, when the user clicks “Login” he is redirected, authenticated then redirecetd back, the users is created and is then logged in. It’s only the /admin/users/sync_sso-call that fails.

There was a new change to SSO to enforce IP address restrictions for signing up. For example, if a user’s IP was banned that user wouldn’t be able to sign up. Since all your users are getting created via API, they likely are being created with the same IP address and are being screened as suspicious.

I’m working on a fix right now, will post when it’s ready. In the meantime you can increase the max_new_accounts_per_registration_ip SiteSetting and that should allow users in.

Here’s the proper fix:

https://github.com/discourse/discourse/commit/005b8bf7c3a257f1e531965e9a19bc92b2f0a587

6 Likes

Thanks man! That was quick! I think I’ll wait for it to be merged to master.

They are created when they click “Log in” though, so it’s not an emergency. I would just like to have my two user-bases in sync, and as of ~20 hours ago they weren’t.