SSO - "There is a problem with your account. Please contact the site's administrator."

SSO
1

I just setup SSO on my discourse forum that I deployed through docker using the latest “stable” version (1.5). To clarify, I have my own SSO service that I am using to log into discourse. I am not using Discourse as an SSO provider. I used the cviebrock/discourse-php PHP package in order to develop the SSO service to work with discourse.

Whenever I hit login, everything redirects okay, but I land on the discourse forum with the message:

There is a problem with your account. Please contact the site’s administrator.

The address I land on is:

http://discourse.mydomain.org/session/sso_login?sso=bm9uY2U9NzFiNGIzM2UxMGQxYWJiYzc1MGI3MDFjMzE4ZTQwZTMmZXh0ZXJuYWxfaWQ9NTcw&sig=a3250a90855912afdbeb13be004449df52f404934b0414de02444c0d9be812ad

I tested messing with the signature or the sso and if I do that I get a blank page. I also tested plugging in an incorrect secret and got a different error message.

Has anyone else received this error message and know what I should do? Are there logs anywhere I can get more detailed information from?

2

Nevermind, it was a stupid implementation error on my part. I had the code:

$extraParameters = array(
    'name' => $userEmail = $_SESSION['name']
);

which should have been:

$extraParameters = array(
    'name' => $_SESSION['name']
);

I don’t khow how to delete or close this post, but would be grateful if someone else would.

1 Like
4

You can’t on your own. Here, we recommend that you ask a moderator :wink:

5

Hmm, how can we make the error message more useful in this case? Any ideas?

1 Like
7

No suggestions, but I agree it should be more descriptive!

8

@techapj can you add to your list, to look into this error message and any detail we can add to it at the time it occurs?

1 Like
9

At the moment I have a user on my Discourse instance experiencing this issue. For the SSO I’m using the official Wordpress Plugin GitHub - discourse/wp-discourse: WordPress plugin that lets you use Discourse as the community engine for a WordPress blog version 0.7

10

and now I have a new one. I’m hosting Discourse version 1.5.2

12

Possibly, not sure if @techapj had a chance to look.

14

I didn’t had the chance to improve logging here yet. It’s on my low priority list.

I recommend enabling verbose sso logging setting and debug logs.

2 Likes
16

What do you see when …

… you follow the above advice and look in /logs via your web browser?

2 Likes
18

I don’t see any email field in that sso payload - make sure that the provider has an email on file for everyone.

3 Likes
19

If the email is actually there (and not blank), perhaps that email address has been banned or blacklisted. Check your site settings and admin, logs, screened emails.

2 Likes
21

Hi,
I found another wierd behavior to get this error. And it is very annoying. Documentation sais that the SSO has to urlEncode the values of the unsigned payload.

Ok, for example I map the value of user.name:

  • Single string. Works fine
  • String with ONE space. It can either be encoded with a + or %20 (both are valid urlEncodings). Works fine
  • String with TWO or MORE spaces. When they are encoded with a +, ERROR. With %20 works fine.

One space encoded with a ‘+’ works but several ‘+’ don’t? And the logs do not raise any error about this.

I think this is worth mentioning in the SSO documentation.

Thank you

22

This generic error shows up also when hitting the registration limit from the same ip - only saw the real reason after enabling verbose logging …

23

I now get this error with SSO. Possibly related to change an account’s email address from the WordPress side.

24

The solution for my problem was:

  1. Admin -> Settings -> enable verbose SSO logging
  2. Navigate to /logs on one screen while attempting to login on the other

This found the problem, then…

  1. Delete existing account (non-sso) with the same email address
  2. Reattempt SSO login
1 Like