SSO via external site vs. subfolder setup

(Thomas Abraham) #1

I have a fresh subfolder setup and connected an external SSO interface. The login and creation of the local discourse accounts is working perfectly.
But once the user gets created via session/sso_login he is not recognized as valid user. There’s no error message at all - the user just gets redirected to the last visited page - that’s it.

Is there any known issue with using external SSO in a subfolder setup? The user never is able to act as active user although written to the database and shown up in the admin panel which was opened before activating SSO. When I leave the panel and log out the admin user nobody is able to access the forum anymore until I disable the SSO option manually.

The proxy setup is rather complex. Probably this is the reason for my issue. But before discussing it I’d like to know if anybody has already confirmed that SSO in a subfolder setup is working in general.

(Sam Saffron) #2

I have not tested it in a subfolder setup, possible there may be a bug

(Thomas Abraham) #3

mhm, I’m a little bit unsatisfied and confused, but I believe that I have found a reason and a workaround for this:

After playing around heavily with several installations of Discourse in my environment the last days it seems that I hit a cookie related bug.

I’ve found the following cookies doubled each, set for the very same domain and path:

  • _t
  • _forum_session

This occured in two different browsers (Firefox and Chrome). Obviously the browsers or Discourse were not able to handle the duplication of cookies. I have no clue how this can happen.

I have removed all occurancies of _t and _forum_session and was able to log in successfully via SSO.

I’m not sure if anybody is willing to file a bug for this and to reproduce this behavior.

It has taken away two days of my live - hence probably it could be a good idea to consider having a closer look at the Discourse cookie management.

(Jeff Atwood) #4

Possible it is specific to subfolder. Can you verify @neil on one of our sites with subfolder hosting?

(Rafael dos Santos Silva) #5

I have subfolder with SSO since July and it’s working fine :thumbsup:

(Neil Lalonde) #6

TuDiabetes’ sites are also using SSO and haven’t had this problem.

(Thomas Abraham) #7

Thank you very much for your positive response.
As mentioned before, I’ve identified cookie related issues. In addition I have seen that there is an issue with the caching headers. The latter must have to do with running cascading proxy servers - very often a user has to force a reload of the page after login or logout. I cannot simplify the proxy setup, since our corporate website relies on it.

Cookies and cache are different issues. If needed I will open corresponding threads later.

I confirm that SSO is running smoothly with subfolder. Feel free to close this issue.

(Jeff Atwood) #8