SSO with Roles translating to Groups

I have SSO set up (externally) through a JWT provider. My application uses a role based system for authentication and I’d like to translate this to discourse as well.

I believe using groups does this well. I can set up appropriate groups (manually if required / through the API), for this to work. However I don’t want to manually add users to a group.

  • If the groups are handled through the session cookie, can I have a field in my JWT (jwt-omniauth sso) to give the appropriate groups to the users?
  • Or will calling an API to add them to the group be the way to go?

Per Official Single-Sign-On for Discourse (sso), you could have your SSO provider include the groups, add_groups, and/or remove_groups keys to modify Discourse group membership based on the roles in your application (see the section in the top post there titled Specifying group membership).

1 Like

Exactly what I was looking for! Thanks!

It’s been a while since I read the official SSO post. Should’ve just gone back to it to take a look.
This is less of a feature post I suppose. Can someone retag it to support or is that not a big deal?