Syncing groups of users from external system


(Henning) #1

Continuing the discussion from SSO working, but how do I get admin and moderator-rights passed?:

What would be the best solution for syncing my external group-relations with discourse?

I need my users to belong to different groups, so they can have different rights on categories. E.g. some internal categories for the board, some for specific projects etc.

After users register, there will definitely come new groups, for our events, projects etc., so passing data at user creation is not an option, and we already maintain the user/project relation externally.

Any ideas?


(Rafael dos Santos Silva) #2

What about this:

  • SSO setting with a list of groups controlled by SSO.

  • SSO payload can send a property groups with a list (pipe delimited?) of user groups. Discourse removes the user from groups not present, and adds any new one. Only applies to groups in the setting described in the first point.


(Henning) #3

It’s something like that I’m looking for.

Is it already implemented in discourse? And if so where do I find the documentation to use it?


(Rafael dos Santos Silva) #4

I don’t think so, I just came up with this spec late at night. :smile:

If some staff member gives a :thumbsup: to me I can try to craft a PR. It will be awesome for my instance. We’re aiming for maybe 50k users and managing groups by hand makes me :pokerface:


(Henning) #5

It sounds like a good way to assign the groups a member belongs to.

In my use case, we’ll have many groups in our backend system. I don’t necessarily want groups to be added automatically. In my case we would then have many unused groups. That would be a bad thing, but syncing members in existing groups, and discarding non-existing groups, would be the best solution for my use.


(Rafael dos Santos Silva) #6

Yeah, like:

You need to create groups, and allow some groups to be handled by SSO.

During SSO login, only groups who are:

  • Existing groups
  • Allowed in SSO settings

are handled.


(Henning) #7

Yeah.

Just like that.

I’d like to have our backend just pass the groups a member belongs to at SSO, and let discourse decide if it can grant access if it’s allowed.

Sounds really great.

Right now we have just a little forum that is on the way to being set up, but I’m really hoping that this option will come :wink:


(Kane York) #8

Right now, you can assign the list of groups a user belongs to on the /admin/users/username page. Use your browser developer tools to record the request, and have your site make similar requests with an admin API key.


#9

Is there a way to add SSO users to groups automatically?

I run a website that will sometimes sell paid ranks to its users, but I would also like those paid ranks to be synchronized with Discourse. Can this be done using a specific SSO field? Or by using a custom (non-editable) user-field to set the group? If there isn’t a way, is there a “hack” to do it?


#10

Definitely wish syncing discourse groups with external groups via SSO existed. As it stands, I think we have to do this via API.


(Philip Colmer) #11

I’ve managed to make use of the new functionality in 1.7 that allows users to be added to groups when they sign in via SSO.

However, the functionality as implemented is different from the way originally proposed by @Falco in that Discourse doesn’t remove the user from groups not present in the SSO list.

There is a remove_groups key that can be used in SSO but I have no way of knowing which groups a user is in within Discourse that they now need to be removed from because they aren’t in the corresponding group on the external system.

It seems that the functionality as implemented doesn’t quite meet the needs of being able to sync group membership, unless I’ve misunderstood something or can’t think of a better way to fill out the remove_groups value?


(Rafael dos Santos Silva) #12

You can keep a list of all custom groups in Discourse (it can even be automated by calling https://meta.discourse.org/groups.json) and when you send an SSO you put the groups you want the user to be in on the add_groups key and every group not there on the remove_groups key.


(Philip Colmer) #13

Thank you for the suggestion.

Is there a way of retrieving the groups that aren’t visible to all users? Currently, the groups I’m syncing from LDAP I have set to not be visible because I only want to use them for category security. I definitely don’t want forum users to be able to see who is in one of these groups, which is why I had opted not to make them visible.


(Rafael dos Santos Silva) #14

I believe /admin/groups.json will list them all.


(Philip Colmer) #15

Just in case anyone else needs to figure this out, since it is my SSO code that needs to retrieve groups.json and since /admin/groups.json requires authentication … thus presenting a potential logic loop … the solution is to do something like this:

https://discourse.example.com/admin/groups.json?api_key=magicstringhere&api_username=fred

thus avoiding the need to directly authenticate.
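
The approach from posts #12 and #15, as an added example that is not part of the original thread: an SSO provider derives `add_groups` and `remove_groups` from the Discourse group list and signs the payload with HMAC-SHA256 over the Base64 string. The group names, the JSON shape of the sample, the secret and the optional `managed` allow-list are assumptions constructed for illustration.

```python
import base64
import hashlib
import hmac
import json
from urllib.parse import parse_qs, urlencode

# Constructed sample; assumed shape of an /admin/groups.json response.
SAMPLE_GROUPS_JSON = """[
  {"name": "admins", "automatic": true},
  {"name": "trust_level_0", "automatic": true},
  {"name": "board", "automatic": false},
  {"name": "project-alpha", "automatic": false},
  {"name": "event-2017", "automatic": false}
]"""

def custom_group_names(groups_json):
    """Non-automatic groups only; admins and trust levels are not synced here."""
    return {g["name"] for g in json.loads(groups_json) if not g.get("automatic")}

def group_sync_fields(external, discourse_custom, managed=None):
    """Return (add, remove) group lists for one user.

    external: groups the user holds in the external system.
    managed: hypothetical provider-side allow-list; None means every custom
    group is in scope, as described in post #12.
    """
    scope = discourse_custom if managed is None else discourse_custom & set(managed)
    # External groups that do not exist in Discourse fall out of scope here.
    return sorted(scope & set(external)), sorted(scope - set(external))

def _sign(payload, secret):
    return hmac.new(secret.encode(), payload.encode(), hashlib.sha256).hexdigest()

def build_sso_response(nonce, external_id, email, add, remove, secret):
    """Build the (sso, sig) pair returned to Discourse after login."""
    fields = {"nonce": nonce, "external_id": external_id, "email": email,
              "add_groups": ",".join(add), "remove_groups": ",".join(remove)}
    payload = base64.b64encode(urlencode(fields).encode()).decode()
    return payload, _sign(payload, secret)

def verify_sso(payload, sig, secret):
    """Receiver-side check, included so the example can be verified offline."""
    if not hmac.compare_digest(_sign(payload, secret), sig):
        raise ValueError("bad SSO signature")
    decoded = base64.b64decode(payload).decode()
    return {k: v[0] for k, v in parse_qs(decoded, keep_blank_values=True).items()}
```

Passing a `managed` set limits removals to groups the external system owns, so manually maintained Discourse groups are left alone. Current Discourse versions accept the admin key in `Api-Key` and `Api-Username` request headers, which keeps it out of URLs and access logs.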