Triggering automatic authentication via SSO when linking to private topics?

We are using our own application as the SSO provider to Discourse, and we’re having an issue when linking users to private topics in our Discourse forum from our application, in that authentication is only triggered when clicking the ‘Login’ button.

  • We use our own system as the SSO provider to Discourse.
  • We have a mixture of public and private pages on our Discourse, so we don’t have login_required set.
  • If a user authenticates in to our system, and we link them to our Discourse root url, they are shown the public categories but are not logged in.
  • If a user authenticates in to our system, and we link them to our Discourse + /login, they are logged in fine, and redirected to the root Discourse URL.
  • If a user authenticates in to our system, and we link them to the URL of a private category/topic in Discourse, they are shown a page asking them to login. If they click Login, they are automatically logged in and shown the category/topic.

This last case is the problematic one. I think one of the following would be good:

  • we can link to ourdiscourse dot com/c/some-category?login=true and an auth check is performed - if user is logged in, show them the topic. If not, send them to our SSO provider, and redirect them back to the topic after logging in.
  • we can link to ourdiscourse dot com/login?redirect=c/some-category and an auth check is performed - if successful, redirect to the page on the query string, if not, redirect to SSO provider, and redirect to the page on the query string after successful authentication
  • we can link to ourdiscourse dot com/c/some-category, and if it’s a private page, Discourse performs an auth check, which if successful takes you to the category; if not successful, redirects to SSO provider, then redirects back.

Thanks!

(I’ve posted the issue before here - apologies for multiple postings, but I thought perhaps a new topic might get more response)

You can create a login link on your SSO provider site with a return_path parameter in the URL. After authentication, Discourse will redirect the user to the value set for the return_path. The link should be in this form:

<a href="https://forum.example.com/session/sso?return_path=https://forum.example.com/your-discourse-endpoint">Link Text</a>

4 Likes
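
An added example, not part of the original post and not Discourse's own code: one way the SSO provider site could generate the login link described above. It percent-encodes the return_path value and refuses any target outside the forum's own origin, so a generated link can only send users back to the forum. The function names are hypothetical and forum.example.com is the placeholder host from the post.

```python
from html import escape
from urllib.parse import urlencode, urljoin, urlsplit

FORUM_BASE = "https://forum.example.com"  # placeholder host, as in the post


def sso_login_link(target, forum_base=FORUM_BASE):
    """Build a /session/sso link that returns the user to `target`.

    `target` is a forum-relative path ("/c/some-category") or an absolute
    forum URL. It is resolved against the forum base first, and the resolved
    absolute URL is what gets validated and sent as return_path.
    """
    forum_base = forum_base.rstrip("/")
    # Browsers and urllib disagree on backslashes and control characters,
    # so refuse them instead of guessing how they will be parsed.
    if "\\" in target or any(ord(ch) < 0x20 for ch in target):
        raise ValueError("return_path contains a backslash or control character")

    base = urlsplit(forum_base)
    resolved = urljoin(forum_base + "/", target)
    parts = urlsplit(resolved)
    # Same scheme and same host (and port) as the forum, nothing else.
    if (parts.scheme, parts.netloc.lower()) != (base.scheme, base.netloc.lower()):
        raise ValueError("return_path must stay on the forum: %r" % target)

    # urlencode percent-encodes ':' and '/' so the whole URL travels as a
    # single query parameter value.
    return forum_base + "/session/sso?" + urlencode({"return_path": resolved})


def sso_login_anchor(target, text, forum_base=FORUM_BASE):
    """Render the link as an <a> element, HTML-escaping both parts."""
    href = escape(sso_login_link(target, forum_base), quote=True)
    return '<a href="%s">%s</a>' % (href, escape(text))


if __name__ == "__main__":
    # Constructed sample targets: one private category, one off-site URL.
    print(sso_login_anchor("/c/some-category", "Open the category"))
    try:
        sso_login_link("//other.example/c/some-category")
    except ValueError as err:
        print("rejected:", err)
```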

Can’t they also have the SSO do something similar so that when they log in to the SSO they are also logged in to Discourse?

The only ways I know of auto logging in users to Discourse when they log in to the SSO provider site seem a little hacky. With the use of SSO login links in the form I gave above and the sync_sso route for updating users without requiring them to log in, I can’t see where it would be required.

1 Like

Thank you - this has worked perfectly.

I’m not sure if we are doing this - what would be the way to check?

EDIT: should have searched first… details here: Sync SSO user data with the sync_sso route

3 Likes
