Trouble configuring SSO with discourse-saml plugin / Okta

I’m trying to configure a self-hosted Docker instance of Discourse to authenticate users with SAML, using Okta as the IdP. At first my setup looked identical to what @runofthemill posted here: Discourse-saml + Okta endless redirect. But then, thanks to @skoota, I reset all the native SSO configs to the defaults, since I understand I want to be relying just on the plugin.

So now the plugin is successfully installed, and SAML appears as a login option, but I get this error when I try to use it:

I took a look at the library this error seems to originate from, and it’s not obvious to me what’s going wrong. But I’m not a Rubyist, so maybe (hopefully!) I’m missing something obvious.

Suggestions? Thanks in advance.

Did you end up getting Okta working? Configuring Discourse + Okta is on my todo list. Thanks.

Nope, couldn’t figure it out! Thanks for asking though. If you do wind up figuring out how to make them work nicely together, I’d be interested to know what you discover.


I was able to get Okta and Discourse working together nicely via OpenID Connect. I couldn’t figure out Okta via SAML, but it seems like that should be possible.

@Chris_Reilly, were you able to get groups to push somehow via Okta?

Wondering if this works:

Group Sync requires SAML. OpenID does not support group sync. Okta can do SAML but requires a separate integration and SAML plugin/enterprise plan.


Could you please share the configuration from the Okta side? How did you create the app and assign it? I can log in from Discourse using the OpenID option, but can’t initiate auth from Okta to Discourse.

We ended up using Auth0 instead, but I wasn’t able to get users a launchpad link directly to it outside of a “Bookmark” app. If they didn’t have a Discourse session and hit a protected URL, it should create a new session. I had disabled all other login options in Discourse, which makes it so the user never even sees the login modal. It ended up being a smooth setup for our POC, but we never got around to figuring out the single logout scenario.
