Problems configuring the discourse-saml plugin / Okta SSO

I’m trying to configure a self-hosted Docker instance of Discourse to authenticate users with SAML, using Okta as the IdP. At first my setup looked identical to what @runofthemill posted here: Discourse-saml + Okta endless redirect. But then, thanks @skoota, I reset all the native SSO configs to the defaults, since I understand I want to be relying just on the plugin.

So now the plugin is successfully installed, and SAML appears as a login option, but I get this error when I try to use it:

I took a look at the library this error seems to originate from, and it’s not obvious to me what’s going wrong. But I’m not a Rubyist, so maybe (hopefully!) I’m missing something obvious.

Suggestions? Thanks in advance.

Did you end up getting Okta working? Configuring Discourse + Okta is on my todo list. Thanks.

Nope, couldn’t figure it out! Thanks for asking though. If you do wind up figuring out how to make them work nicely together, I’d be interested to know what you discover.

1 Like

I was able to get Okta and Discourse working together nicely via OpenID Connect. I couldn’t figure out Okta via SAML, but it seems like that should be possible.

@Chris_Reilly, did you manage to push groups through Okta?

Wondering whether this is feasible:

Group sync requires SAML. OpenID does not support group sync. Okta supports SAML, but it requires a separate integration plus the SAML plugin or an enterprise plan.

1 Like

Could you please share the configuration details on the Okta side? How did you create the app and assign it? I can log in from Discourse via the OpenID option, but I cannot initiate authentication into Discourse from Okta.

We ended up switching to Auth0, but we couldn’t generate a direct-access launch link for users (except via a “Bookmark” app). If a user has no Discourse session and visits a protected URL, the system should create a new session. I have disabled all other login options in Discourse, so users don’t even see the login popup. For our proof of concept (POC), the overall setup was very smooth, but we never managed to solve the single logout scenario.

1 Like