Two Discourses with SSO: avoid admin/moderator sync

RGJ · April 15, 2019, 7:02pm

We have two Discourses set up, where one uses SSO against the other one.
However, we do not want to synchronize admin and moderator privs, but they are synced every time a user logs in on the SSO client forum.

sso_overrides_groups has been disabled. It does not seem to work for admin and moderator privileges, when I look at the code those are implemented separately (https://github.com/discourse/discourse/blob/master/app/models/discourse_single_sign_on.rb#L78-L102)

Is this by design, or is this a bug? Does anyone know a way around this?

codinghorror · April 15, 2019, 11:44pm

Any thoughts on this @sam?

sam · April 16, 2019, 12:07am

We are going to need 2 extra site settings here:

https://github.com/discourse/discourse/blob/74c4ef6b5019b110819c24a4df8efc2b7e87ebd5/app/controllers/session_controller.rb#L62-L64

sso_provider_include_groups
sso_provider_include_staff_flags

I think the default is correct though.

RGJ · September 4, 2019, 5:55pm

Is a PR for this still welcome @sam ?

sam · September 14, 2019, 11:04pm

Yes, I support adding something here, it will clearly have to live on the consumer side. I do struggle a bit with naming though.

sso_sync_staff, sso_sync_groups maybe? Trouble with sso_sync_groups is that there is naming clash with sso_overrides_groups.

So maybe instead we go with sso_incoming_scopes with a default of staff,groups... then you can select which incoming scopes you allow.

Topic		Replies	Views
Seeking Guidance: Dual Authentication Setup for Moderators and Students SSO	5	504	December 13, 2023
Login for Staff and Moderators after enabling SSO Support	11	59	September 24, 2024
SSO groups without completely overriding Support	9	1514	January 8, 2021
Syncing bans from SSO provider SSO	4	2220	June 29, 2017
Discourse SSO + normal login SSO	1	4170	August 1, 2017

Two Discourses with SSO: avoid admin/moderator sync

Related topics