Two Discourses with SSO: avoid admin/moderator sync

We have two Discourses set up, where one uses SSO against the other one.
However, we do not want to synchronize admin and moderator privs, but they are synced every time a user logs in on the SSO client forum.

sso_overrides_groups has been disabled. It does not seem to work for admin and moderator privileges; when I look at the code, those are implemented separately (https://github.com/discourse/discourse/blob/master/app/models/discourse_single_sign_on.rb#L78-L102).

Is this by design, or is this a bug? Does anyone know a way around this?

4 Likes

Any thoughts on this @sam?

1 Like

We are going to need 2 extra site settings here:

https://github.com/discourse/discourse/blob/74c4ef6b5019b110819c24a4df8efc2b7e87ebd5/app/controllers/session_controller.rb#L62-L64

sso_provider_include_groups
sso_provider_include_staff_flags

I think the default is correct though.

4 Likes

Is a PR for this still welcome @sam ?

3 Likes

Yes, I support adding something here, it will clearly have to live on the consumer side. I do struggle a bit with naming though.

sso_sync_staff, sso_sync_groups maybe? Trouble with sso_sync_groups is that there is a naming clash with sso_overrides_groups.

So maybe instead we go with sso_incoming_scopes with a default of staff,groups... then you can select which incoming scopes you allow.

3 Likes
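
A stand-alone Ruby sketch of the consumer-side filtering discussed in this thread, added here as an illustration; it is not Discourse's code and not from any poster. It assumes the signed payload form used by Discourse SSO (a base64-encoded query string with an HMAC-SHA256 hex signature); the helper names, the scope-to-key grouping, and the sample secret and payload are hypothetical or constructed, and sso_incoming_scopes is only the name proposed above.

```ruby
require "openssl"
require "uri"

# Payload keys per scope. The scope names come from the thread's proposal;
# the key grouping is an assumption of this sketch.
SCOPED_KEYS = {
  "staff"  => %w[admin moderator],
  "groups" => %w[groups add_groups remove_groups],
}.freeze

# Compare without stopping at the first differing byte.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Hypothetical helper: check the HMAC-SHA256 signature over the base64
# payload, then drop every attribute whose scope is not allowed.
def filter_incoming_sso(payload_b64, sig_hex, secret, allowed_scopes)
  expected = OpenSSL::HMAC.hexdigest("SHA256", secret, payload_b64)
  raise ArgumentError, "bad SSO signature" unless secure_equal?(expected, sig_hex)

  attrs = URI.decode_www_form(payload_b64.unpack1("m")).to_h
  blocked = SCOPED_KEYS.reject { |scope, _| allowed_scopes.include?(scope) }
                       .values.flatten
  attrs.reject { |key, _| blocked.include?(key) }
end

# Hypothetical helper: a flag is only written when its key survived the
# filter, so a blocked scope leaves the locally assigned value in place.
def apply_staff_flags(user, attrs)
  user = user.dup
  user[:admin] = attrs["admin"] == "true" if attrs.key?("admin")
  user[:moderator] = attrs["moderator"] == "true" if attrs.key?("moderator")
  user
end

# Constructed sample payload and secret, for illustration only.
SAMPLE_SECRET = "constructed-test-secret"
SAMPLE_PAYLOAD = [URI.encode_www_form(
  "external_id" => "42", "email" => "user@example.com",
  "admin" => "true", "moderator" => "false", "add_groups" => "staff_lounge"
)].pack("m0")
SAMPLE_SIG = OpenSSL::HMAC.hexdigest("SHA256", SAMPLE_SECRET, SAMPLE_PAYLOAD)
```

With an empty scope list the consumer keeps only identity fields, so a local moderator stays a moderator even when the provider sends moderator=false.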