Two Discourses with SSO: avoid admin/moderator sync

RGJ · April 15, 2019, 7:02pm

We have two Discourses set up, where one uses SSO against the other one.
However, we do not want to synchronize admin and moderator privs, but they are synced every time a user logs in on the SSO client forum.

sso_overrides_groups has been disabled. It does not seem to work for admin and moderator privileges, when I look at the code those are implemented separately (https://github.com/discourse/discourse/blob/master/app/models/discourse_single_sign_on.rb#L78-L102)

Is this by design, or is this a bug? Does anyone know a way around this?

codinghorror · April 15, 2019, 11:44pm

Any thoughts on this @sam?

sam · April 16, 2019, 12:07am

We are going to need 2 extra site settings here:

https://github.com/discourse/discourse/blob/74c4ef6b5019b110819c24a4df8efc2b7e87ebd5/app/controllers/session_controller.rb#L62-L64

sso_provider_include_groups
sso_provider_include_staff_flags

I think the default is correct though.

RGJ · September 4, 2019, 5:55pm

Is a PR for this still welcome @sam ?

sam · September 14, 2019, 11:04pm

Yes, I support adding something here, it will clearly have to live on the consumer side. I do struggle a bit with naming though.

sso_sync_staff, sso_sync_groups maybe? Trouble with sso_sync_groups is that there is naming clash with sso_overrides_groups.

So maybe instead we go with sso_incoming_scopes with a default of staff,groups... then you can select which incoming scopes you allow.

Topic		Replies	Views
Seeking Guidance: Dual Authentication Setup for Moderators and Students sso	4	384	December 13, 2023
SSO groups without completely overriding support	9	1332	January 8, 2021
Syncing bans from SSO provider sso	4	2182	June 29, 2017
Discourse SSO + normal login sso	1	3975	August 1, 2017
Advantage and disadvantage of enabling SSO sso	1	1737	May 22, 2018

Two Discourses with SSO: avoid admin/moderator sync

Related Topics