We have two Discourses set up, where one uses SSO against the other one.
However, we do not want to synchronize admin and moderator privs, but they are synced every time a user logs in on the SSO client forum.
sso_overrides_groups has been disabled. It does not seem to work for admin and moderator privileges, when I look at the code those are implemented separately (https://github.com/discourse/discourse/blob/master/app/models/discourse_single_sign_on.rb#L78-L102)
Is this by design, or is this a bug? Does anyone know a way around this?
Any thoughts on this @sam?
We are going to need 2 extra site settings here:
I think the default is correct though.
Is a PR for this still welcome @sam ?
Yes, I support adding something here, it will clearly have to live on the consumer side. I do struggle a bit with naming though.
sso_sync_groups maybe? Trouble with
sso_sync_groups is that there is naming clash with sso_overrides_groups.
So maybe instead we go with
sso_incoming_scopes with a default of
staff,groups... then you can select which incoming scopes you allow.