RGJ
(Richard - Communiteq)
April 15, 2019, 7:02pm
1
We have two Discourses set up, where one uses SSO against the other one.
However, we do not want to synchronize admin and moderator privs, but they are synced every time a user logs in on the SSO client forum.
sso_overrides_groups
has been disabled. It does not seem to work for admin and moderator privileges, when I look at the code those are implemented separately (https://github.com/discourse/discourse/blob/master/app/models/discourse_single_sign_on.rb#L78-L102 )
Is this by design, or is this a bug? Does anyone know a way around this?
4 Likes
Any thoughts on this @sam ?
1 Like
sam
(Sam Saffron)
April 16, 2019, 12:07am
3
We are going to need 2 extra site settings here:
https://github.com/discourse/discourse/blob/74c4ef6b5019b110819c24a4df8efc2b7e87ebd5/app/controllers/session_controller.rb#L62-L64
sso_provider_include_groups
sso_provider_include_staff_flags
I think the default is correct though.
4 Likes
RGJ
(Richard - Communiteq)
September 4, 2019, 5:55pm
4
Is a PR for this still welcome @sam ?
3 Likes
sam
(Sam Saffron)
September 14, 2019, 11:04pm
5
Yes, I support adding something here, it will clearly have to live on the consumer side. I do struggle a bit with naming though.
sso_sync_staff
, sso_sync_groups
maybe? Trouble with sso_sync_groups
is that there is naming clash with sso_overrides_groups.
So maybe instead we go with sso_incoming_scopes
with a default of staff,groups...
then you can select which incoming scopes you allow.
3 Likes