Two Discourses with SSO: avoid admin/moderator sync

RGJ · 2019 年4 月 15 日 19:02

We have two Discourses set up, where one uses SSO against the other one.
However, we do not want to synchronize admin and moderator privs, but they are synced every time a user logs in on the SSO client forum.

sso_overrides_groups has been disabled. It does not seem to work for admin and moderator privileges, when I look at the code those are implemented separately (https://github.com/discourse/discourse/blob/master/app/models/discourse_single_sign_on.rb#L78-L102)

Is this by design, or is this a bug? Does anyone know a way around this?

codinghorror · 2019 年4 月 15 日 23:44

Any thoughts on this @sam?

sam · 2019 年4 月 16 日 00:07

We are going to need 2 extra site settings here:

https://github.com/discourse/discourse/blob/74c4ef6b5019b110819c24a4df8efc2b7e87ebd5/app/controllers/session_controller.rb#L62-L64

sso_provider_include_groups
sso_provider_include_staff_flags

I think the default is correct though.

RGJ · 2019 年9 月 4 日 17:55

Is a PR for this still welcome @sam ?

sam · 2019 年9 月 14 日 23:04

Yes, I support adding something here, it will clearly have to live on the consumer side. I do struggle a bit with naming though.

sso_sync_staff, sso_sync_groups maybe? Trouble with sso_sync_groups is that there is naming clash with sso_overrides_groups.

So maybe instead we go with sso_incoming_scopes with a default of staff,groups... then you can select which incoming scopes you allow.

话题		回复	浏览量
SSO groups without completely overriding Support	9	1597	2021 年1 月 8 日
Technical lift of migrating whitelisted discourse to SSO General	1	843	2022 年1 月 12 日
Users are not added to the moderators groups when registering with SSO Bug sso , discourseconnect	3	2226	2016 年5 月 17 日
Does `sso overrides groups` work with Oauth2? SSO	13	2446	2021 年11 月 19 日
What happens to trust level and staff groups when using sso overrides groups? Support	5	512	2021 年1 月 8 日

Two Discourses with SSO: avoid admin/moderator sync

相关话题