Hi everyone,
I was trying to automatically update the Group Assignments if they change on the IDP side. Unfortunately it only works if the User logs out and on again, as the assertions are only transmitted during a login from what I understood.
Goal:
What I would like to achieve is for discourse (or the discourse-saml plugin) to consider the “Assertion Lifespan” Option and re-evaluate the assertions as needed/configured by the IDP.
Setup:
My setup is as follows and is working as of now.
I am using Keycloak as the IDP which is connected to LDAP from which it pulls the Group assignments.
Discourse is running with the following Settings
DISCOURSE_SAML_TARGET_URL: https://auth.example.com/realms/example/protocol/saml
DISCOURSE_SAML_SYNC_GROUPS: true
DISCOURSE_SAML_GROUPS_FULLSYNC: true
DISCOURSE_SAML_GROUPS_LDAP_LEAFCN: true
Already tried:
I have already tried to change the Groups and log the user out and in again. That works manually with the desired result.
However, turning on the “Assertion Lifespan” Option in Keycloak (see below) doesn’t seem to change the Group assignment of the User after the group has been added/removed for the User in Keycloak/LDAP.
I have repeated this a couple of times and waited half an hour each time I changed the Group assignment on the user.
The only time the new Group change was applied was when the User had actually logged off and on again.
Conjecture:
I assume that the discourse-saml Plugin (GitHub - discourse/discourse-saml: Support for SAML in Discourse) doesn’t recheck the assertion after the User logs in.
Would it be possible to implement that feature for the SAML plugin?
Thanks a lot
Bao Le
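The group handling the post describes (leaf-CN extraction, full-sync reconciliation, and the assertion lifespan that is never re-checked), written out as an added Ruby example that is not the discourse-saml plugin's own code. It assumes the assertion carries group DNs in a single attribute and that a stored NotOnOrAfter timestamp is available; the attribute values and timestamps below are constructed.

```ruby
require 'set'
require 'time'

# Constructed sample: group DNs as an IdP pulling from LDAP might put them
# in the assertion's group attribute.
SAMPLE_GROUP_ATTRS = [
  'CN=moderators,OU=groups,DC=example,DC=com',
  'CN=staff,OU=groups,DC=example,DC=com'
].freeze

# Leaf-CN handling (the DISCOURSE_SAML_GROUPS_LDAP_LEAFCN idea): reduce a DN
# to its first CN value, leaving non-DN values untouched.
def leaf_cn(value)
  first_rdn = value.split(',').first.to_s.strip
  key, val = first_rdn.split('=', 2)
  return value if val.nil? || !key.casecmp?('cn')
  val.strip
end

def asserted_groups(attr_values, ldap_leafcn: true)
  attr_values.map { |v| ldap_leafcn ? leaf_cn(v) : v }.to_set
end

# Full sync removes memberships the assertion no longer lists; without it,
# only additions are applied, so an IdP-side removal never reaches Discourse.
def reconcile(current_groups, asserted, fullsync:)
  {
    add: asserted - current_groups,
    remove: fullsync ? current_groups - asserted : Set.new
  }
end

# Lifespan check (hypothetical helper): once Conditions/@NotOnOrAfter has
# passed, the groups derived from that assertion are stale and the user
# should be sent back to the IdP rather than keep the old memberships.
def assertion_expired?(not_on_or_after, now: Time.now.utc)
  now >= not_on_or_after
end

if __FILE__ == $PROGRAM_NAME
  current = Set['admins', 'staff']
  changes = reconcile(current, asserted_groups(SAMPLE_GROUP_ATTRS), fullsync: true)
  puts "add: #{changes[:add].to_a}, remove: #{changes[:remove].to_a}"
  expiry = Time.iso8601('2024-01-01T10:00:00Z')
  puts "expired? #{assertion_expired?(expiry, now: Time.iso8601('2024-01-01T11:00:00Z'))}"
end
```

Without a re-check at expiry, the `admins` removal computed here only happens on the next login, which is the lag the post reports.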