Wordpress Multisite with Multiple Discourse Instances

Hi all,

I’m looking for info / feasibility on adding another discourse community to our current setup. At the moment we have a Wordpress multisite setup with one discourse community using Discourse SSO for a site dedicated to the discourse community, but with another SSO provider powering the WP login.

I’m looking to add a new WP site for a new Discourse community, but am unclear on whether or not multiple discourse forums can be joined together within this multisite setup (if that makes sense). Because SSO is a WP network setup, it seems that it’s not possible to have more than one discourse instance.

Ideally we would have:

  • WP multisite
  • 2 Discourse instances

(Users between both discourse instances should only have access to the community they’re a part of).

I’ve read some posts about having a multisite WP setup with a single-site discourse (and vice versa) but not any info on multisite WP and multiple discourse instances.

Thanks

2 Likes

It is not possible to have sites on a WordPress multisite setup function as the SSO provider for two Discourse instances. The reason for this is that on a multisite network all users are stored in a single database table. If multiple Discourse sites are allowed to function as the SSO provider for multiple sites in a network, there is no straightforward way to guarantee that the Discourse user ids saved on WordPress are unique.

3 Likes

Thanks - that’s what I was guessing. Would it be possible to allow one Discourse instance to be the SSO provider for the other instance, while maintaining proper user access to their respective communities?

1 Like

A Discourse instance can function as the SSO provider for another Discourse instance. I am assuming that the setup you are considering is having WordPress as the SSO provider for Discourse instance 1. Discourse instance 1 would be the SSO provider for Discourse instance 2. I think this is possible, but have never configured a Discourse site to be both an SSO client and an SSO provider.

With the setup I outlined above, all users on Discourse instance 1 would have access to Discourse instance 2. I don’t thing that is what you are wanting.

Another possible approach to the problem would be to use one instance of Discourse and use category group permissions to limit what parts of the forum users can access. You can pass Discourse groups in the SSO payload. It should be possible on your WordPress site to determine which sites a user has access to. You could create a Discourse group for each WordPress site and then use the wpdc_sso_params filter to add an add_groups parameter to the SSO payload.

3 Likes

Currently Discourse SSO is the SSO provider – I guess the (new) consideration would be to have Instance 1 as the SSO provider (for both Instance 1 and 2).

Essentially, keep the same SSO setup that we have now but add another Discourse instance and still have some way to limit access between instance 1 and instance 2.

1 Like

Hi @Simon_Cossar - currently implementing this and am not sure why I’m not seeing SSO Client options in the WP Discourse plugin. See screenshot below

My connection says that it’s active (API key last use shows this too). When adding the [discourse_sso_client] shortcode it appears there’s a config issue (the location response header contains the URL generated by the [discourse_sso_client] shortcode instead of the SSO payload.

This is by design. The SSO Client option is only available on multisite networks when it is configured at a site-wide level. I need to setup a multisite network in my local dev environment to double check the settings. I’ll get back to you about this later today.

2 Likes

Thanks - currently I have the plugin installed at the network level with SSO Client selected

edit: I’ve debugged it down to query-redirect.php here:

if ( empty( $this->options['sso-client-enabled'] ) || 1 !== intval( $this->options['sso-client-enabled'] ) ) {
   return;
}

It appears that this option isn’t being set correctly for me - not sure if it’s the network level setup or what.

The documentation for setting up the plugin in a multisite network is not up to date. This is a good chance to sort it out and update the WP Discourse plugin installation and setup guide.

To use the SSO client functionality on a multisite network, the plugin needs to be configured at a network level. That is done by clicking the Discourse link on your Network Dashboard:

On the Discourse network page, select the Enable Multisite Configuration option. Then enter your Discourse URL, API Key, and Publishing Username into the Connection Settings section. Scroll to the bottom of the page and click the Save Options button. You should see a ‘You are connected to Discourse!’ message at the top of the page.

To use Discourse as the SSO provider for site’s on your multisite network, scroll to the bottom of the Discourse network page and select the Enable SSO Client option. Also add a key to the SSO Secret Key setting. Save your options again.

Now go to your Discourse site and copy the secret key into the Discourse sso provider secrets site setting. Enter a * symbol as the SSO provider domain. When that setting has been saved, it should look similar to this:

Now select the enable sso provider option on Discourse.

With these settings in place, going to the WP Discourse SSO / SSO Client tab for any sites on your network should take you to a page that looks similar to this:

For a quick test, select the Add Login Link and Sync Existing Users by Email options. Then logout of your WordPress site. You should be able to log back in by clicking the ‘Login with Discourse’ link that will be displayed on your wp-login.php page.

If you are not using the default WordPress login page, try copying the [discourse_sso_client] shortcode into a post on your site. That shortcode only displays markup on the page for logged out users. You can also create a login link by constructing a link in this form:

<a href="https://example.com/?discourse_sso=1&redirect_to=https://example.comt/">Log in with Discourse</a>

That will log the user into your site with Discourse and then redirect them back to the WordPress page you have set as the value of the redirect_to parameter.

Based on your debugging, it seems that the Enable SSO Client option was not enabled on your Discourse Network page. Can you make sure that option is enabled and let me know if you’re still having trouble with it?

The code you found that was preventing the SSO Client from working for you is correct, but is a badly written condition:

if ( empty( $this->options['sso-client-enabled'] ) || 1 !== intval( $this->options['sso-client-enabled'] ) )

It should be simplified to if ( empty( $this->options['sso-client-enabled'] ) ). That’s the pattern that’s used everywhere else in the plugin.

1 Like