A partial archive of meta.discourse.org as of Tuesday July 18, 2017.

Discourse-saml + Okta endless redirect

runofthemill

Hi there - I'm trying to get the discourse-saml plugin working with Okta; I've scoured the existing threads, and can't seem to figure out what's going on.

When I go to the login page, it prompts me to log in with my Okta credentials. Upon logging in, the page gets stuck in a loop between forums.trusa.io (the Discourse URL) and teamrubiconusa.okta.com (the Okta login).

Here's how Okta is configured:

Here's the Login settings in Discourse:

Here's the app.yml settings:

The logs don't show anything informative:

Halp!

@skoota - I saw you had some issues with the plugin, perhaps you might be able to lend a hand?

Thanks!

skoota

Happy to help, as it took me a while getting this working too

I think the issue could be the SSO configuration in the Discourse settings - remove all the custom configuration for SSO that you have made, as SSO is being handled by the plugin instead. This is what mine looks like:

...as you can see, nothing is enabled or configured.

Let me know how it goes!

runofthemill

Thanks! That seems to fix the problem, although now it's pulling in the wrong data for user email when a new user registers, and it won't let the registration complete since there's an invalid value in the email field, which isn't editable :\

I appreciate the help! Trying to debug the email issue now, will post back with any updates.

skoota

No worries. That sounds like a problem on the SAML provider end of things. Let me know how you get on.

runofthemill

I made a workaround by forking the plugin and changing the email value in plugin.rb to an attribute that Okta sends:

result.email = auth[:info].email || uid
if auth.extra.present? && auth.extra[:raw_info].present?
  result.email = auth.extra[:raw_info].attributes['screenName']
end
result.email_valid = true

Not the best solution, but works for now

runofthemill

So it's now pulling in the correct data for the email field, but gives "Something went wrong" when the user proceeds to create a new account.

The logs show an error with "Undefined method 'strip' in /app/controllers/users_controller" at line 311, and I think it's because strip expects a string, and it's getting an object. But if I add .to_s to result.email = auth.extra[:raw_info].attributes['screenName'], the new user's email shows up as ["jeremy.miller+test@teamrubiconusa.org"] so that's not quite the right solution...

I'm not a Ruby or Rails developer, so I'm not sure the correct way to handle this; any thoughts?

Edit: turns out this is all I needed to do:

result.email = auth.extra[:raw_info].attributes['screenName'].try(:first)

neil

Sorry for reviving an old topic… @runofthemill Isn’t this something that could have been fixed in the SAML application settings in Okta? Seems like Screen Name has email as the value.