Enabling federated login for ethforum

shibboleth
addis

(Mario Torrisi) #1

Hello @AlazarAlemayehu_295d,

I'm opening this topic to continue the discussion started by email on Enabling Federated Authentication for ethforum.sci-gaia.eu. We can continue our discussion here and you can ask for support.

As @brucellino suggested, you can have a look at https://github.com/fmarco76/DiscourseSSO; @MarcoFargetta_0c9b1 developed this application, which allows SSO features in our forum. Furthermore, here you can find the official guide on how to enable SSO authentication in the Discourse application.

Cheers
Mario.


(Bruce Becker) #2

Thanks @MarioTorrisi_f8dd

@AlazarAlemayehu_295d - most of Discourse SSO is done with Ruby on Rails Devise plugins, if I remember correctly.

The steps are

  1. Get Discourse
  2. Install the DiscourseSSO application: git clone https://github.com/fmarco76/DiscourseSSO
  3. Configure the DiscourseSSO application and Apache HTTPD
  4. Configure Discourse to hand off authentication to Shibboleth: see https://meta-s3-cdn.global.ssl.fastly.net/optimized/2X/e/e79ff70dff74f97fc700d8a17b8e00ef4060f158_1_690x207.png

The steps might be a bit more explicit in this role that we wrote for Ansible - take a look at the tasks to see what they do.

Of course, you also need an Identity Provider to be able to log into, and this needs to be configured in the shibboleth service.


(Mario Torrisi) #3

Hello @brucellino,

I know I'm resuming an ancient post, but I'm working on ethforum to enable federated authentication.
I managed to configure the DiscourseSSO plugin, and @MarcoFargetta_0c9b1 added the SP metadata in the federation.

But I'm facing a problem with new users. They cannot sign in through their federated credentials. This is the message they see:

`Login Error`

`There is a problem with your account. Please contact the site's administrator.`

While in /logs I can see:

`Verbose SSO log: Record was invalid: User {:primary_email=>"is invalid"} Attributes: {"name"=>"<givenName sn>", "username"=>"userid", "admin"=>false, "moderator"=>false, "title"=>nil}`

And this happens with both new and already registered users.

Any suggestions on that?

Cheers,


(Mario Torrisi) #4

I managed to allow new users to access ethforum, thanks to the suggestion I got from the Discourse guys; here is the discussion I had with them.

To do this I've edited the https://github.com/fmarco76/DiscourseSSO plugin to map just one email. But I'm trying to understand how to make it work also with multiple emails registered in the IdP.
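
An added illustration of the single-email mapping described in post #4 (not part of the thread and not the DiscourseSSO project's own code): it reduces a multi-valued `mail` attribute to one address before building the signed Discourse SSO reply. It assumes the Shibboleth SP hands over multi-valued attributes as one `;`-separated string; the function names and the attribute keys `eppn`, `uid`, `givenName`, `sn` and `mail` are hypothetical.

```python
import base64
import hashlib
import hmac
import re
from urllib.parse import parse_qs, urlencode

# Conservative shape check only; Discourse still applies its own validation.
EMAIL_RE = re.compile(r"^[^@\s;,]+@[^@\s;,]+\.[^@\s;,]+$")


def pick_primary_email(raw_mail):
    """Return the first well-formed address from a ';'-joined mail attribute."""
    for candidate in raw_mail.split(";"):
        candidate = candidate.strip()
        if EMAIL_RE.match(candidate):
            return candidate
    raise ValueError("IdP released no usable email address")


def sign(secret, payload_b64):
    """Hex HMAC-SHA256 over the base64 payload, as Discourse SSO expects."""
    return hmac.new(secret, payload_b64, hashlib.sha256).hexdigest()


def build_sso_response(secret, request_b64, request_sig, attrs):
    """Verify Discourse's signed request, then build the signed reply."""
    if not hmac.compare_digest(sign(secret, request_b64), request_sig):
        raise ValueError("bad signature on SSO request")
    nonce = parse_qs(base64.b64decode(request_b64).decode())["nonce"][0]
    reply = urlencode({
        "nonce": nonce,
        "external_id": attrs["eppn"],  # assumed attribute names
        "username": attrs["uid"],
        "name": f'{attrs["givenName"]} {attrs["sn"]}',
        "email": pick_primary_email(attrs["mail"]),
    })
    reply_b64 = base64.b64encode(reply.encode())
    return reply_b64, sign(secret, reply_b64)


if __name__ == "__main__":
    # Constructed sample values, not taken from the forum's configuration.
    secret = b"constructed-shared-secret"
    req = base64.b64encode(b"nonce=abc123")
    attrs = {"eppn": "jdoe@uni.example", "uid": "jdoe", "givenName": "Jane",
             "sn": "Doe", "mail": "jdoe@uni.example;jane.doe@dept.uni.example"}
    payload, sig = build_sso_response(secret, req, sign(secret, req), attrs)
    print(base64.b64decode(payload).decode(), sig)
```

Taking the first value is a policy choice: SAML does not guarantee the order of attribute values, so sort the candidates or prefer a fixed domain if the address must stay stable across logins.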