⚠ Discourse has successfully integrated with SAML for many enterprises, but SAML integration is often complex, error prone, and typically requires customization / changes for that organization's specific implementation of SAML. This work is best undertaken by software developers familiar with Discourse. We are highly familiar with Discourse, and available to do that work on an enterprise hosting plan.
A Discourse Plugin to enable authentication via SAML
Setting up your idp:
The entity-id should be: http://example.com
The consumer assertion service url should be: https://example.com/auth/saml/callback
You may need to set your idp to send an extra custom attribute 'screenName', that will become the users id.
For idp-initated SSO, use the following URL:
https://example.com/auth/saml/callback
For Docker based installations:
Add the following settings to your app.yml
file in the Environment Settings section:
## Saml plugin setting
DISCOURSE_SAML_TARGET_URL: https://idpvendor.com/saml/login/
DISCOURSE_SAML_CERT_FINGERPRINT: "43:BB:DA:FF..."
#DISCOURSE_SAML_REQUEST_METHOD: post
#DISCOURSE_SAML_FULL_SCREEN_LOGIN: true
DISCOURSE_SAML_CERT: "-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----"
The DISCOURSE_FULL_SCREEN_LOGIN
option allows the SSO login page to be presented within the main browser window, rather than a popup. If SAML is your only authentication method this can look neater, as when the user clicks the Log In button the login page will follow through within the main browser window rather than opening a pop-up. This setting is commented out by default - if you want full screen login uncomment that line and set the value to true (as per the example above).
For non docker:
Add the following settings to your discourse.conf
file:
saml_target_url
DISCOURSE_SAML_SYNC_GROUPS
: Sync groups. Defaults to false.DISCOURSE_SAML_GROUPS_ATTRIBUTE
: SAML attribute to use for group sync. Defaults tomemberOf
DISCOURSE_SAML_GROUPS_FULLSYNC
: Should the assigned groups be completely synced including adding AND removing groups based on the IDP? Defaults to false. If set to true,DISCOURSE_SAML_SYNC_GROUPS_LIST
and SAML attributegroups_to_add
/groups_to_remove
are not used.DISCOURSE_SAML_SYNC_GROUPS_LIST
: Groups mentioned in this list are synced if they are referenced by the IDP (inmemberOf
SAML attribue). Any other groups will not be removed/updated.
DISCOURSE_SAML_SP_CERTIFICATE
: SAML Service Provider CertificateDISCOURSE_SAML_SP_PRIVATE_KEY
: SAML Service Provider Private KeyDISCOURSE_SAML_AUTHN_REQUESTS_SIGNED
: defaults to falseDISCOURSE_SAML_WANT_ASSERTIONS_SIGNED
: defaults to falseDISCOURSE_SAML_LOGOUT_REQUESTS_SIGNED
: defaults to falseDISCOURSE_SAML_LOGOUT_RESPONSES_SIGNED
: defaults to falseDISCOURSE_SAML_NAME_IDENTIFIER_FORMAT
: defaults to "urn:oasis:names:tc:SAML:2.0:protocol"DISCOURSE_SAML_DEFAULT_EMAILS_VALID
: defaults to trueDISCOURSE_SAML_VALIDATE_EMAIL_FIELDS
: defaults to blank. This setting accepts pipe separated group names that are supplied inmemberOf
attribute in SAML payload. If the group name specified in the value matches that frommemberOf
attribute than theemail_valid
is set totrue
, otherwise it defaults tofalse
. This setting overridesDISCOURSE_SAML_DEFAULT_EMAILS_VALID
.DISCOURSE_SAML_BUTTON_TITLE
: 'with SAML'DISCOURSE_SAML_TITLE
: 'SAML'DISCOURSE_SAML_SYNC_MODERATOR
: defaults to false. If set totrue
user get moderator role if SAML attributeisModerator
(or attribute specified byDISCOURSE_SAML_MODERATOR_ATTRIBUTE
) is 1 or true.DISCOURSE_SAML_MODERATOR_ATTRIBUTE
: defaults toisModerator
DISCOURSE_SAML_SYNC_TRUST_LEVEL
: defaults to false. If set totrue
user's trust level is set to the SAML attributetrustLevel
(or attribute specified byDISCOURSE_SAML_TRUST_LEVEL_ATTRIBUTE
) which needs to be between 1 and 4.DISCOURSE_SAML_TRUST_LEVEL_ATTRIBUTE
: defaults totrustLevel
If the idp has an RSA key split up as modulus and exponent, this javascript library makes it easy to convert to pem:
https://www.npmjs.com/package/rsa-pem-from-mod-exp
MIT