Rojoss/index.php Secret

Created December 17, 2016 12:19
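<?php
// Discourse SSO provider endpoint. Nothing may be output before the
// header() call at the end, so the file starts directly with the PHP tag.
if (!isset($_GET['sso'], $_GET['sig'])
    || !is_string($_GET['sso']) || !is_string($_GET['sig'])) {
    return;
}

// Payload and signature received from Discourse. PHP has already URL-decoded
// $_GET; decoding again would turn '+' in the Base64 payload into a space
// and break the HMAC check.
$raw_payload = $_GET['sso'];
$signature = $_GET['sig'];

// Compute the expected signature: HMAC-SHA256 over the Base64 payload as received.
$discourse_secret = "SECRET";
$discourse_signature = hash_hmac("sha256", $raw_payload, $discourse_secret);

// Validate signature. hash_equals() compares in constant time and avoids the
// loose type juggling of != on hex strings.
if (!hash_equals($discourse_signature, $signature)) {
    return;
}

// Get query data from payload (only after the signature has been verified)
$payload = base64_decode($raw_payload);
$payload_url = array();
parse_str($payload, $payload_url);
if (!isset($payload_url['nonce'], $payload_url['return_sso_url'])) {
    return;
}

// Create new payload data to send back.
$payload_data = array();
$payload_data['nonce'] = $payload_url['nonce'];
$payload_data['email'] = 'SECRET';
// Sent as the literal string; http_build_query() would serialize boolean true as "1".
$payload_data['require_activation'] = 'true';
$payload_data['external_id'] = 1965;
$payload_data['username'] = 'Jos';
$payload_data['name'] = 'Jos';

// Create payload and Base64-encode it (http_build_query() already URL-encodes the values)
$payload_query = http_build_query($payload_data);
$return_payload = base64_encode($payload_query);

// Create return signature over the Base64 payload
$return_signature = hash_hmac("sha256", $return_payload, $discourse_secret);

// Redirect back; the Base64 payload is URL-encoded only when placed in the query string
$redirect_url = $payload_url['return_sso_url'] . '/?sso=' . urlencode($return_payload) . '&sig=' . $return_signature;
header('Location: ' . $redirect_url);
exit;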