Setting up Discourse to perform authentication via Google G-Suite using SAML is quite easy once you figure it out.
Add the discourse-saml plugin to your Discourse as documented.
To configure the plugin you need some information from Google G-Suite.
In the admin console add a new SAML application and set up a "Custom application".
This will show you the information you need. The URL shown as SSO URL is the value to use for DISCOURSE_SAML_TARGET_URL; it looks something like https://accounts.google.com/o/saml2/idp?idpid=XXXXX
Next you need the certificate information that goes into DISCOURSE_SAML_CERT and DISCOURSE_SAML_CERT_FINGERPRINT. This is a bit more tricky. The value for DISCOURSE_SAML_CERT can easily be taken from the IdP metadata you can download: it contains a Base64-encoded copy of the certificate. Simply copy-paste it as follows:
DISCOURSE_SAML_CERT: "-----BEGIN CERTIFICATE-----
base64 content here
-----END CERTIFICATE-----"
To get the fingerprint you can download the certificate file and inspect it.
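As an added example (not code from the original post or from the discourse-saml plugin), the script below pulls the signing certificate out of the downloaded IdP metadata XML and derives both values, the PEM block for DISCOURSE_SAML_CERT and the fingerprint for DISCOURSE_SAML_CERT_FINGERPRINT. It assumes standard SAML 2.0 metadata and a colon-separated uppercase hex fingerprint, SHA-1 by default (check which digest your plugin version expects); the embedded metadata and certificate bytes are constructed and not a real certificate.

```python
# Added example, not part of the original post. Assumptions: metadata is a
# SAML 2.0 EntityDescriptor; fingerprint is colon-separated uppercase hex,
# SHA-1 by default (verify against your plugin), SHA-256 selectable via algo.
import base64
import hashlib
import textwrap
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}


def extract_signing_cert(metadata_xml: str) -> bytes:
    """Return the DER bytes of the first signing certificate in the IdP metadata."""
    root = ET.fromstring(metadata_xml)
    for kd in root.iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        # A KeyDescriptor without 'use' is valid for both signing and encryption.
        if kd.get("use", "signing") != "signing":
            continue
        node = kd.find(".//ds:X509Certificate", NS)
        if node is not None and node.text:
            # Exporters wrap the Base64 across lines; drop all whitespace first.
            return base64.b64decode("".join(node.text.split()), validate=True)
    raise ValueError("no signing X509Certificate found in metadata")


def to_pem(der: bytes) -> str:
    """Wrap DER bytes as the PEM block DISCOURSE_SAML_CERT expects."""
    body = "\n".join(textwrap.wrap(base64.b64encode(der).decode("ascii"), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----"


def fingerprint(der: bytes, algo: str = "sha1") -> str:
    """Colon-separated uppercase hex digest of the DER certificate (AB:CD:...)."""
    hexdigest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


# Constructed sample: these bytes are NOT a real X.509 certificate.
FAKE_DER = b"constructed sample bytes, not a real certificate, example only"
_B64 = base64.b64encode(FAKE_DER).decode("ascii")
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://idp.example.test/placeholder-entity-id">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{_B64[:40]}
        {_B64[40:]}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://accounts.google.com/o/saml2/idp?idpid=XXXXX"/>
  </md:IDPSSODescriptor></md:EntityDescriptor>"""

if __name__ == "__main__":
    der = extract_signing_cert(SAMPLE_METADATA)
    print("DISCOURSE_SAML_CERT:", repr(to_pem(der)))
    print("DISCOURSE_SAML_CERT_FINGERPRINT:", fingerprint(der))
```

Run it against the real metadata by replacing SAMPLE_METADATA with the downloaded file's contents; the fingerprint of the certificate file you download separately must match the one computed here.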
I also configured DISCOURSE_SAML_FULL_SCREEN_LOGIN: true.
And did not set DISCOURSE_SAML_REQUEST_METHOD: post as it did not work.
To complete the setup in Google G Suite you have to enter the following details. This assumes your Discourse site is running at https://discourse.example.org:
- ACS URL: https://discourse.example.org/auth/saml/callback
- Entity ID: https://discourse.example.org (no trailing slash)
- Start URL: https://discourse.example.org
- Name ID: Basic Information > Primary Email
- Name ID Format: EMAIL
As a custom attribute I also added screenName, mapped to Basic Information > Primary Email.
And that's pretty much it.