SSO still requires email confirmation

I have been testing SSO and it appears that SSO still requires email confirmation within UserEcho. I am generating the SSO token and passing the token to UserEcho. It correctly parses the token and recognizes the username and email address. However, it does not automatically display the forum. It shows a red warning icon that says "Confirm Email". After I confirm the email address, then I have to merge with my existing UserEcho account (with the same email address).

One of the reasons that we are interested in using SSO is so that our application can manage authentication (including user registration, email confirmation, etc.). If a user is authenticated by our application and we pass the correct SSO token, then UserEcho should not require email confirmation. UserEcho should also not require merging accounts. If we have already set the email address as an acceptable email address in our forum (in the Privacy settings), and we pass the SSO token with that email address, then UserEcho should automatically let the user into the forum - it should not require email confirmation, nor should it require merging (although that may be optional).


Pinned replies
Sergey Stukov co-founder
We require email to be verified for security reasons. At this moment we have global user accounts. So if we trust the information provided by the SSO token, it's possible to spoof accounts from another project which can also pass the same email. This issue will be solved when we implement completely isolated user accounts.

You have two solutions for your situation.

1) In your private forum privacy settings, you can set that users who are authorised via SSO can use the forum. This will allow users to open and work with the forum without any additional confirmation.

https://earthsoft.userecho.com/settings/forum/priv...



2) It's possible to provide an additional SSO token parameter, so the user will also immediately have access to the provided forum ID.



Let us know whether this is helpful for you; let's find an optimal solution together.


Vladimir Mullagaliyev co-founder
Hello Mathew,
We made some changes; now you have the ability to set the user's email as verified for your project.
We have added a new parameter to SSO, "verified_email". Pass it to us ("verified_email":True) and your user's email will be marked as verified for your project.

P.S.: We did not have enough time for thorough testing. If you have any problems, feel free to ask us.

Mathew Weaver
From my testing, it appears that the user cannot receive topic/comment email notifications until they have confirmed his/her email.

I see that the "Confirm Email" link calls the sendEmailConfirmation() JavaScript function which posts to /confirmation/email. The data that is posted is empty ({}). Is there a way to customize the text of the confirmation email (perhaps by posting a custom message?)?

Mathew Weaver
Those settings did allow me to have the SSO user access the forum prior to confirming his/her email. 

Is it true that the user cannot receive email notifications until they do confirm his/her email?
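
Added example (not part of the thread and not UserEcho code): a simplified model of the reasoning in the co-founders' replies above, showing why an SSO email claim cannot be bound to a global account and how a per-project "verified_email" flag avoids that. All names except the "verified_email" parameter are hypothetical, and the accounts and projects are constructed sample data.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Session:
    project: str          # project whose SSO token created this session
    email: str
    email_verified: bool  # verified for `project` only
    global_account: bool  # True once merged with the service-wide account

# Constructed sample state (assumption: accounts are keyed by email).
GLOBAL_ACCOUNTS = {"alice@example.com"}  # existing service-wide account
CONFIRMED = set()                        # (project, email) confirmed by mail round-trip

def login_naive(project, claims):
    """Unsafe model: trusts the email claim and binds to the global account."""
    email = claims["email"].lower()
    return Session(project, email, True, email in GLOBAL_ACCOUNTS)

def login_scoped(project, claims):
    """Safer model: the claim is honoured only inside the issuing project."""
    email = claims["email"].lower()
    confirmed = (project, email) in CONFIRMED
    # The project may vouch for the address, but only for its own forum.
    verified = confirmed or claims.get("verified_email") is True
    # Merging with the global account still needs the service's own confirmation.
    return Session(project, email, verified, confirmed and email in GLOBAL_ACCOUNTS)

def confirm_email(project, email):
    """Stands in for the user following the link in the confirmation mail."""
    CONFIRMED.add((project, email.lower()))

if __name__ == "__main__":
    other = {"email": "alice@example.com", "verified_email": True}
    print(login_naive("project-b", other))   # bound to Alice's global account
    print(login_scoped("project-b", other))  # verified in project-b, not merged
    confirm_email("project-a", "alice@example.com")
    print(login_scoped("project-a", {"email": "alice@example.com"}))  # merged
```
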