FEATURE: Rename 'Discourse SSO' to DiscourseConnect (#11978)

The 'Discourse SSO' protocol is being rebranded to DiscourseConnect. This should help to reduce confusion when 'SSO' is used in the generic sense. This commit aims to: - Rename `sso_` site settings. DiscourseConnect specific ones are prefixed `discourse_connect_`. Generic settings are prefixed `auth_` - Add (server-side-only) backwards compatibility for the old setting names, with deprecation notices - Copy `site_settings` database records to the new names - Rename relevant translation keys - Update relevant translations This commit does **not** aim to: - Rename any Ruby classes or methods. This might be done in a future commit - Change any URLs. This would break existing integrations - Make any changes to the protocol. This would break existing integrations - Change any functionality. Further normalization across DiscourseConnect and other auth methods will be done separately The risks are: - There is no backwards compatibility for site settings on the client-side. Accessing auth-related site settings in Javascript is fairly rare, and an error on the client side would not be security-critical. - If a plugin is monkey-patching parts of the auth process, changes to locale keys could cause broken error messages. This should also be unlikely. The old site setting names remain functional, so security-related overrides will remain working. A follow-up commit will be made with a post-deploy migration to delete the old `site_settings` rows.
2025-02-25 18:55:32 -06:00 · 2021-02-08 10:04:33 +00:00
parent 205db66864
commit 821bb1e8cb
71 changed files with 421 additions and 355 deletions
--- a/app/assets/javascripts/admin/addon/controllers/admin-user-index.js
+++ b/app/assets/javascripts/admin/addon/controllers/admin-user-index.js
@@ -590,7 +590,7 @@ export default Controller.extend(CanCheckEmails, {

    deleteSSORecord() {
      return bootbox.confirm(
-        I18n.t("admin.user.sso.confirm_delete"),
+        I18n.t("admin.user.discourse_connect.confirm_delete"),
        I18n.t("no_value"),
        I18n.t("yes_value"),
        (confirmed) => {
--- a/app/assets/javascripts/admin/addon/templates/user-index.hbs
+++ b/app/assets/javascripts/admin/addon/templates/user-index.hbs
@@ -70,8 +70,8 @@
        {{/if}}
      </div>
      <div class="controls">
-        {{#if siteSettings.sso_overrides_email}}
-          {{i18n "user.email.sso_override_instructions"}}
+        {{#if siteSettings.auth_overrides_email}}
+          {{i18n "user.email.auth_override_instructions"}}
        {{else if model.email}}
          {{html-safe (i18n "admin.user.visit_profile" url=preferencesPath)}}
        {{/if}}
@@ -105,8 +105,8 @@
      <div class="controls">
        {{#if model.email}}
          {{#if model.secondary_emails}}
-            {{#if siteSettings.sso_overrides_email}}
-              {{i18n "user.email.sso_override_instructions"}}
+            {{#if siteSettings.auth_overrides_email}}
+              {{i18n "user.email.auth_override_instructions"}}
            {{else}}
              {{html-safe (i18n "admin.user.visit_profile" url=preferencesPath)}}
            {{/if}}
@@ -646,11 +646,11 @@

 {{#if model.single_sign_on_record}}
  <section class="details">
-    <h1>{{i18n "admin.user.sso.title"}}</h1>
+    <h1>{{i18n "admin.user.discourse_connect.title"}}</h1>

    {{#with model.single_sign_on_record as |sso|}}
      <div class="display-row">
-        <div class="field">{{i18n "admin.user.sso.external_id"}}</div>
+        <div class="field">{{i18n "admin.user.discourse_connect.external_id"}}</div>
        <div class="value">{{sso.external_id}}</div>
        {{#if model.can_delete_sso_record}}
          <div class="controls">
@@ -658,22 +658,22 @@
              class="btn-danger"
              action=(action "deleteSSORecord")
              icon="far-trash-alt"
-              label="admin.user.sso.delete_sso_record"
+              label="admin.user.discourse_connect.delete_sso_record"
            }}
          </div>
        {{/if}}
      </div>
      <div class="display-row">
-        <div class="field">{{i18n "admin.user.sso.external_username"}}</div>
+        <div class="field">{{i18n "admin.user.discourse_connect.external_username"}}</div>
        <div class="value">{{sso.external_username}}</div>
      </div>
      <div class="display-row">
-        <div class="field">{{i18n "admin.user.sso.external_name"}}</div>
+        <div class="field">{{i18n "admin.user.discourse_connect.external_name"}}</div>
        <div class="value">{{sso.external_name}}</div>
      </div>
      {{#if canAdminCheckEmails}}
        <div class="display-row">
-          <div class="field">{{i18n "admin.user.sso.external_email"}}</div>
+          <div class="field">{{i18n "admin.user.discourse_connect.external_email"}}</div>
          {{#if ssoExternalEmail}}
            <div class="value">{{ssoExternalEmail}}</div>
          {{else}}
@@ -687,12 +687,12 @@
        </div>
      {{/if}}
      <div class="display-row">
-        <div class="field">{{i18n "admin.user.sso.external_avatar_url"}}</div>
+        <div class="field">{{i18n "admin.user.discourse_connect.external_avatar_url"}}</div>
        <div class="value">{{sso.external_avatar_url}}</div>
      </div>
      {{#if sso.last_payload}}
        <div class="display-row">
-          <div class="field">{{i18n "admin.user.sso.last_payload"}}</div>
+          <div class="field">{{i18n "admin.user.discourse_connect.last_payload"}}</div>
          <div class="value">
            {{#each ssoPayload as |line|}}
              {{line}}<br>
--- a/app/assets/javascripts/discourse/app/components/invite-panel.js
+++ b/app/assets/javascripts/discourse/app/components/invite-panel.js
@@ -221,7 +221,7 @@ export default Component.extend({
  ) {
    if (!canInviteViaEmail) {
      // can't invite via email, only existing users
-      return I18n.t("topic.invite_reply.sso_enabled");
+      return I18n.t("topic.invite_reply.discourse_connect_enabled");
    } else if (isPM) {
      // inviting to a message
      return I18n.t("topic.invite_private.email_or_username");
--- a/app/assets/javascripts/discourse/app/controllers/application.js
+++ b/app/assets/javascripts/discourse/app/controllers/application.js
@@ -13,7 +13,7 @@ export default Controller.extend({
    return (
      !this.siteSettings.invite_only &&
      this.siteSettings.allow_new_registrations &&
-      !this.siteSettings.enable_sso
+      !this.siteSettings.enable_discourse_connect
    );
  },

--- a/app/assets/javascripts/discourse/app/controllers/login.js
+++ b/app/assets/javascripts/discourse/app/controllers/login.js
@@ -392,7 +392,7 @@ export default Controller.extend(ModalFunctionality, {
    }

    const skipConfirmation =
-      options && this.siteSettings.external_auth_skip_create_confirm;
+      options && this.siteSettings.auth_skip_create_confirm;

    const createAccountController = this.createAccount;
    createAccountController.setProperties({
--- a/app/assets/javascripts/discourse/app/controllers/preferences/account.js
+++ b/app/assets/javascripts/discourse/app/controllers/preferences/account.js
@@ -71,7 +71,8 @@ export default Controller.extend(CanCheckEmails, {
      return false;
    } else {
      return (
-        !this.siteSettings.enable_sso && this.siteSettings.enable_local_logins
+        !this.siteSettings.enable_discourse_connect &&
+        this.siteSettings.enable_local_logins
      );
    }
  },
--- a/app/assets/javascripts/discourse/app/models/user.js
+++ b/app/assets/javascripts/discourse/app/models/user.js
@@ -755,7 +755,7 @@ const User = RestModel.extend({

  @discourseComputed("can_delete_account")
  canDeleteAccount(canDeleteAccount) {
-    return !this.siteSettings.enable_sso && canDeleteAccount;
+    return !this.siteSettings.enable_discourse_connect && canDeleteAccount;
  },

  delete: function () {
--- a/app/assets/javascripts/discourse/app/routes/application.js
+++ b/app/assets/javascripts/discourse/app/routes/application.js
@@ -243,7 +243,7 @@ const ApplicationRoute = DiscourseRoute.extend(OpenComposer, {
  },

  handleShowLogin() {
-    if (this.siteSettings.enable_sso) {
+    if (this.siteSettings.enable_discourse_connect) {
      const returnPath = encodeURIComponent(window.location.pathname);
      window.location = getURL("/session/sso?return_path=" + returnPath);
    } else {
@@ -254,7 +254,7 @@ const ApplicationRoute = DiscourseRoute.extend(OpenComposer, {
  },

  handleShowCreateAccount() {
-    if (this.siteSettings.enable_sso) {
+    if (this.siteSettings.enable_discourse_connect) {
      const returnPath = encodeURIComponent(window.location.pathname);
      window.location = getURL("/session/sso?return_path=" + returnPath);
    } else {
--- a/app/assets/javascripts/discourse/app/templates/preferences/account.hbs
+++ b/app/assets/javascripts/discourse/app/templates/preferences/account.hbs
@@ -15,7 +15,7 @@
  {{/if}}
 </div>

-{{#unless siteSettings.sso_overrides_avatar}}
+{{#unless siteSettings.discourse_connect_overrides_avatar}}
  <div class="control-group pref-avatar">
    <label class="control-label" id="profile-picture">{{i18n "user.avatar.title"}}</label>
    <div class="controls">
@@ -94,8 +94,8 @@
      {{/if}}

      <div class="instructions">
-        {{#if siteSettings.sso_overrides_email}}
-          {{i18n "user.email.sso_override_instructions"}}
+        {{#if siteSettings.auth_overrides_email}}
+          {{i18n "user.email.auth_override_instructions"}}
        {{/if}}
        {{i18n "user.email.instructions"}}
      </div>
--- a/app/assets/javascripts/discourse/tests/acceptance/create-account-external-test.js
+++ b/app/assets/javascripts/discourse/tests/acceptance/create-account-external-test.js
@@ -32,7 +32,7 @@ acceptance("Create Account - external auth", function (needs) {
  });

  test("when skip is enabled", async function (assert) {
-    this.siteSettings.external_auth_skip_create_confirm = true;
+    this.siteSettings.auth_skip_create_confirm = true;
    await visit("/");

    assert.ok(
--- a/app/assets/javascripts/discourse/tests/helpers/site-settings.js
+++ b/app/assets/javascripts/discourse/tests/helpers/site-settings.js
@@ -29,7 +29,7 @@ const ORIGINAL_SETTINGS = {
  enable_twitter_logins: true,
  enable_facebook_logins: true,
  enable_github_logins: true,
-  enable_sso: false,
+  enable_discourse_connect: false,
  min_username_length: 3,
  max_username_length: 20,
  min_password_length: 8,
--- a/app/controllers/admin/users_controller.rb
+++ b/app/controllers/admin/users_controller.rb
@@ -439,12 +439,12 @@ class Admin::UsersController < Admin::AdminController
  end

  def sync_sso
-    return render body: nil, status: 404 unless SiteSetting.enable_sso
+    return render body: nil, status: 404 unless SiteSetting.enable_discourse_connect

    begin
      sso = DiscourseSingleSignOn.parse("sso=#{params[:sso]}&sig=#{params[:sig]}")
    rescue DiscourseSingleSignOn::ParseError => e
-      return render json: failed_json.merge(message: I18n.t("sso.login_error")), status: 422
+      return render json: failed_json.merge(message: I18n.t("discourse_connect.login_error")), status: 422
    end

    begin
@@ -453,7 +453,7 @@ class Admin::UsersController < Admin::AdminController
    rescue ActiveRecord::RecordInvalid => ex
      render json: failed_json.merge(message: ex.message), status: 403
    rescue DiscourseSingleSignOn::BlankExternalId => ex
-      render json: failed_json.merge(message: I18n.t('sso.blank_id_error')), status: 422
+      render json: failed_json.merge(message: I18n.t('discourse_connect.blank_id_error')), status: 422
    end
  end

--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -739,11 +739,11 @@ class ApplicationController < ActionController::Base
  def redirect_to_login
    dont_cache_page

-    if SiteSetting.external_auth_immediately && SiteSetting.enable_sso?
+    if SiteSetting.auth_immediately && SiteSetting.enable_discourse_connect?
      # save original URL in a session so we can redirect after login
      session[:destination_url] = destination_url
      redirect_to path('/session/sso')
-    elsif SiteSetting.external_auth_immediately && !SiteSetting.enable_local_logins && Discourse.enabled_authenticators.length == 1 && !cookies[:authentication_data]
+    elsif SiteSetting.auth_immediately && !SiteSetting.enable_local_logins && Discourse.enabled_authenticators.length == 1 && !cookies[:authentication_data]
      # Only one authentication provider, direct straight to it.
      # If authentication_data is present, then we are halfway though registration. Don't redirect offsite
      cookies[:destination_url] = destination_url
--- a/app/controllers/groups_controller.rb
+++ b/app/controllers/groups_controller.rb
@@ -338,7 +338,7 @@ class GroupsController < ApplicationController

    if emails.any?
      if SiteSetting.enable_sso?
-        raise Discourse::InvalidParameters.new(I18n.t("no_invites_with_sso"))
+        raise Discourse::InvalidParameters.new(I18n.t("no_invites_with_discourse_connect"))
      elsif !SiteSetting.enable_local_logins?
        raise Discourse::InvalidParameters.new(I18n.t("no_invites_without_local_logins"))
      end
--- a/app/controllers/invites_controller.rb
+++ b/app/controllers/invites_controller.rb
@@ -268,7 +268,7 @@ class InvitesController < ApplicationController

    if user.has_password?
      send_activation_email(user) unless user.active
-    elsif !SiteSetting.enable_sso && SiteSetting.enable_local_logins
+    elsif !SiteSetting.enable_discourse_connect && SiteSetting.enable_local_logins
      Jobs.enqueue(:invite_password_instructions_email, username: user.username)
    end
  end
--- a/app/controllers/session_controller.rb
+++ b/app/controllers/session_controller.rb
@@ -24,19 +24,19 @@ class SessionController < ApplicationController
    session.delete(:destination_url)
    cookies.delete(:destination_url)

-    if SiteSetting.enable_sso?
+    if SiteSetting.enable_discourse_connect?
      sso = DiscourseSingleSignOn.generate_sso(return_path)
-      if SiteSetting.verbose_sso_logging
+      if SiteSetting.verbose_discourse_connect_logging
        Rails.logger.warn("Verbose SSO log: Started SSO process\n\n#{sso.diagnostics}")
      end
-      redirect_to sso_url(sso)
+      redirect_to discourse_connect_url(sso)
    else
      render body: nil, status: 404
    end
  end

  def sso_provider(payload = nil)
-    if SiteSetting.enable_sso_provider
+    if SiteSetting.enable_discourse_connect_provider
      begin
        if !payload
          params.require(:sso)
@@ -44,15 +44,15 @@ class SessionController < ApplicationController
        end
        sso = SingleSignOnProvider.parse(payload)
      rescue SingleSignOnProvider::BlankSecret
-        render plain: I18n.t("sso.missing_secret"), status: 400
+        render plain: I18n.t("discourse_connect.missing_secret"), status: 400
        return
      rescue SingleSignOnProvider::ParseError => e
-        if SiteSetting.verbose_sso_logging
+        if SiteSetting.verbose_discourse_connect_logging
          Rails.logger.warn("Verbose SSO log: Signature parse error\n\n#{e.message}\n\n#{sso&.diagnostics}")
        end

        # Do NOT pass the error text to the client, it would give them the correct signature
-        render plain: I18n.t("sso.login_error"), status: 422
+        render plain: I18n.t("discourse_connect.login_error"), status: 422
        return
      end

@@ -138,7 +138,7 @@ class SessionController < ApplicationController
  end

  def sso_login
-    raise Discourse::NotFound.new unless SiteSetting.enable_sso
+    raise Discourse::NotFound.new unless SiteSetting.enable_discourse_connect

    params.require(:sso)
    params.require(:sig)
@@ -146,26 +146,26 @@ class SessionController < ApplicationController
    begin
      sso = DiscourseSingleSignOn.parse(request.query_string)
    rescue DiscourseSingleSignOn::ParseError => e
-      if SiteSetting.verbose_sso_logging
+      if SiteSetting.verbose_discourse_connect_logging
        Rails.logger.warn("Verbose SSO log: Signature parse error\n\n#{e.message}\n\n#{sso&.diagnostics}")
      end

      # Do NOT pass the error text to the client, it would give them the correct signature
-      return render_sso_error(text: I18n.t("sso.login_error"), status: 422)
+      return render_sso_error(text: I18n.t("discourse_connect.login_error"), status: 422)
    end

    if !sso.nonce_valid?
-      if SiteSetting.verbose_sso_logging
+      if SiteSetting.verbose_discourse_connect_logging
        Rails.logger.warn("Verbose SSO log: Nonce has already expired\n\n#{sso.diagnostics}")
      end
-      return render_sso_error(text: I18n.t("sso.timeout_expired"), status: 419)
+      return render_sso_error(text: I18n.t("discourse_connect.timeout_expired"), status: 419)
    end

    if ScreenedIpAddress.should_block?(request.remote_ip)
-      if SiteSetting.verbose_sso_logging
+      if SiteSetting.verbose_discourse_connect_logging
        Rails.logger.warn("Verbose SSO log: IP address is blocked #{request.remote_ip}\n\n#{sso.diagnostics}")
      end
-      return render_sso_error(text: I18n.t("sso.unknown_error"), status: 500)
+      return render_sso_error(text: I18n.t("discourse_connect.unknown_error"), status: 500)
    end

    return_path = sso.return_path
@@ -180,10 +180,10 @@ class SessionController < ApplicationController
        end

        if SiteSetting.must_approve_users? && !user.approved?
-          if SiteSetting.sso_not_approved_url.present?
-            redirect_to SiteSetting.sso_not_approved_url
+          if SiteSetting.discourse_connect_not_approved_url.present?
+            redirect_to SiteSetting.discourse_connect_not_approved_url
          else
-            render_sso_error(text: I18n.t("sso.account_not_approved"), status: 403)
+            render_sso_error(text: I18n.t("discourse_connect.account_not_approved"), status: 403)
          end
          return
        elsif !user.active?
@@ -192,7 +192,7 @@ class SessionController < ApplicationController
          session["user_created_message"] = activation.message
          redirect_to(users_account_created_path) && (return)
        else
-          if SiteSetting.verbose_sso_logging
+          if SiteSetting.verbose_discourse_connect_logging
            Rails.logger.warn("Verbose SSO log: User was logged on #{user.username}\n\n#{sso.diagnostics}")
          end
          if user.id != current_user&.id
@@ -206,7 +206,7 @@ class SessionController < ApplicationController
            uri = URI(return_path)
            if (uri.hostname == Discourse.current_hostname)
              return_path = uri.to_s
-            elsif !SiteSetting.sso_allows_all_return_paths
+            elsif !SiteSetting.discourse_connect_allows_all_return_paths
              return_path = path("/")
            end
          rescue
@@ -223,11 +223,11 @@ class SessionController < ApplicationController

        redirect_to return_path
      else
-        render_sso_error(text: I18n.t("sso.not_found"), status: 500)
+        render_sso_error(text: I18n.t("discourse_connect.not_found"), status: 500)
      end
    rescue ActiveRecord::RecordInvalid => e

-      if SiteSetting.verbose_sso_logging
+      if SiteSetting.verbose_discourse_connect_logging
        Rails.logger.warn(<<~EOF)
        Verbose SSO log: Record was invalid: #{e.record.class.name} #{e.record.id}
        #{e.record.errors.to_h}
@@ -245,17 +245,17 @@ class SessionController < ApplicationController
      # If there's a problem with the email we can explain that
      if (e.record.is_a?(User) && e.record.errors[:primary_email].present?)
        if e.record.email.blank?
-          text = I18n.t("sso.no_email")
+          text = I18n.t("discourse_connect.no_email")
        else
-          text = I18n.t("sso.email_error", email: ERB::Util.html_escape(e.record.email))
+          text = I18n.t("discourse_connect.email_error", email: ERB::Util.html_escape(e.record.email))
        end
      end

-      render_sso_error(text: text || I18n.t("sso.unknown_error"), status: 500)
+      render_sso_error(text: text || I18n.t("discourse_connect.unknown_error"), status: 500)

    rescue DiscourseSingleSignOn::BlankExternalId

-      render_sso_error(text: I18n.t("sso.blank_id_error"), status: 500)
+      render_sso_error(text: I18n.t("discourse_connect.blank_id_error"), status: 500)

    rescue => e
      message = +"Failed to create or lookup user: #{e}."
@@ -266,7 +266,7 @@ class SessionController < ApplicationController

      Rails.logger.error(message)

-      render_sso_error(text: I18n.t("sso.unknown_error"), status: 500)
+      render_sso_error(text: I18n.t("discourse_connect.unknown_error"), status: 500)
    end
  end

@@ -445,7 +445,7 @@ class SessionController < ApplicationController
  def destroy
    redirect_url = params[:return_url].presence || SiteSetting.logout_redirect.presence

-    sso = SiteSetting.enable_sso
+    sso = SiteSetting.enable_discourse_connect
    only_one_authenticator = !SiteSetting.enable_local_logins && Discourse.enabled_authenticators.length == 1
    if SiteSetting.login_required && (sso || only_one_authenticator)
      # In this situation visiting most URLs will start the auth process again
@@ -498,7 +498,7 @@ class SessionController < ApplicationController
    return if user&.admin?

    if (check_login_via_email && !SiteSetting.enable_local_logins_via_email) ||
-        SiteSetting.enable_sso ||
+        SiteSetting.enable_discourse_connect ||
        !SiteSetting.enable_local_logins
      raise Discourse::InvalidAccess, "SSO takes over local login or the local login is disallowed."
    end
--- a/app/controllers/uploads_controller.rb
+++ b/app/controllers/uploads_controller.rb
@@ -19,7 +19,7 @@ class UploadsController < ApplicationController
    # 50 characters ought to be enough for the upload type
    type = params.require(:type).parameterize(separator: "_")[0..50]

-    if type == "avatar" && !me.admin? && (SiteSetting.sso_overrides_avatar || !SiteSetting.allow_uploaded_avatars)
+    if type == "avatar" && !me.admin? && (SiteSetting.discourse_connect_overrides_avatar || !SiteSetting.allow_uploaded_avatars)
      return render json: failed_json, status: 422
    end

--- a/app/controllers/user_api_keys_controller.rb
+++ b/app/controllers/user_api_keys_controller.rb
@@ -23,7 +23,7 @@ class UserApiKeysController < ApplicationController
    unless current_user
      cookies[:destination_url] = request.fullpath

-      if SiteSetting.enable_sso?
+      if SiteSetting.enable_discourse_connect?
        redirect_to path('/session/sso')
      else
        redirect_to path('/login')
@@ -115,7 +115,7 @@ class UserApiKeysController < ApplicationController
    unless current_user
      cookies[:destination_url] = request.fullpath

-      if SiteSetting.enable_sso?
+      if SiteSetting.enable_discourse_connect?
        redirect_to path('/session/sso')
      else
        redirect_to path('/login')
--- a/app/controllers/users/omniauth_callbacks_controller.rb
+++ b/app/controllers/users/omniauth_callbacks_controller.rb
@@ -40,7 +40,7 @@ class Users::OmniauthCallbacksController < ApplicationController

    preferred_origin = request.env['omniauth.origin']

-    if SiteSetting.enable_sso_provider && payload = cookies.delete(:sso_payload)
+    if SiteSetting.enable_discourse_connect_provider && payload = cookies.delete(:sso_payload)
      preferred_origin = session_sso_provider_url + "?" + payload
    elsif cookies[:destination_url].present?
      preferred_origin = cookies[:destination_url]
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@@ -179,7 +179,7 @@ class UsersController < ApplicationController
    end
  rescue Discourse::InvalidAccess
    if current_user&.staff?
-      render_json_error(I18n.t('errors.messages.sso_overrides_username'))
+      render_json_error(I18n.t('errors.messages.auth_overrides_username'))
    else
      render json: failed_json, status: 403
    end
@@ -412,8 +412,8 @@ class UsersController < ApplicationController
      ))
    else
      if current_user&.staff?
-        message = if SiteSetting.enable_sso
-          I18n.t("invite.disabled_errors.sso_enabled")
+        message = if SiteSetting.enable_discourse_connect
+          I18n.t("invite.disabled_errors.discourse_connect_enabled")
        elsif !SiteSetting.enable_local_logins
          I18n.t("invite.disabled_errors.local_logins_disabled")
        end
@@ -436,8 +436,8 @@ class UsersController < ApplicationController
      render json: MultiJson.dump(invites: serialize_data(invites.to_a, InviteLinkSerializer), can_see_invite_details:  guardian.can_see_invite_details?(inviter))
    else
      if current_user&.staff?
-        message = if SiteSetting.enable_sso
-          I18n.t("invite.disabled_errors.sso_enabled")
+        message = if SiteSetting.enable_discourse_connect
+          I18n.t("invite.disabled_errors.discourse_connect_enabled")
        elsif !SiteSetting.enable_local_logins
          I18n.t("invite.disabled_errors.local_logins_disabled")
        end
@@ -909,7 +909,7 @@ class UsersController < ApplicationController

  def account_created
    if current_user.present?
-      if SiteSetting.enable_sso_provider && payload = cookies.delete(:sso_payload)
+      if SiteSetting.enable_discourse_connect_provider && payload = cookies.delete(:sso_payload)
        return redirect_to(session_sso_provider_url + "?" + payload)
      elsif destination_url = cookies.delete(:destination_url)
        return redirect_to(destination_url)
@@ -958,7 +958,7 @@ class UsersController < ApplicationController
        elsif destination_url = cookies[:destination_url]
          cookies[:destination_url] = nil
          return redirect_to(destination_url)
-        elsif SiteSetting.enable_sso_provider && payload = cookies.delete(:sso_payload)
+        elsif SiteSetting.enable_discourse_connect_provider && payload = cookies.delete(:sso_payload)
          return redirect_to(session_sso_provider_url + "?" + payload)
        end
      else
@@ -1095,7 +1095,7 @@ class UsersController < ApplicationController
    user = fetch_user_from_params
    guardian.ensure_can_edit!(user)

-    if SiteSetting.sso_overrides_avatar
+    if SiteSetting.discourse_connect_overrides_avatar
      return render json: failed_json, status: 422
    end

@@ -1276,7 +1276,7 @@ class UsersController < ApplicationController
  end

  def list_second_factors
-    raise Discourse::NotFound if SiteSetting.enable_sso || !SiteSetting.enable_local_logins
+    raise Discourse::NotFound if SiteSetting.enable_discourse_connect || !SiteSetting.enable_local_logins

    unless params[:password].empty?
      RateLimiter.new(nil, "login-hr-#{request.remote_ip}", SiteSetting.max_logins_per_ip_per_hour, 1.hour).performed!
@@ -1448,7 +1448,7 @@ class UsersController < ApplicationController
  end

  def second_factor_check_confirmed_password
-    raise Discourse::NotFound if SiteSetting.enable_sso || !SiteSetting.enable_local_logins
+    raise Discourse::NotFound if SiteSetting.enable_discourse_connect || !SiteSetting.enable_local_logins

    raise Discourse::InvalidAccess.new unless current_user && secure_session_confirmed?
  end
--- a/app/helpers/application_helper.rb
+++ b/app/helpers/application_helper.rb
@@ -548,7 +548,7 @@ module ApplicationHelper
  def can_sign_up?
    SiteSetting.allow_new_registrations &&
    !SiteSetting.invite_only &&
-    !SiteSetting.enable_sso
+    !SiteSetting.enable_discourse_connect
  end

  def rss_creator(user)
--- a/app/jobs/regular/export_csv_file.rb
+++ b/app/jobs/regular/export_csv_file.rb
@@ -113,7 +113,7 @@ module Jobs
        condition = { trust_level: trust_level }
      end

-      if SiteSetting.enable_sso
+      if SiteSetting.enable_discourse_connect
        # SSO enabled
        User.where(condition).includes(:user_profile, :user_stat, :user_emails, :single_sign_on_record, :groups).find_each do |user|
          user_info_array = get_base_user_array(user)
@@ -232,7 +232,7 @@ module Jobs
    def get_header(entity)
      if entity == 'user_list'
        header_array = HEADER_ATTRS_FOR['user_list'] + HEADER_ATTRS_FOR['user_stats'] + HEADER_ATTRS_FOR['user_profile']
-        header_array.concat(HEADER_ATTRS_FOR['user_sso']) if SiteSetting.enable_sso
+        header_array.concat(HEADER_ATTRS_FOR['user_sso']) if SiteSetting.enable_discourse_connect
        user_custom_fields = UserField.all
        if user_custom_fields.present?
          user_custom_fields.each do |custom_field|
--- a/app/jobs/regular/export_user_archive.rb
+++ b/app/jobs/regular/export_user_archive.rb
@@ -384,7 +384,7 @@ module Jobs
    def get_header(entity)
      if entity == 'user_list'
        header_array = HEADER_ATTRS_FOR['user_list'] + HEADER_ATTRS_FOR['user_stats'] + HEADER_ATTRS_FOR['user_profile']
-        header_array.concat(HEADER_ATTRS_FOR['user_sso']) if SiteSetting.enable_sso
+        header_array.concat(HEADER_ATTRS_FOR['user_sso']) if SiteSetting.enable_discourse_connect
        user_custom_fields = UserField.all
        if user_custom_fields.present?
          user_custom_fields.each do |custom_field|
--- a/app/models/concerns/second_factor_manager.rb
+++ b/app/models/concerns/second_factor_manager.rb
@@ -54,19 +54,19 @@ module SecondFactorManager
  end

  def totp_enabled?
-    !SiteSetting.enable_sso &&
+    !SiteSetting.enable_discourse_connect &&
      SiteSetting.enable_local_logins &&
      self&.user_second_factors.totps.exists?
  end

  def backup_codes_enabled?
-    !SiteSetting.enable_sso &&
+    !SiteSetting.enable_discourse_connect &&
      SiteSetting.enable_local_logins &&
      self&.user_second_factors.backup_codes.exists?
  end

  def security_keys_enabled?
-    !SiteSetting.enable_sso &&
+    !SiteSetting.enable_discourse_connect &&
      SiteSetting.enable_local_logins &&
      self&.security_keys.where(factor_type: UserSecurityKey.factor_types[:second_factor], enabled: true).exists?
  end
--- a/app/models/discourse_single_sign_on.rb
+++ b/app/models/discourse_single_sign_on.rb
@@ -6,11 +6,11 @@ class DiscourseSingleSignOn < SingleSignOn
  class BannedExternalId < StandardError; end

  def self.sso_url
-    SiteSetting.sso_url
+    SiteSetting.discourse_connect_url
  end

  def self.sso_secret
-    SiteSetting.sso_secret
+    SiteSetting.discourse_connect_secret
  end

  def self.generate_sso(return_path = "/")
@@ -120,7 +120,7 @@ class DiscourseSingleSignOn < SingleSignOn
    # The user might require approval
    user.create_reviewable

-    if bio && (user.user_profile.bio_raw.blank? || SiteSetting.sso_overrides_bio)
+    if bio && (user.user_profile.bio_raw.blank? || SiteSetting.discourse_connect_overrides_bio)
      user.user_profile.bio_raw = bio
      user.user_profile.save!
    end
@@ -170,7 +170,7 @@ class DiscourseSingleSignOn < SingleSignOn
  end

  def apply_group_rules(user)
-    if SiteSetting.sso_overrides_groups
+    if SiteSetting.discourse_connect_overrides_groups
      synchronize_groups(user)
      return
    end
@@ -219,7 +219,7 @@ class DiscourseSingleSignOn < SingleSignOn

        user = User.create!(user_params)

-        if SiteSetting.verbose_sso_logging
+        if SiteSetting.verbose_discourse_connect_logging
          Rails.logger.warn("Verbose SSO log: New User (user_id: #{user.id}) Params: #{user_params} User Params: #{user.attributes} User Errors: #{user.errors.full_messages} Email: #{user.primary_email.attributes} Email Error: #{user.primary_email.errors.full_messages}")
        end
      end
@@ -233,7 +233,7 @@ class DiscourseSingleSignOn < SingleSignOn
            Jobs.enqueue(:download_avatar_from_url,
              url: avatar_url,
              user_id: user.id,
-              override_gravatar: SiteSetting.sso_overrides_avatar
+              override_gravatar: SiteSetting.discourse_connect_overrides_avatar
            )
          end

@@ -273,13 +273,13 @@ class DiscourseSingleSignOn < SingleSignOn
  def change_external_attributes_and_override(sso_record, user)
    @email_changed = false

-    if SiteSetting.sso_overrides_email && user.email != Email.downcase(email)
+    if SiteSetting.auth_overrides_email && user.email != Email.downcase(email)
      user.email = email
      user.active = false if require_activation
      @email_changed = true
    end

-    if SiteSetting.sso_overrides_username? && username.present?
+    if SiteSetting.auth_overrides_username? && username.present?
      if user.username.downcase == username.downcase
        user.username = username # there may be a change of case
      elsif user.username != username
@@ -287,7 +287,7 @@ class DiscourseSingleSignOn < SingleSignOn
      end
    end

-    if SiteSetting.sso_overrides_name && user.name != name && name.present?
+    if SiteSetting.auth_overrides_name && user.name != name && name.present?
      user.name = name || User.suggest_name(username.blank? ? email : username)
    end

@@ -297,18 +297,18 @@ class DiscourseSingleSignOn < SingleSignOn

    avatar_missing = user.uploaded_avatar_id.nil? || !Upload.exists?(user.uploaded_avatar_id)

-    if (avatar_missing || avatar_force_update || SiteSetting.sso_overrides_avatar) && avatar_url.present?
+    if (avatar_missing || avatar_force_update || SiteSetting.discourse_connect_overrides_avatar) && avatar_url.present?
      avatar_changed = sso_record.external_avatar_url != avatar_url

      if avatar_force_update || avatar_changed || avatar_missing
-        Jobs.enqueue(:download_avatar_from_url, url: avatar_url, user_id: user.id, override_gravatar: SiteSetting.sso_overrides_avatar)
+        Jobs.enqueue(:download_avatar_from_url, url: avatar_url, user_id: user.id, override_gravatar: SiteSetting.discourse_connect_overrides_avatar)
      end
    end

    if profile_background_url.present?
      profile_background_missing = user.user_profile.profile_background_upload.blank? || Upload.get_from_url(user.user_profile.profile_background_upload.url).blank?

-      if profile_background_missing || SiteSetting.sso_overrides_profile_background
+      if profile_background_missing || SiteSetting.discourse_connect_overrides_profile_background
        profile_background_changed = sso_record.external_profile_background_url != profile_background_url
        if profile_background_changed || profile_background_missing
          Jobs.enqueue(:download_profile_background_from_url,
@@ -322,7 +322,7 @@ class DiscourseSingleSignOn < SingleSignOn

    if card_background_url.present?
      card_background_missing = user.user_profile.card_background_upload.blank? || Upload.get_from_url(user.user_profile.card_background_upload.url).blank?
-      if card_background_missing || SiteSetting.sso_overrides_profile_background
+      if card_background_missing || SiteSetting.discourse_connect_overrides_profile_background
        card_background_changed = sso_record.external_card_background_url != card_background_url
        if card_background_changed || card_background_missing
          Jobs.enqueue(:download_profile_background_from_url,
--- a/app/models/invite.rb
+++ b/app/models/invite.rb
@@ -361,7 +361,7 @@ class Invite < ActiveRecord::Base
    return if email.blank?

    if SiteSetting.enable_sso?
-      errors.add(:email, I18n.t("invite.disabled_errors.sso_enabled"))
+      errors.add(:email, I18n.t("invite.disabled_errors.discourse_connect_enabled"))
    elsif !SiteSetting.enable_local_logins?
      errors.add(:email, I18n.t("invite.disabled_errors.local_logins_disabled"))
    end
--- a/app/serializers/admin_user_list_serializer.rb
+++ b/app/serializers/admin_user_list_serializer.rb
@@ -106,7 +106,7 @@ class AdminUserListSerializer < BasicUserSerializer
  end

  def include_second_factor_enabled?
-    !SiteSetting.enable_sso &&
+    !SiteSetting.enable_discourse_connect &&
      SiteSetting.enable_local_logins &&
      object.has_any_second_factor_methods_enabled?
  end
--- a/app/serializers/current_user_serializer.rb
+++ b/app/serializers/current_user_serializer.rb
@@ -228,7 +228,7 @@ class CurrentUserSerializer < BasicUserSerializer
  end

  def include_external_id?
-    SiteSetting.enable_sso
+    SiteSetting.enable_discourse_connect
  end

  def second_factor_enabled
--- a/app/serializers/notification_serializer.rb
+++ b/app/serializers/notification_serializer.rb
@@ -44,7 +44,7 @@ class NotificationSerializer < ApplicationSerializer
  end

  def include_external_id?
-    SiteSetting.enable_sso
+    SiteSetting.enable_discourse_connect
  end

 end
--- a/app/serializers/user_serializer.rb
+++ b/app/serializers/user_serializer.rb
@@ -120,15 +120,15 @@ class UserSerializer < UserCardSerializer
  end

  def can_change_bio
-    !(SiteSetting.enable_sso && SiteSetting.sso_overrides_bio)
+    !(SiteSetting.enable_discourse_connect && SiteSetting.discourse_connect_overrides_bio)
  end

  def can_change_location
-    !(SiteSetting.enable_sso && SiteSetting.sso_overrides_location)
+    !(SiteSetting.enable_discourse_connect && SiteSetting.discourse_connect_overrides_location)
  end

  def can_change_website
-    !(SiteSetting.enable_sso && SiteSetting.sso_overrides_website)
+    !(SiteSetting.enable_discourse_connect && SiteSetting.discourse_connect_overrides_website)
  end

  def user_api_keys
--- a/app/services/user_updater.rb
+++ b/app/services/user_updater.rb
@@ -67,15 +67,15 @@ class UserUpdater
  def update(attributes = {})
    user_profile = user.user_profile
    user_profile.dismissed_banner_key = attributes[:dismissed_banner_key] if attributes[:dismissed_banner_key].present?
-    unless SiteSetting.enable_sso && SiteSetting.sso_overrides_bio
+    unless SiteSetting.enable_discourse_connect && SiteSetting.discourse_connect_overrides_bio
      user_profile.bio_raw = attributes.fetch(:bio_raw) { user_profile.bio_raw }
    end

-    unless SiteSetting.enable_sso && SiteSetting.sso_overrides_location
+    unless SiteSetting.enable_discourse_connect && SiteSetting.discourse_connect_overrides_location
      user_profile.location = attributes.fetch(:location) { user_profile.location }
    end

-    unless SiteSetting.enable_sso && SiteSetting.sso_overrides_website
+    unless SiteSetting.enable_discourse_connect && SiteSetting.discourse_connect_overrides_website
      user_profile.website = format_url(attributes.fetch(:website) { user_profile.website })
    end

--- a/app/views/session/sso_login.html.erb
+++ b/app/views/session/sso_login.html.erb
@@ -1,4 +1,4 @@
-<h1><%= t('sso.login_error') %></h1>
+<h1><%= t('discourse_connect.login_error') %></h1>

 <br/>