From bf2bbfb06e1dd8192166d2df548fc221fa977a37 Mon Sep 17 00:00:00 2001
From: Paul Annesley
Date: Mon, 26 Jan 2015 13:52:02 -0800
Subject: [PATCH] sso_secret: cryptographically authenticate, not encrypt.

The sso_secret is an input to HMAC, which is a hash-based message authentication code, not encryption.
---
 config/locales/server.en.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/config/locales/server.en.yml b/config/locales/server.en.yml
index 2dfe2267d..60eb89461 100644
--- a/config/locales/server.en.yml
+++ b/config/locales/server.en.yml
@@ -783,7 +783,7 @@ en:
 enable_sso: "Enable single sign on via an external site (WARNING: can prevent anyone from logging in if not properly configured when enabled; also disables invites)"
 enable_sso_provider: "Implement Discourse SSO protocol at the /session/sso_provider endpoint, requires sso_secret to be set"
 sso_url: "URL of single sign on endpoint"
- sso_secret: "Secret string used to encrypt/decrypt SSO information, be sure it is 10 chars or longer"
+ sso_secret: "Secret string used to cryptographically authenticate SSO information, be sure it is 10 characters or longer"
 sso_overrides_email: "Overrides local email with external site email from SSO payload (WARNING: discrepancies can occur due to normalization of local emails)"
 sso_overrides_username: "Overrides local username with external site username from SSO payload (WARNING: discrepancies can occur due to differences in username length/requirements)"
 sso_overrides_name: "Overrides local name with external site name from SSO payload (WARNING: discrepancies can occur due to normalization of local names)"