External SAML Logout: Redirect to invalid URL Error #1626

Closed
opened 2026-02-05 01:27:32 +03:00 by OVERLORD · 3 comments
Owner

Originally created by @BrentOates on GitHub (Apr 4, 2020).

Describe the bug
I'm using several applications including BookStack behind SAML2 via Keycloak; however, when another application starts a logout flow, BookStack gives a "Redirect to invalid URL" error on OneLogin\Saml2\Error.

If a user logs out using BookStack's interface, the logout is successful across all applications, and the error only happens when it is another application that a user clicks logout in, and the error only happens in BookStack as the process completes if BookStack's SAML is disabled to test.

The url of the error is <app_url>/saml2/sls?SAMLRequest so it is hitting the right LogoutService Url.

Steps To Reproduce
Steps to reproduce the behavior:

  1. Have multiple applications behind Keycloak and use a Saml2 client for BookStack
  2. Click logout in another application i.e. a WordPress Site / NextCloud etc.
  3. Receive the Redirect to invalid URL error.

Expected behavior
When logging out of any application, BookStack should also log out, or at least not error.

Your Configuration (please complete the following information):

  • Exact BookStack Version (Found in settings): v0.28.3
  • PHP Version: 7.3
  • Hosting Method (Nginx/Apache/Docker): Apache

Additional context
Not 100% sure what information is needed or safe to put up, but happy to provide anything as needed.

The SAML lines from my .env are

```
AUTH_METHOD=saml2

SAML2_NAME=Keycloak

SAML2_EMAIL_ATTRIBUTE= email
SAML2_EXTERNAL_ID_ATTRIBUTE= username
SAML2_DISPLAY_NAME_ATTRIBUTES= firstName|lastName

SAML2_IDP_ENTITYID=<keycloak_rooturl>/auth/realms/norvrandt/protocol/saml/descriptor

SAML2_AUTOLOAD_METADATA=true
```

@marcolertora commented on GitHub (Apr 14, 2020):

I have the same problem.
I think the problem is in the initialization of singleLogoutService->responseUrl (here https://github.com/BookStackApp/BookStack/blob/master/app/Config/saml2.php#L104) to an empty string instead of null during SAML config generation.
An empty string skips the isset condition here https://github.com/onelogin/php-saml/blob/master/lib/Saml2/Auth.php#L622, leaving the redirect without a valid URL.
Setting responseUrl to null makes it work, at least in my scenario.
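
The empty-string versus null difference discussed in the comment above, as an added example that is not code from BookStack or php-saml. It is a simplified model: the function names and the IdP URL are hypothetical, and the strict variant is one possible way to reject an empty or malformed redirect target before it is used.

```php
<?php
// Simplified model of choosing the IdP URL that receives the LogoutResponse.
// Function names and URLs are hypothetical; this is not php-saml or BookStack source.

function sloResponseTarget(array $idp): string
{
    $sls = $idp['singleLogoutService'] ?? [];
    // isset() is false only for a missing key or null, so '' is accepted here.
    if (isset($sls['responseUrl'])) {
        return $sls['responseUrl'];
    }
    return $sls['url'];
}

function sloResponseTargetStrict(array $idp): string
{
    $sls = $idp['singleLogoutService'] ?? [];
    // Treat '' the same as "not configured" and fall back to the SLO URL.
    $candidate = $sls['responseUrl'] ?? '';
    if ($candidate === '') {
        $candidate = $sls['url'] ?? '';
    }
    // Refuse to hand an empty or malformed target to the redirect step.
    if (filter_var($candidate, FILTER_VALIDATE_URL) === false) {
        throw new InvalidArgumentException('No valid SLO response URL configured');
    }
    return $candidate;
}

// Constructed sample value, not taken from the issue.
$sloUrl = 'https://idp.example.test/auth/realms/demo/protocol/saml';

$cases = [
    'responseUrl = ""'   => ['url' => $sloUrl, 'responseUrl' => ''],
    'responseUrl = null' => ['url' => $sloUrl, 'responseUrl' => null],
    'responseUrl unset'  => ['url' => $sloUrl],
];

foreach ($cases as $label => $sls) {
    $idp = ['singleLogoutService' => $sls];
    printf("%-20s isset-only: %-58s strict: %s\n", $label,
        var_export(sloResponseTarget($idp), true),
        sloResponseTargetStrict($idp));
}
```

Only the empty-string case yields an empty target from the isset-only function; the strict variant falls back to the SLO URL in all three cases and throws if neither value is a valid URL.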


@BrentOates commented on GitHub (Apr 14, 2020):

@marcolertora I've just set that to null and it's now working as intended - thanks for the quick workaround for that!


@ssddanbrown commented on GitHub (Sep 5, 2020):

Thanks for the detail @marcolertora,

Have confirmed this and tested via keycloak myself. Patch applied to be part of the next release.

Reference: starred/BookStack#1626