SAML login redirect url on /saml2/acs (POST) #1654

Closed
opened 2026-02-05 01:31:21 +03:00 by OVERLORD · 10 comments

Originally created by @col-panic on GitHub (Apr 15, 2020).

Describe the bug
Logging in to bookstack via SAML2 delivers the wrong redirection url. As can be seen on the enclosed image, I receive the application's logo location as redirect url, instead of the bookstack base application url.

Nowhere within the SAML authentication system is this logo url set up. (We use keycloak)

Steps To Reproduce
n/a

Expected behavior
A clear and concise description of what you expected to happen.

Screenshots
![2020-04-15_1054](https://user-images.githubusercontent.com/1679857/79318931-f7f8d580-7f07-11ea-81ed-cc5f58d826bf.png)

Your Configuration (please complete the following information):

  • Exact BookStack Version (Found in settings): 0.29.0
  • PHP Version: 7.2
  • Hosting Method (Nginx/Apache/Docker): docker

Additional context

OVERLORD added the 🚪 Authentication and 🏭 Back-End labels 2026-02-05 01:31:21 +03:00

@ssddanbrown commented on GitHub (Apr 25, 2020):

Hi @col-panic,

Does your logo load fine when on the login page of your BookStack instance? Does the request to load the logo redirect at all?

Also, could you confirm if you have set a `STORAGE_TYPE` variable in your `.env` or as an environment variable and, if so, confirm what `STORAGE_TYPE` you are currently using?


@col-panic commented on GitHub (Apr 27, 2020):

Hi @ssddanbrown, yes, it will show the logo, but no, it will not automatically redirect to the main page. That is, I have to manually enter /bookstack (when I see the logo after SAML auth) to get a valid login.

Confirmed, `STORAGE_TYPE=local_secure`


@ssddanbrown commented on GitHub (Apr 27, 2020):

@col-panic Thanks for confirming. I think that since the images on `local_secure` are routed through the app, BookStack will therefore store the logo request as a last app call, and then redirect you to that last app call after login. Will do some testing on my end to validate this and explore a patch.


@col-panic commented on GitHub (Apr 28, 2020):

@ssddanbrown that's great - thank you!


@ssddanbrown commented on GitHub (Sep 5, 2020):

Hi @col-panic,
Apologies for my late reply.

I've done some deeper investigation and I don't think this is caused by what I thought it was. System images (app logo) are uploaded directly into the public space, so the requests should not be routed through the application.

I have tested a keycloak SAML + secure_images setup and all works without issue.

On the ACS request shown in the screenshot, or the original login page GET request, is there a `Referer` request header set at all?
On the HTTP response for the logo image, are cookies included in the response?


@col-panic commented on GitHub (Sep 9, 2020):

Hi @ssddanbrown, thanks for your response. Currently I am unable to re-enact the problem, as we had a change of setup. I will further try, as I can remember that the current version still had the problem!


@IntelligentesTierMaulApollo13 commented on GitHub (Dec 18, 2020):

I've got a similar error redirecting users to the logo file after they have successfully logged in with their LDAP username and password (Samba4 as backend).

We are on 0.30.7 now, but the problem has existed since we switched to `local_secure` storage in v0.30.3.

I see that the problem only exists on the first login. If I log out and log in again I don't get redirected to the logo file.


@ssddanbrown commented on GitHub (Dec 18, 2020):

@IntelligentesTierMaulApollo13 Could you try re-uploading the image in the settings area? The app logo gets uploaded into public space when `local_secure` is active. If you've migrated then you may have moved this out of public.

> I see that the problem only exists on the first login. If I log out and log in again I don't get redirected to the logo file.

I imagine the image is cached by that point, so it does not have the same effect as the browser does not need to request the image from BookStack.

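The mechanism discussed in this thread (a logo that is served through the application gets remembered as the "last app call" and becomes the post-login redirect target) modelled as an added example; this is not BookStack's own code, and the APP_URL, the asset suffix list and the excluded path prefixes are assumptions chosen to illustrate the point. The tracker ignores non-GET requests, asset fetches, auth endpoints and any URL outside the app's own scheme, host and base path, so the post-login destination is always either a real page under APP_URL or the base URL itself.

```python
from urllib.parse import urlsplit

# Assumed: suffixes of files the browser fetches as page assets, never as a
# page the user actually navigated to (the app logo falls in here).
ASSET_SUFFIXES = (".png", ".jpg", ".jpeg", ".gif", ".svg", ".ico", ".css", ".js", ".woff2")
# Assumed: app-relative path prefixes that must never become the post-login
# destination (auth flow endpoints and the image-serving route).
UNTRACKED_PREFIXES = ("/login", "/logout", "/register", "/saml2", "/uploads/images")


class LoginRedirectTracker:
    """Remembers the last real page a visitor requested so login can send them
    back there, while refusing to remember asset requests or foreign URLs."""

    def __init__(self, app_url: str):
        self.app_url = app_url.rstrip("/")
        self._base = urlsplit(self.app_url)
        self._intended = None

    def is_trackable(self, method: str, url: str) -> bool:
        """True only for a GET of a page under the app's own base URL."""
        if method.upper() != "GET":
            return False
        parts = urlsplit(url)
        # Same scheme and host as the configured app URL (blocks off-site targets).
        if (parts.scheme, parts.netloc) != (self._base.scheme, self._base.netloc):
            return False
        # Path must be the base path itself or sit below it ("/bookstack2" is rejected).
        if not (parts.path == self._base.path or parts.path.startswith(self._base.path + "/")):
            return False
        relative = parts.path[len(self._base.path):]
        if relative.lower().endswith(ASSET_SUFFIXES):
            return False
        return not relative.startswith(UNTRACKED_PREFIXES)

    def observe(self, method: str, url: str) -> bool:
        """Record the request as the intended return page if it qualifies."""
        if self.is_trackable(method, url):
            self._intended = url
            return True
        return False

    def post_login_target(self) -> str:
        """Consume the remembered page, falling back to the app base URL."""
        target, self._intended = self._intended, None
        return target or self.app_url
```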

@IntelligentesTierMaulApollo13 commented on GitHub (Dec 18, 2020):

@ssddanbrown Thanks a lot! That was a very quick reply. And the right one :) Re-uploading the logo file fixed it.


@ssddanbrown commented on GitHub (Dec 18, 2020):

@IntelligentesTierMaulApollo13 Awesome! Glad that worked!

@col-panic I'll therefore close this since you were not able to re-enact and since it's been a couple months. If you get the issue again this can always be re-opened or feel free to create a new issue referencing this one.

Reference: starred/BookStack#1654