Migrate LDAP to SAML #1716

Closed
opened 2026-02-05 01:42:09 +03:00 by OVERLORD · 3 comments

Originally created by @JtheBAB on GitHub (May 6, 2020).

Hi

I would like to change my BookStack instance, with a lot of LDAP users, to SAML authentication.

Is this straightforward, or do I need to change something so that currently existing LDAP users can log in with SAML?

Thank you

OVERLORD added the 🐕 Support Question labels 2026-02-05 01:42:09 +03:00

@miterion commented on GitHub (Jul 16, 2020):

Hi,

Our organisation switched from LDAP to SAML. Users could log in afterwards to their accounts created using the LDAP authentication.

Matching of users is done using the SAML2_EXTERNAL_ID_ATTRIBUTE attribute, so make sure it contains the same value as the LDAP_ID_ATTRIBUTE (for the same user).


@ssddanbrown commented on GitHub (Jul 28, 2020):

Yeah, @miterion is spot-on here. Both systems match existing users by checking their stored `external_auth_id` with the id provided by the LDAP/SAML system. If you're using the same attribute (that has the same values), you should be good; otherwise you might need to update the `external_auth_id` of existing users on migration.

The `external_auth_id` is just stored as a column on the `users` table within the database, if you need a programmatic/bulk way of updating.

If you're using group/role sync then that may be an additional consideration. It is supported in SAML, but there could be differences in how your auth system provides those groups to BookStack. Additionally, with LDAP we walk up the group chain to get parent groups, whereas I don't think there's a standardised way to do this on the SAML side.

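The pre-migration audit and bulk update that the comment above implies, as an added example in MySQL; it is not part of this thread or BookStack's own code. It assumes BookStack's MySQL database, that `users.email` is the key used to match existing LDAP-created accounts to the identity provider's export, and a constructed staging table `saml_id_map` standing in for that export (the value in `saml_ext_id` is what the IdP will send in the attribute named by `SAML2_EXTERNAL_ID_ATTRIBUTE`).

```sql
-- Added example, not BookStack's code. Assumed: MySQL, users.email as the
-- join key, and a staging table built from the IdP's user export.
-- Take a database backup before running the UPDATE step.

-- 1. Staging table with constructed sample rows (replace with the real export).
CREATE TEMPORARY TABLE saml_id_map (
    email       VARCHAR(250) NOT NULL PRIMARY KEY,
    saml_ext_id VARCHAR(250) NOT NULL
);
INSERT INTO saml_id_map (email, saml_ext_id) VALUES
    ('alice@example.org', 'alice'),          -- same value LDAP_ID_ATTRIBUTE gave
    ('bob@example.org',   'bob.jones'),      -- IdP sends a different identifier
    ('carol@example.org', 'carol');

-- 2. Guard: each SAML identifier must map to exactly one account, otherwise
--    two BookStack users would be matched to the same external identity.
SELECT saml_ext_id, COUNT(*) AS accounts
FROM saml_id_map
GROUP BY saml_ext_id
HAVING COUNT(*) > 1;                         -- expect no rows before continuing

-- 3. Audit: accounts whose stored external_auth_id differs from what the IdP
--    will send. These are the users who would NOT be matched on first SAML login.
SELECT u.id, u.email, u.external_auth_id AS ldap_id, m.saml_ext_id
FROM users u
JOIN saml_id_map m ON m.email = u.email
WHERE COALESCE(u.external_auth_id, '') <> m.saml_ext_id;

-- 4. Audit: LDAP-linked accounts with no entry in the IdP export at all.
SELECT u.id, u.email, u.external_auth_id
FROM users u
LEFT JOIN saml_id_map m ON m.email = u.email
WHERE m.email IS NULL
  AND COALESCE(u.external_auth_id, '') <> '';

-- 5. Bulk update only the rows that differ, inside a transaction so the
--    affected-row count can be checked against step 3 before committing.
START TRANSACTION;
UPDATE users u
JOIN saml_id_map m ON m.email = u.email
SET u.external_auth_id = m.saml_ext_id
WHERE COALESCE(u.external_auth_id, '') <> m.saml_ext_id;
-- Compare the reported row count with the step-3 result, then:
COMMIT;   -- or ROLLBACK; if the counts do not agree
```

Steps 2 to 4 are read-only and can be run repeatedly against a live instance; only step 5 writes, and only for the accounts step 3 reported.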

@JtheBAB commented on GitHub (Jul 28, 2020):

Thank you both for the explanations. I will check if and how I will do it.


Reference: starred/BookStack#1716