starred/BookStack
1
0
Fork 0
mirror of https://github.com/BookStackApp/BookStack.git synced 2026-02-05 00:29:48 +03:00
Code Issues 305 Packages Projects Releases 10 Wiki Activity

With SAML/SSO enabled, Logout logs out of the IDP but Bookstack still thinks I am authenticated #2090

New Issue
Closed
opened 2026-02-05 02:52:01 +03:00 by OVERLORD · 9 comments
OVERLORD commented 2026-02-05 02:52:01 +03:00
Owner
Copy Link

Originally created by @tmrhymer on GitHub (Feb 11, 2021).

Describe the bug
With SAML/SSO enabled, Clicking the Logout button logs users out of the IDP but Bookstack still thinks they are authenticated and they can still navigate Bookstack, even if they close and reopen their browser. This seems to be cookie session related. If you delete the cookies for Bookstack, XSRF-TOKEN and bookstack_session, you get prompted to authenticate again.

Steps To Reproduce
With SAML/SSO enabled for authentication

  1. Logout of Bookstack
  2. Close your browser
  3. Reopen same browser
  4. Navigate to Bookstack and you will not get prompted to authenticate to the IDP.

Expected behavior
Clicking the logout button should log us out of both the IDP and Bookstack.

Your Configuration (please complete the following information):

  • Exact BookStack Version (Found in settings): 31.4
  • PHP Version: 7.3.26
  • Hosting Method (Nginx/Apache/Docker): Apache 2.4.6

Additional context
Add any other context about the problem here.

Originally created by @tmrhymer on GitHub (Feb 11, 2021). **Describe the bug** With SAML/SSO enabled, Clicking the Logout button logs users out of the IDP but Bookstack still thinks they are authenticated and they can still navigate Bookstack, even if they close and reopen their browser. This seems to be cookie session related. If you delete the cookies for Bookstack, XSRF-TOKEN and bookstack_session, you get prompted to authenticate again. **Steps To Reproduce** With SAML/SSO enabled for authentication 1. Logout of Bookstack 2. Close your browser 3. Reopen same browser 4. Navigate to Bookstack and you will not get prompted to authenticate to the IDP. **Expected behavior** Clicking the logout button should log us out of both the IDP and Bookstack. **Your Configuration (please complete the following information):** - Exact BookStack Version (Found in settings): 31.4 - PHP Version: 7.3.26 - Hosting Method (Nginx/Apache/Docker): Apache 2.4.6 **Additional context** Add any other context about the problem here.
OVERLORD commented 2026-02-05 02:52:12 +03:00
Author
Owner
Copy Link

@ssddanbrown commented on GitHub (Feb 12, 2021):

Hi @jimmyc802,

Can you confirm and details about your SSO system at all? Are you using ADFS or another popular offering?

@ssddanbrown commented on GitHub (Feb 12, 2021): Hi @jimmyc802, Can you confirm and details about your SSO system at all? Are you using ADFS or another popular offering?
OVERLORD commented 2026-02-05 02:52:17 +03:00
Author
Owner
Copy Link

@tmrhymer commented on GitHub (Feb 12, 2021):

Hey Dan! We are using Azure AD Enterprise Applications. Here is our SAML config on the Azure AD side and our SAML config in bookstack:

2021-02-11 17_33_49-Microsoft Azure

SAML2_NAME=SSO
SAML2_EMAIL_ATTRIBUTE=http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
SAML2_EXTERNAL_ID_ATTRIBUTE=uid
SAML2_DISPLAY_NAME_ATTRIBUTES=http://schemas.microsoft.com/identity/claims/displayname
SAML2_IDP_ENTITYID=https://sts.windows.net/<redacted>/
SAML2_AUTOLOAD_METADATA=false
SAML2_IDP_SSO=https://login.microsoftonline.com/<redacted>/saml2
SAML2_IDP_SLO=https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0
SAML2_IDP_x509=<redacted>
@tmrhymer commented on GitHub (Feb 12, 2021): Hey Dan! We are using Azure AD Enterprise Applications. Here is our SAML config on the Azure AD side and our SAML config in bookstack: ![2021-02-11 17_33_49-Microsoft Azure](https://user-images.githubusercontent.com/1918286/107713409-c8823900-6c90-11eb-8323-bd7f36d62cc5.png) ``` SAML2_NAME=SSO SAML2_EMAIL_ATTRIBUTE=http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress SAML2_EXTERNAL_ID_ATTRIBUTE=uid SAML2_DISPLAY_NAME_ATTRIBUTES=http://schemas.microsoft.com/identity/claims/displayname SAML2_IDP_ENTITYID=https://sts.windows.net/<redacted>/ SAML2_AUTOLOAD_METADATA=false SAML2_IDP_SSO=https://login.microsoftonline.com/<redacted>/saml2 SAML2_IDP_SLO=https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0 SAML2_IDP_x509=<redacted> ```
OVERLORD commented 2026-02-05 02:52:20 +03:00
Author
Owner
Copy Link

@ssddanbrown commented on GitHub (Feb 12, 2021):

Thanks @jimmyc802 for the extra context.
There are various other SAML single logout issues here, particularly around Microsoft systems but authentication issues are particularly difficult & time consuming to test, review & action; especially surrounding systems that I have limited or no access to.

I'm trying to get through some of the pending SAML issues/prs in this release cycle though.
If you need something urgently it might be worth having a search across those issues or PRs as sometimes people will post patches or workarounds.

@ssddanbrown commented on GitHub (Feb 12, 2021): Thanks @jimmyc802 for the extra context. There are various other SAML single logout issues here, particularly around Microsoft systems but authentication issues are particularly difficult & time consuming to test, review & action; especially surrounding systems that I have limited or no access to. I'm trying to get through some of the pending SAML issues/prs in this release cycle though. If you need something urgently it might be worth having a search across those issues or PRs as sometimes people will post patches or workarounds.
OVERLORD commented 2026-02-05 02:52:23 +03:00
Author
Owner
Copy Link

@tmrhymer commented on GitHub (Feb 17, 2021):

I'll keep an eye out. Let me know if you hear of anything in the meantime.

@tmrhymer commented on GitHub (Feb 17, 2021): I'll keep an eye out. Let me know if you hear of anything in the meantime.
OVERLORD commented 2026-02-05 02:52:28 +03:00
Author
Owner
Copy Link

@abulgatz commented on GitHub (Feb 19, 2021):

@ssddanbrown I can provide free admin access to a Microsoft Azure AD tenant if you'd like for testing purposes.

@abulgatz commented on GitHub (Feb 19, 2021): @ssddanbrown I can provide free admin access to a Microsoft Azure AD tenant if you'd like for testing purposes.
OVERLORD commented 2026-02-05 02:52:36 +03:00
Author
Owner
Copy Link

@aswgxf commented on GitHub (Jul 27, 2022):

Are there any updates on this? We are looking into moving all of our documentation into BookStack and currently have the SAML auth configured.

@aswgxf commented on GitHub (Jul 27, 2022): Are there any updates on this? We are looking into moving all of our documentation into BookStack and currently have the SAML auth configured.
OVERLORD commented 2026-02-05 02:52:39 +03:00
Author
Owner
Copy Link

@ssddanbrown commented on GitHub (Jul 27, 2022):

@aswgxf Some further changes were made in #2902. Looks like I tested AFDS with SLS at that time, So not sure if this issue is actually relevant any more.

@ssddanbrown commented on GitHub (Jul 27, 2022): @aswgxf Some further changes were made in #2902. Looks like I tested AFDS with SLS at that time, So not sure if this issue is actually relevant any more.
OVERLORD commented 2026-02-05 02:52:44 +03:00
Author
Owner
Copy Link

@ssddanbrown commented on GitHub (Oct 3, 2022):

Upon my comment above, I'm going to go ahead and close this off.
If you are facing issues after configuring logout via SAML, please open a new issue rather than responding to this one as the details will likely have since changed.

@ssddanbrown commented on GitHub (Oct 3, 2022): Upon my comment above, I'm going to go ahead and close this off. If you are facing issues after configuring logout via SAML, please open a new issue rather than responding to this one as the details will likely have since changed.
OVERLORD commented 2026-02-05 02:52:49 +03:00
Author
Owner
Copy Link

@radiantwave commented on GitHub (Dec 6, 2023):

I have the same issue.
Which details could help here?

Using v23.10.4
These are my settings:

AUTH_METHOD=saml2
AUTH_AUTO_INITIATE=true
SAML2_NAME=authentik
SAML2_EMAIL_ATTRIBUTE=email
SAML2_EXTERNAL_ID_ATTRIBUTE=uid
SAML2_USER_TO_GROUPS=true
SAML2_GROUP_ATTRIBUTE=http://schemas.xmlsoap.org/claims/Group
SAML2_DISPLAY_NAME_ATTRIBUTES=http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
SAML2_IDP_ENTITYID=https://authentik.<company>/api/v3/providers/saml/11/metadata/?download
SAML2_AUTOLOAD_METADATA=true
@radiantwave commented on GitHub (Dec 6, 2023): I have the same issue. Which details could help here? Using v23.10.4 These are my settings: ``` AUTH_METHOD=saml2 AUTH_AUTO_INITIATE=true SAML2_NAME=authentik SAML2_EMAIL_ATTRIBUTE=email SAML2_EXTERNAL_ID_ATTRIBUTE=uid SAML2_USER_TO_GROUPS=true SAML2_GROUP_ATTRIBUTE=http://schemas.xmlsoap.org/claims/Group SAML2_DISPLAY_NAME_ATTRIBUTES=http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name SAML2_IDP_ENTITYID=https://authentik.<company>/api/v3/providers/saml/11/metadata/?download SAML2_AUTOLOAD_METADATA=true ```
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
🎨 Design
📖 Docs Update
🐛 Bug
🐛 Bug
:cat2:🐈 Possible duplicate
💿 Database
Open to discussion
💻 Front-End
🐕 Support
🚪 Authentication
🌍 Translations
🔌 API Task
🏭 Back-End
Upstream
🔨 Feature Request
🛠️ Enhancement
🛠️ Enhancement
🛠️ Enhancement
❤️ Happy feedback
🔒 Security
🔍 Pending Validation
💆 UX
📝 WYSIWYG Editor
🌔 Out of scope
🔩 API Request
:octocat: Admin/Meta
🖌️ View Customization
Question
🚀 Priority
🛡️ Blocked
🚚 Export System
A11y
🔧 Maintenance
> Markdown Editor
No Label
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
OVERLORD
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: starred/BookStack#2090
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?