mirror of
https://github.com/BookStackApp/BookStack.git
synced 2026-05-04 18:08:46 +03:00
Mix/combine AUTH_METHOD options
#2224
Open
opened 2026-02-05 03:22:27 +03:00 by OVERLORD
·
23 comments
Originally created by @pbordon on GitHub (Apr 27, 2021).
Is there a possibility to log in with a mixed method: LDAP or simple user registration, defined by the user?
@ssddanbrown commented on GitHub (Apr 30, 2021):
Hi @pbordon,
Would you be able to provide insight into the environment where you'd want this within and the benefits this would bring?
@pbordon commented on GitHub (May 3, 2021):
In my organization, we have internal users, connected to an AD and external users, which are many and vary over time. Therefore I wanted to implement the login via LDAP for internal users and for external users to register separately.
@ssddanbrown commented on GitHub (Nov 8, 2022):
Updating this to be generic to methods, and merging similar issues into this.
@abulgatz commented on GitHub (Feb 5, 2023):
Any plans to add this to your roadmap or implement this? Internal SSO with guest access seems pretty common.
@ssddanbrown commented on GitHub (Feb 5, 2023):
@abulgatz Probably not anytime too soon, to be totally honest. It's high-risk, low demand, low target audience, high support & maintenance. Therefore it doesn't look worth including at this time.
@Fabsky commented on GitHub (Jul 6, 2023):
I'm in the same case; I mean I have content for internal users (Azure), and content for customers (self-register).
@mfatfhg commented on GitHub (Jul 26, 2023):
Hi, I have opened #4401 and because it was closed, I would like to continue the discussion here.
One of the reasons why we would like to see this feature was:
This was answered by @ssddanbrown with the following argument:
This would be like changing the electronic door locks against bearded locks in case of power failure before entering the building.
And changing a config only to access your documentation system is not what you want to do in an emergency situation. And not everyone who needs access to the system in such a situation has the ability or possibility to do this.
@ssddanbrown commented on GitHub (Apr 24, 2024):
@GitTH Like this:?
Open image here
Third party auth sources work alongside primary auth options, so you may be able to use Azure/Google third party options alongside standard email auth.
@simonpa71 commented on GitHub (Apr 29, 2024):
Plus one for this feature request. LDAP may work or not, but I would like to configure a local Admin access anytime. Gitea has this feature, and it makes it easy to configure an admin for maintenance and config, without depending on LDAP, while importing local users with LDAP. My scenario is simpler than generic mix and match, and could be a starting point.
@CamaroSS commented on GitHub (Jun 10, 2024):
This feature would be very useful. This way we would be able to sign in from our internal system using SAML2 and have external accounts who sign in using email and password.
@eoli3n commented on GitHub (Oct 29, 2024):
https://github.com/BookStackApp/BookStack/issues/5296
@eoli3n commented on GitHub (Oct 29, 2024):
I strongly disagree, this should be default to be honest. Isn't it as simple as putting a checkbox to be able to trigger local authentication for the current session?
I worked around this by moving the admin account to an LDAP one; the problem is that if my AD is down, I'm locked out.
@chunter-ccps commented on GitHub (Feb 18, 2025):
+1 to this request. It is very common for a business to have SAML or LDAP accounts for employees and have email/password based signup for customer accounts.
@schlupmann commented on GitHub (Mar 25, 2025):
Since we needed backend SOAP logout functionality for BookStack, I replaced the OneLogin SAML plugin with SimpleSAMLphp. The main changes involved rewriting Saml2Controller.php and Saml2Service.php, as well as adding configuration files to the app/Config directory. The integration now works as intended with the latest SimpleSAMLphp library (LGPL-licensed) installed in the vendor folder.
This is to say that we have been using SimpleSAMLphp with two different identity providers: a local LDAP (with SimpleSAMLphp acting as the IDP) and a French national education SAML ID provider. Both are running seamlessly together for Moodle and ResourceSpace. The same can be set up for BookStack as well. SimpleSAMLphp supports multiple IDPs and SPs.
If Dan sees value in this and there’s a need for it, I’m happy to clean up the code and provide it.
Also, many thanks to Dan for creating this awesome software!
@timhallmann commented on GitHub (Mar 28, 2025):
Hello @schlupmann, thank you for mentioning your setup! I'm certainly interested in seeing how it works. If you're comfortable publishing the current version, I'd also be happy to take a look at the code as-is.
@schlupmann commented on GitHub (Mar 28, 2025):
@timhallmann,
You can have a look at the SOAP / backend logout with SAML2 for BookStack here: [BookStack_saml2_SOAP](https://github.com/BookStackApp/BookStack/compare/development...schlupmann:BookStack_saml2_SOAP:development)
This is not a cleaned-up version, and the integration with BookStack's SAML2 configuration is quite limited. I prefer working directly with SimpleSAMLphp's configuration, which I’ve set up in the added /app/Config/simplesamlphp folder. However, if there's interest, it wouldn't be too difficult to migrate most standard configuration settings into the /app/Config/saml2.php file and eliminate the "dirty" autoloading of the SimpleSAMLphp library.
To set up SimpleSAMLphp, please refer to the official documentation. The main steps are as follows:
Short explanation of backend logout flow:
Routes Configuration: Web routes in BookStack's routes/web.php define SAML endpoints that receive IdP logout requests and direct them to Saml2Controller
Saml2Controller.php:
Houses main back-channel logout logic in handleSingleLogout():
Implements logoutFromIdpBackChannel() method which:
@timhallmann commented on GitHub (Mar 31, 2025):
It's not relevant to this issue, but here is a link to my OIDC extension based on the work by @schlupmann -- thanks again!
@voxain commented on GitHub (Jul 16, 2025):
+1 on this. We want to use BookStack alongside our emergency documentation system for documentation. In case everything comes crashing down, it'd be handy to at least have a universal admin login or token that always works, just in case, preferably without changing the login method in the config.
@kilian-goetz commented on GitHub (Jul 31, 2025):
Greetings,
I agree with this feature. We need two authentication methods at the same time: OIDC (for users) and classic authentication for the administration account, as well as a backup system in case the OIDC provider is down.
@bwint commented on GitHub (Dec 3, 2025):
+1 for this feature.
Would be great to be able to use standard/local authentication as backup in case the primary authentication provider is down.
@swtgmxat commented on GitHub (Dec 3, 2025):
Also +1, very important feature to have two LOGIN methods in parallel. E.g. LDAP is down, local admin should still work. Also for permission testing, very helpful to have a local test user. All the best
@eoli3n commented on GitHub (Dec 3, 2025):
+10, this should be in top priority tier
@holger-dev commented on GitHub (Feb 2, 2026):
+10