[Support Request]: SAML2 Group mapping seems ignored #2531

Closed
opened 2026-02-05 04:25:27 +03:00 by OVERLORD · 4 comments

Originally created by @justsem on GitHub (Dec 15, 2021).

Attempted Debugging

  • I have read the debugging page

Searched GitHub Issues

  • I have searched GitHub for the issue.

Describe the Scenario

When using SAML2 as the authentication backend with Authentik as IdP, group syncing seems flawed.

What I've done

  • I have a group called "bookstack-admin" in my IdP. When using SAML2_DUMP_USER_DETAILS=true in .env I can see this group being passed to and received by BookStack. (See below for dump output)
  • I've created a role with display name "Bookstack Admin" and altered the DB to set the external_auth_id to 'bookstack-admin' for the role, since the app didn't let me set that for some reason.

The expected result

  • I expected this group to be automatically mapped to my SAML user (the role has the required permissions), but it isn't, and I'm at a loss to find out why.

Noteworthy

  • I noticed that the 'attrs_after_parsing' values all end up as 'user@mydomain.com'. I'm not sure if that's normal. At first I thought I had messed something up with the mapping, but after trying different values (e.g. the Authentik docs list most attributes as starting with a capital letter) the results remain the same.

Relevant output

.env file

APP_KEY=base64:/<redacted>

APP_URL=https://bookstack.mydomain.com

DB_HOST=<redacted>
DB_DATABASE=bookstack
DB_USERNAME=bookstack
DB_PASSWORD=<redacted>
STORAGE_TYPE=local_secure
MAIL_DRIVER=smtp
AVATAR_URL=false

MAIL_FROM_NAME="BookStack"
MAIL_FROM=bookstack@mydomain.com
MAIL_HOST=<redacted>.servers.mydomain.com
MAIL_PORT=1025
MAIL_USERNAME=null
MAIL_PASSWORD=null
MAIL_ENCRYPTION=null

ALLOW_ROBOTS=false

AUTH_METHOD=saml2
SAML2_NAME=SAML
SAML2_EMAIL_ATTRIBUTE=email
SAML2_EXTERNAL_ID_ATTRIBUTE=uid
SAML2_DISPLAY_NAME_ATTRIBUTES=Name
SAML2_IDP_ENTITYID=https://idp.mydomain.com/api/v3/providers/saml/4/metadata/?download
SAML2_AUTOLOAD_METADATA=true
SAML2_USER_TO_GROUPS=true
SAML2_GROUP_ATTRIBUTE=Groups
SAML2_REMOVE_FROM_GROUPS=true
APP_DEBUG=true

SAML2 JSON Dump

{
  "id_from_idp": "user@mydomain.com",
  "attrs_from_idp": {
    "http://schemas.xmlsoap.org/claims/Group": [
      "authentik Admins",
      "MFA Enabled",
      "bookstack-admin"
    ],
    "http://schemas.goauthentik.io/2021/02/saml/uid": [
      "1"
    ],
    "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname": [
      "my"
    ],
    "http://schemas.goauthentik.io/2021/02/saml/username": [
      "my"
    ],
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name": [
      "My User"
    ],
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress": [
      "user@mydomain.com"
    ],
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn": [
      "user@mydomain.com"
    ]
  },
  "attrs_after_parsing": {
    "external_id": "user@mydomain.com",
    "name": "user@mydomain.com",
    "email": "user@mydomain.com",
    "saml_id": "user@mydomain.com"
  }
}

Exact BookStack Version

v21.11.2

Log Content

No response

PHP Version

PHP 8.0.13 via PHP-FPM

Hosting Environment

Backend

  • Debian 11.1 on amd64
  • Nginx 1.21.4
  • PHP 8.0 FPM

Frontend

  • Debian 11.1 on amd64
  • Nginx 1.21.4 as reverse proxy.

DB

  • Debian 11.1 on amd64
  • MariaDB 15.1

IDP

  • Latest Authentik version in Docker
  • Debian 11.1 on amd64
OVERLORD added the 🐕 Support label 2026-02-05 04:25:27 +03:00

@ssddanbrown commented on GitHub (Dec 15, 2021):

Hi @justSem,
Based upon the dumped details your SAML2_GROUP_ATTRIBUTE value will need to be as follows:

SAML2_GROUP_ATTRIBUTE="http://schemas.xmlsoap.org/claims/Group"

So use the full property name/url in the option. You'll need to make similar changes for any other attribute options.
Let me know how that goes.

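The fix above comes down to how an SP looks up a SAML attribute: the `Name` in the assertion is an opaque string, and Authentik emits the full claim URI, so `Groups` never matches `http://schemas.xmlsoap.org/claims/Group`. The following is an added example (not BookStack's own code) that models that lookup against an attribute map constructed from the dump in this issue, a small heuristic for spotting the right URI in a dump, and the group-to-role sync the .env options describe. The role table `ROLES_BY_EXTERNAL_ID` and the `resolve_roles` semantics are assumptions for illustration, not BookStack's implementation.

```python
from typing import Dict, List, Set

# Attribute map constructed from the attrs_from_idp section of the dump in this issue.
ATTRS_FROM_IDP: Dict[str, List[str]] = {
    "http://schemas.xmlsoap.org/claims/Group": [
        "authentik Admins", "MFA Enabled", "bookstack-admin"],
    "http://schemas.goauthentik.io/2021/02/saml/uid": ["1"],
    "http://schemas.goauthentik.io/2021/02/saml/username": ["my"],
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name": ["My User"],
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress": ["user@mydomain.com"],
}

# Hypothetical role table: external_auth_id -> role display name, as set up in the issue.
ROLES_BY_EXTERNAL_ID: Dict[str, str] = {"bookstack-admin": "Bookstack Admin"}


def get_attribute(attrs: Dict[str, List[str]], name: str) -> List[str]:
    """Exact, case-sensitive lookup of a SAML attribute by its Name.

    There is no alias table: the configured value has to be the exact string
    the IdP puts into the assertion, which for Authentik is a full claim URI.
    """
    return attrs.get(name, [])


def suggest_attribute_names(attrs: Dict[str, List[str]], short_name: str) -> List[str]:
    """Heuristic aid for reading a SAML2_DUMP_USER_DETAILS dump.

    Returns the attribute Names whose last path segment contains the short
    name (case-insensitive, trailing 's' ignored). Only a hint, not a lookup.
    """
    key = short_name.lower().rstrip("s")
    return sorted(n for n in attrs if key in n.rsplit("/", 1)[-1].lower())


def resolve_roles(config: Dict[str, str], attrs: Dict[str, List[str]],
                  current_roles: Set[str]) -> Set[str]:
    """Model of the group sync the .env options in the issue describe.

    SAML2_USER_TO_GROUPS enables syncing, SAML2_GROUP_ATTRIBUTE names the
    attribute, and SAML2_REMOVE_FROM_GROUPS drops externally mapped roles the
    assertion no longer carries. Groups are matched to roles by
    external_auth_id; a group with no matching role grants nothing.
    """
    if config.get("SAML2_USER_TO_GROUPS", "false").lower() != "true":
        return set(current_roles)
    groups = get_attribute(attrs, config.get("SAML2_GROUP_ATTRIBUTE", ""))
    mapped = {ROLES_BY_EXTERNAL_ID[g] for g in groups if g in ROLES_BY_EXTERNAL_ID}
    externally_managed = set(ROLES_BY_EXTERNAL_ID.values())
    if config.get("SAML2_REMOVE_FROM_GROUPS", "false").lower() == "true":
        # Keep only roles not managed by the IdP, then apply what it asserted.
        return (current_roles - externally_managed) | mapped
    return current_roles | mapped


# The .env from the issue (short alias) beside the corrected value from the reply.
BROKEN = {"SAML2_USER_TO_GROUPS": "true", "SAML2_GROUP_ATTRIBUTE": "Groups",
          "SAML2_REMOVE_FROM_GROUPS": "true"}
FIXED = {**BROKEN, "SAML2_GROUP_ATTRIBUTE": "http://schemas.xmlsoap.org/claims/Group"}

if __name__ == "__main__":
    print("groups seen with 'Groups':", get_attribute(ATTRS_FROM_IDP, BROKEN["SAML2_GROUP_ATTRIBUTE"]))
    print("candidate Names:", suggest_attribute_names(ATTRS_FROM_IDP, "Groups"))
    print("roles after login (fixed):", resolve_roles(FIXED, ATTRS_FROM_IDP, {"Editor"}))
```

Two things worth noticing when running it: with the short alias the group list is empty, and because SAML2_REMOVE_FROM_GROUPS=true the sync then strips any externally mapped role the user already had rather than failing loudly, which is what makes this misconfiguration look like "mapping ignored". The same exact-match rule applies to SAML2_EMAIL_ATTRIBUTE, SAML2_EXTERNAL_ID_ATTRIBUTE and SAML2_DISPLAY_NAME_ATTRIBUTES, which is why the reply says to use the full URIs there too.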

@justsem commented on GitHub (Dec 15, 2021):

Yes! That worked like a charm - It's a bit odd that Authentik would pass the full property name though.

Thank you!


@ssddanbrown commented on GitHub (Dec 15, 2021):

@justSem Awesome!

> It's a bit odd that Authentik would pass the full property name though.

To be fair, ActiveDirectory does the same, I'm pretty sure; wouldn't be too surprised if they've followed suit for compatibility.


@justsem commented on GitHub (Dec 15, 2021):

> @justSem Awesome!
>
> > It's a bit odd that Authentik would pass the full property name though.
>
> To be fair ActiveDirectory does the same I'm pretty sure, Wouldn't be too surprised if they've followed suite for compatibility.

I'll make a PR for some docs this week. At least for Authentik but might be interesting for BookStack as well. Thanks again :)

Reference: starred/BookStack#2531