SAML SLS Logout #3458

New Issue

OVERLORD · 2026-02-05T06:46:56+03:00

OVERLORD commented

2026-02-05 06:46:56 +03:00

Originally created by @knuz92 on GitHub (Jan 18, 2023).

Attempted Debugging

I have read the debugging page

Searched GitHub Issues

I have searched GitHub for the issue.

Describe the Scenario

I use simplesamlphp for my SSO server. It is located on "sso.n.domain1.at". The BookStack instance is on "brain.domain2.at".

When I log in via SAML, everything works fine. Logging out via BookStack directly also works fine.

But when I logout via SAML SLS -> SAML sends a request to BookStack, it tries to delete the cookies, which is not possible because the browser does not change them for security reasons. (CSRF)

Why doesn't BookStack just delete the session server side? Is this a bug or do i have a configuration error there?

BookStack instances on the same Domain are working with fine SLS -> the Browser deletes the Cookies.

Exact BookStack Version

22.11.1

Log Content

BookStack Config:

AUTH_METHOD=saml2
AUTH_AUTO_INITIATE=true
SAML2_NAME="MY Login"
SAML2_EMAIL_ATTRIBUTE=mail
SAML2_EXTERNAL_ID_ATTRIBUTE=username
SAML2_DISPLAY_NAME_ATTRIBUTES=fullname
SAML2_IDP_ENTITYID=https://sso.n.domain1.at/sso/saml2/idp/metadata.php
SAML2_AUTOLOAD_METADATA=false
SAML2_IDP_SSO=https://sso.n.domain1.at/sso/saml2/idp/SSOService.php
SAML2_IDP_SLO=https://sso.n.domain1.at/sso/saml2/idp/SingleLogoutService.php
SAML2_IDP_x509="-----BEGIN CERTIFICATE-----
CRT HERE
-----END CERTIFICATE-----"
SAML2_USER_TO_GROUPS=true
SAML2_GROUP_ATTRIBUTE=groups
SAML2_REMOVE_FROM_GROUPS=true

Config SAML SP Remote:

$metadata['https://brain.domain2.at/saml2/metadata'] = [
'AssertionConsumerService' => 'https://brain.domain2.at/saml2/acs',
'SingleLogoutService' => 'https://brain.domain2.at/saml2/sls',
'simplesaml.nameidattribute' => 'username',
'simplesaml.attributes' => true,
'attributes' => [SOME ATTR HERE],
'NameIDFormat' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
];

Browser blocks cookies:

PHP Version

8.1

Hosting Environment

Debian 11 with apache2

Originally created by @knuz92 on GitHub (Jan 18, 2023). ### Attempted Debugging - [X] I have read the debugging page ### Searched GitHub Issues - [X] I have searched GitHub for the issue. ### Describe the Scenario I use simplesamlphp for my SSO server. It is located on "sso.n.domain1.at". The BookStack instance is on "brain.domain2.at". When I log in via SAML, everything works fine. Logging out via BookStack directly also works fine. But when I logout via SAML SLS -> SAML sends a request to BookStack, it tries to delete the cookies, which is not possible because the browser does not change them for security reasons. (CSRF) Why doesn't BookStack just delete the session server side? Is this a bug or do i have a configuration error there? BookStack instances on the same Domain are working with fine SLS -> the Browser deletes the Cookies. ### Exact BookStack Version 22.11.1 ### Log Content # BookStack Config: AUTH_METHOD=saml2 AUTH_AUTO_INITIATE=true SAML2_NAME="MY Login" SAML2_EMAIL_ATTRIBUTE=mail SAML2_EXTERNAL_ID_ATTRIBUTE=username SAML2_DISPLAY_NAME_ATTRIBUTES=fullname SAML2_IDP_ENTITYID=https://sso.n.domain1.at/sso/saml2/idp/metadata.php SAML2_AUTOLOAD_METADATA=false SAML2_IDP_SSO=https://sso.n.domain1.at/sso/saml2/idp/SSOService.php SAML2_IDP_SLO=https://sso.n.domain1.at/sso/saml2/idp/SingleLogoutService.php SAML2_IDP_x509="-----BEGIN CERTIFICATE----- CRT HERE -----END CERTIFICATE-----" SAML2_USER_TO_GROUPS=true SAML2_GROUP_ATTRIBUTE=groups SAML2_REMOVE_FROM_GROUPS=true ----------------------- # Config SAML SP Remote: $metadata['https://brain.domain2.at/saml2/metadata'] = [ 'AssertionConsumerService' => 'https://brain.domain2.at/saml2/acs', 'SingleLogoutService' => 'https://brain.domain2.at/saml2/sls', 'simplesaml.nameidattribute' => 'username', 'simplesaml.attributes' => true, 'attributes' => [SOME ATTR HERE], 'NameIDFormat' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST', ]; -------------------------- # Browser blocks cookies: ![Bildschirmfoto 2023-01-18 um 09 59 48](https://user-images.githubusercontent.com/10095962/213128550-be177ae4-cc1c-4a28-b4b2-7463e176b26e.png) ![Bildschirmfoto 2023-01-18 um 10 00 36](https://user-images.githubusercontent.com/10095962/213128555-69108456-81d0-44cf-a8c9-655538dbb223.png) ### PHP Version 8.1 ### Hosting Environment Debian 11 with apache2

OVERLORD added the 🐕 Support label 2026-02-05 06:46:56 +03:00

OVERLORD closed this issue

2026-02-05 06:47:01 +03:00

OVERLORD commented

2026-02-05 06:47:05 +03:00

@ssddanbrown commented on GitHub (Jan 18, 2023):

Hi @knuz92,
I must admit, I've been away from the specific of SAML2 for a while so can't remember exactly what we support but I'll try my best to answer from memory.

Why doesn't BookStack just delete the session server side? Is this a bug or do i have a configuration error there?

BookStack does refresh the session server-side, but I think this would still provide cookies back so that a new session can be connected up.

Do you know if the logout request is loading via an iframe?
I have a feeling it is, making the logout request third-party and therefore any existing session cookies are not sent with the request, and therefore the session cannot be identified to be destroyed/refreshed on the BookStack side.

That would make sense since you say this works when on the same domain.

It may be possible that we could support other single logout schemes (Back-channel, alternative session identification) but It'd require time to investigate the options out there and their support by IDPs, to determine what's possible and if it's worthwihle to pursue & support.

@ssddanbrown commented on GitHub (Jan 18, 2023): Hi @knuz92, I must admit, I've been away from the specific of SAML2 for a while so can't remember exactly what we support but I'll try my best to answer from memory. > Why doesn't BookStack just delete the session server side? Is this a bug or do i have a configuration error there? BookStack does refresh the session server-side, but I think this would still provide cookies back so that a new session can be connected up. Do you know if the logout request is loading via an iframe? I have a feeling it is, making the logout request third-party and therefore any existing session cookies are not sent with the request, and therefore the session cannot be identified to be destroyed/refreshed on the BookStack side. That would make sense since you say this works when on the same domain. It may be possible that we could support other single logout schemes (Back-channel, alternative session identification) but It'd require time to investigate the options out there and their support by IDPs, to determine what's possible and if it's worthwihle to pursue & support.

OVERLORD commented

2026-02-05 06:47:11 +03:00

@ssddanbrown commented on GitHub (Jan 26, 2023):

Since there's been no follow-up I'm going to close this. If the issue remains and is something you still require to be fixed respond to my previous comment and this can then be re-opened.

@ssddanbrown commented on GitHub (Jan 26, 2023): Since there's been no follow-up I'm going to close this. If the issue remains and is something you still require to be fixed respond to my previous comment and this can then be re-opened.

Sign in to join this conversation.

Branches Tags

1 Participants

Notifications

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: starred/BookStack#3458