Authentication Failure with SAML Provider #3467

Closed
opened 2026-02-05 06:48:28 +03:00 by OVERLORD · 5 comments

Originally created by @dkanada on GitHub (Jan 23, 2023).

Describe the Bug

I'm unable to authenticate with SAML due to an unknown error. Thanks to some moderate debugging I was able to narrow it down to [this exact line](https://github.com/BookStackApp/BookStack/blob/development/app/Http/Controllers/Auth/Saml2Controller.php#L113) but I'm not sure where to go from there. Essentially, it looks like the ACS ID is null for some reason, causing the cache key and subsequent SAML response to end up empty and redirect back to the login page. I can definitely see that the initial request to `/saml2/acs` is redirected to `/saml2/acs?id=ABCD` so by all accounts the ID *should* exist. I've tried a mix of SAML configurations both within BookStack and Keycloak (which is my IDP at the moment) and nothing seems to help, so hopefully someone can point me in the right direction.

Steps to Reproduce

  1. Navigate to the login page
  2. Click on Login with SSO button
  3. Run through SSO process
  4. Receive login error notification

Expected Behaviour

Login completes successfully or a more descriptive error is provided.

Screenshots or Additional Context

No response

Browser Details

Firefox 109

Exact BookStack Version

BookStack 22.11.1

PHP Version

PHP 8.1

Hosting Environment

I'm using a custom Docker image with an HTTPS proxy but I think it's related to the SAML specification.

OVERLORD added the 🐛 Bug label 2026-02-05 06:48:28 +03:00

@dkanada commented on GitHub (Jan 23, 2023):

Just tried to print the request object and was able to confirm the path looks like `/saml2/acs?id=ABCD` whereas trying to print `request->get('id', 'null')` will output null... I feel like this might be completely unrelated to SAML at this point. I haven't tried the local authentication provider yet so I'll try that next to narrow down the issue.


@dkanada commented on GitHub (Jan 23, 2023):

Local authentication works fine and I found two ([one](https://github.com/BookStackApp/BookStack/issues/3510) and [two](https://github.com/BookStackApp/BookStack/issues/3338)) issues with the same error notification. Both seem to point towards a SAML misconfiguration either within my BookStack or Keycloak instance, but the tests from my previous comment might indicate something with the session backend? I have very little experience with PHP so I'll be stepping away for a few days to clear my thoughts.


@ssddanbrown commented on GitHub (Jan 23, 2023):

It would be useful to know the exact method used to establish the findings/confirmations in your previous comment from 11 hours ago, just to be sure of the scenario to avoid looking in the wrong place.

If [this line](https://github.com/BookStackApp/BookStack/blob/1c2ae7bff6b00fbbba826a413a658978f87c8285/app/Http/Controllers/Auth/Saml2Controller.php#L103) is definitely resulting in `null`, then my best guess is that query strings are not being properly passed to BookStack, which I've seen a few times in the past, commonly with certain nginx configs. Could be at the proxy layer or within the container in your described scenario.


@dkanada commented on GitHub (Jan 24, 2023):

It was definitely the nginx configuration, thanks for the pointer! Query strings weren't getting passed to php-fpm which broke the SAML authentication but not the local one.

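The diagnosis in this thread (query strings silently not reaching BookStack because of the nginx layer, which breaks the `/saml2/acs?id=...` hop but leaves password login working) is easy to check statically. The script below is an added example, not code from the BookStack project or from either participant. It parses a vhost and reports the two places where a query string can go missing before php-fpm sees it: a `try_files` fallback such as `/index.php` written without `?$query_string`, and a fastcgi location that never passes `QUERY_STRING`. It assumes nginx's behaviour that the `try_files` fallback URI replaces the request arguments with whatever follows its `?` (nothing, if there is none), and that the stock `fastcgi_params` / `fastcgi.conf` files are unmodified and still contain `fastcgi_param QUERY_STRING $query_string;`. The two vhost snippets are constructed for the example; neither is the reporter's actual configuration.

```python
"""Static check of an nginx vhost for the places where a request's query string
can be dropped before php-fpm sees it. Added example, not BookStack project code."""
import re

# Variables whose presence means the original request arguments are forwarded.
ARGS_VARS = ("$query_string", "$args")

# Stock nginx ships both files with `fastcgi_param QUERY_STRING $query_string;`.
# Assumption: they have not been edited in the image being checked.
STOCK_PARAM_FILES = ("fastcgi_params", "fastcgi.conf")


def parse(text):
    """Parse nginx config text into nested (name, args, children) triples.
    children is None for simple directives. Comments are stripped and values are
    split on whitespace, which is enough for vhost files like these."""
    text = re.sub(r"#[^\n]*", "", text)
    tokens = re.findall(r"[{};]|[^\s{};]+", text)
    root, stack, cur = [], [], []
    stack.append(root)
    for tok in tokens:
        if tok == "{":
            block = (cur[0], cur[1:], [])
            stack[-1].append(block)
            stack.append(block[2])
            cur = []
        elif tok == "}":
            stack.pop()
        elif tok == ";":
            stack[-1].append((cur[0], cur[1:], None))
            cur = []
        else:
            cur.append(tok)
    return root


def _passes_query_string(scope):
    """scope: directives visible from the fastcgi location (enclosing blocks first).
    An explicit QUERY_STRING param is what the admin wrote, so it takes priority;
    otherwise an include of a stock params file is taken as sufficient."""
    explicit = [args for name, args, _ in scope
                if name == "fastcgi_param" and args and args[0] == "QUERY_STRING"]
    if explicit:
        return any(v in " ".join(explicit[-1][1:]) for v in ARGS_VARS)
    return any(name == "include" and args
               and args[0].rsplit("/", 1)[-1] in STOCK_PARAM_FILES
               for name, args, _ in scope)


def find_query_string_gaps(text):
    """Return human-readable findings; an empty list means nothing suspicious."""
    findings = []

    def visit(directives, inherited):
        for name, args, children in directives:
            if name == "try_files" and args:
                fallback = args[-1]
                # Named locations (@app) and status codes (=404) are not URIs, and a
                # non-PHP fallback never reaches php-fpm. A PHP fallback without
                # ?$query_string makes the internal redirect carry no arguments.
                if (".php" in fallback and not fallback.startswith(("@", "="))
                        and not any(v in fallback for v in ARGS_VARS)):
                    findings.append(f"try_files fallback {fallback!r} drops the "
                                    f"query string; use {fallback}?$query_string")
            if children is not None:
                scope = inherited + children
                if (any(n == "fastcgi_pass" for n, _, _ in children)
                        and not _passes_query_string(scope)):
                    findings.append(f"{name} {' '.join(args)}: "
                                    "no QUERY_STRING is passed to php-fpm")
                visit(children, scope)

    visit(parse(text), [])
    return findings


# Constructed vhosts for the example; neither is a real deployment's config.
BROKEN_CONF = """
server {
    listen 80;
    root /var/www/bookstack/public;
    index index.php;
    location / {
        try_files $uri $uri/ /index.php;   # fallback without ?$query_string
    }
    location ~ \\.php$ {
        fastcgi_pass unix:/run/php/php-fpm.sock;
        # hand-picked params, QUERY_STRING never set
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param REQUEST_METHOD $request_method;
    }
}
"""

FIXED_CONF = """
server {
    listen 80;
    root /var/www/bookstack/public;
    index index.php;
    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }
    location ~ \\.php$ {
        include fastcgi_params;
        fastcgi_pass unix:/run/php/php-fpm.sock;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }
}
"""

if __name__ == "__main__":
    for label, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        print(label, find_query_string_gaps(conf) or "ok")
```

The runtime equivalent, when the config is not to hand, is a throwaway PHP file that prints `$_SERVER['QUERY_STRING']`, requested through the same proxy chain with `?id=test`: if it prints nothing, the `id` parameter on `/saml2/acs?id=...` will be lost in exactly the same way. Note that `fastcgi_param` directives are only inherited from an enclosing block when the location defines none of its own; the checker merges both levels and so is slightly permissive there.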

@ssddanbrown commented on GitHub (Jan 24, 2023):

Awesome, good to hear you found the cause and thanks for confirming back the status!

Reference: starred/BookStack#3467