Deny Logins with SAML #3511

Closed
opened 2026-02-05 06:56:36 +03:00 by OVERLORD · 2 comments

Originally created by @dslater82 on GitHub (Feb 16, 2023).

Attempted Debugging

  • I have read the debugging page

Searched GitHub Issues

  • I have searched GitHub for the issue.

Describe the Scenario

I have a BookStack instance set up with SAML. Is there a way to deny logins if they do not have an account in BookStack? We have 60,000 users who can log in with SAML and don't want users we don't specify to log in. It seems we can do this if using one of the other authentication methods by setting XXXX_AUTO_REGISTER=false. We have another instance using LDAP and I am able to get around this issue by doing

LDAP_USER_FILTER=(&(uid=${user})(memberOf=cn=group_name,ou=group,dc=XXXX,dc=XXXXX,dc=XXXXX))

Exact BookStack Version

23.01.1

Log Content

No response

PHP Version

No response

Hosting Environment

Rocky Linux 8 with PHP 8.2.

OVERLORD added the 🐕 Support label 2026-02-05 06:56:36 +03:00

@ssddanbrown commented on GitHub (Feb 16, 2023):

Yeah, there's no built-in BookStack-side filtering or registration disabling for SAML authentication.
From my experience of playing with SAML platforms for testing, it's common for SAML auth platforms themselves to manage access control to the service provider (in this case BookStack).

You could technically block new registrations via restricting registration email domain (to a random unused email domain), but that may have implications for existing users and when adding new users.


@dslater82 commented on GitHub (Feb 16, 2023):

Thanks. It seems the email domain restriction works. Admins add the user manually with the correct email and then they can log in. Not ideal but it works.


Reference: starred/BookStack#3511