Using SAML SSO (Shibboleth) to create users #3838

Closed
opened 2026-02-05 07:38:11 +03:00 by OVERLORD · 5 comments

Originally created by @cfschulte on GitHub (Jun 7, 2023).

Attempted Debugging

  • I have read the debugging page

Searched GitHub Issues

  • I have searched GitHub for the issue.

Describe the Scenario

I asked a colleague who has been using Shibboleth/SAML2 for login and account creation. As far as we could tell, I have my .env file set up correctly so I think it's something in my system setup. He is using a pre-configured Docker Container, which my department avoids because of security concerns and we would like to avoid that extra layer of abstraction.

I am able to put the bookstack website behind our campus's SSO, but I am sent to a login error page if I set AUTH_METHOD=saml2. Has anyone worked with Shibboleth SSO? I have set SAML2_EMAIL_ATTRIBUTE, SAML2_EXTERNAL_ID_ATTRIBUTE, and SAML2_DISPLAY_NAME_ATTRIBUTES to their respective urn strings, and even uncommented those in the attribute-map.xml file.

I've tried setting the apache shib.conf to both the DocumentRoot, "/", and the login page, "/login". If I set shibboleth directory to /login, I get an interesting error: The POST method is not supported for route Shibboleth.sso/SAML2/POST. Supported methods: GET, HEAD.

Does anybody have experience setting up a Linux apache2/shibboleth server to work with BookStack?

Thanks,
Chris

Exact BookStack Version

v23.05.1

Log Content

No response

PHP Version

8.1.2

Hosting Environment

Ubuntu 22.04
Apache/2.4.52 (Ubuntu)
shibboleth 3.3.0


@ssddanbrown commented on GitHub (Jun 7, 2023):

Hi @cfschulte,
Unfortunately I have no experience with Shibboleth, so I will be blind in being able to properly guide you.

I've tried setting the apache shib.conf to both the DocumentRoot,

From some quick searching, this file seems to be mostly used when Shibboleth is being used as a service-provider, looking like it's built as an apache module to add authentication in some way.
I'd expect BookStack to be the service provider here, directly communicating with your SAML IdP. I would not expect anything SAML built into the webserver side for BookStack specifically.
Can I confirm that you do expect BookStack to be the IdP in this scenario, and Shibboleth is being used as an IdP?


@cfschulte commented on GitHub (Jun 7, 2023):

Thank you @ssddanbrown ,
I have tried to set the SAML2_IDP_ENTITYID to the bookstack server, but it had a problem reading it. It just displays an XML file with this message: "This XML file does not appear to have any style information associated with it. The document tree is shown below."

I set both that and SAML2_IDP_SSO to our central login and it kind of works, but it does not create accounts. This is how the colleague using Docker has the .env set.

I'm not an expert on SAML2. This is the quick description of how our systems are set up:

"The NetID Login Service SAML2 Identity Provider (which runs on Shibboleth) is UW Madison's central Authentication and Authorization service. Application administrators can integrate their web-based applications with NetID Login Service and not have to set up their own authentication and authorization."

I saw you mention in other posts here that you're not really experienced with Shibboleth, so I really appreciate that you took a look at it. My hope is that maybe someone else has gotten this to fully work and can offer insight.


@ssddanbrown commented on GitHub (Jun 10, 2023):

I have tried to set the SAML2_IDP_ENTITYID to the bookstack server,

The SAML2_IDP_ENTITYID bookstack option should not point to the BookStack server; it should point to your IdP system's entityID endpoint (which I assume is NetID/Shibboleth).

I just displays an xml file with this message: "This XML file does not appear to have any style information associated with it. The document tree is shown below."

That is a common browser warning when viewing XML files. It should not really arise or interfere in the server-to-server communication paths of SAML2. If you're trying to view the plain XML to download/copy for IdP usage, you can right-click the page then "View Source".


@cfschulte commented on GitHub (Jun 22, 2023):

@ssddanbrown, I did get this to work, eventually. I am using apache2 and shibboleth SAML on Ubuntu 22.04. I do need both apache2 and shibd running. However, I had to disable apache's shib module and shib.conf, and run SAML directly through BookStack.

I also had to work with the IdP to make sure that everything was in the metadata that needed to be there. For instance, the SAML2_EMAIL_ATTRIBUTE and SAML2_DISPLAY_NAME_ATTRIBUTES URNs were not there by default.

Thanks,
Chris

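As an added example (not BookStack's code, nor anything posted by the participants), a small Python check that encodes the two points settled in this thread: SAML2_IDP_ENTITYID and SAML2_IDP_SSO must come from the IdP's metadata rather than point at the BookStack server, and the attribute URNs BookStack is configured with must actually be published by the IdP. The IdP URLs and the .env are constructed samples; APP_URL is BookStack's base-URL setting, and treating SAML2_DISPLAY_NAME_ATTRIBUTES as a '|'-separated list is an assumption about BookStack's format.

```python
"""Cross-check BookStack SAML2 .env values against the IdP's metadata XML. Added example,
not BookStack project code; URLs are constructed, OIDs are mail/eduPersonPrincipalName/displayName."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" entityID="https://idp.example.edu/idp/shibboleth">
 <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
   Location="https://idp.example.edu/idp/profile/SAML2/Redirect/SSO"/>
  <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3"/>
  <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"/>
 </md:IDPSSODescriptor>
</md:EntityDescriptor>"""
# Constructed .env mirroring the thread's first attempt: entityID aimed at BookStack itself.
BAD_ENV = """APP_URL=https://wiki.example.edu
SAML2_IDP_ENTITYID=https://wiki.example.edu/saml2/metadata
SAML2_IDP_SSO=https://idp.example.edu/idp/profile/SAML2/Redirect/SSO
SAML2_EMAIL_ATTRIBUTE=urn:oid:0.9.2342.19200300.100.1.3
SAML2_EXTERNAL_ID_ATTRIBUTE=urn:oid:1.3.6.1.4.1.5923.1.1.1.6
SAML2_DISPLAY_NAME_ATTRIBUTES=urn:oid:2.16.840.1.113730.3.1.241"""

def parse_env(text):
    """Minimal .env reader: KEY=value lines, optional quotes, '#' comments ignored."""
    pairs = (line.strip().partition("=") for line in text.splitlines())
    return {k.strip(): v.strip().strip("\"'") for k, sep, v in pairs if sep and not k.startswith("#")}

def idp_facts(metadata_xml):
    """entityID, HTTP-Redirect SSO URL and any attributes the IdP advertises in its metadata."""
    root = ET.fromstring(metadata_xml)
    sso = [e.get("Location") for e in root.iterfind(".//md:SingleSignOnService", NS) if e.get("Binding") == REDIRECT]
    return {"entity_id": root.get("entityID"), "sso": sso[0] if sso else None,
            "attrs": {a.get("Name") for a in root.iterfind(".//saml:Attribute", NS)}}

def check_saml_env(env, facts):
    """Return findings (empty = consistent). Assumes BookStack's '|'-separated display-name list."""
    out, eid = [], env.get("SAML2_IDP_ENTITYID", "")
    if urlparse(eid).hostname == urlparse(env.get("APP_URL", "")).hostname:
        out.append("SAML2_IDP_ENTITYID points at the BookStack host, not the IdP")
    if eid != facts["entity_id"]:
        out.append("SAML2_IDP_ENTITYID does not equal the metadata entityID")
    if env.get("SAML2_IDP_SSO") != facts["sso"]:
        out.append("SAML2_IDP_SSO does not equal the HTTP-Redirect SSO Location")
    wanted = [env.get("SAML2_EMAIL_ATTRIBUTE"), env.get("SAML2_EXTERNAL_ID_ATTRIBUTE"),
              *env.get("SAML2_DISPLAY_NAME_ATTRIBUTES", "").split("|")]
    for name in wanted:  # compare against metadata only when the IdP publishes attributes
        if not name or (facts["attrs"] and name not in facts["attrs"]):
            out.append(f"attribute {name!r} is unset or not advertised by the IdP")
    return out
```

Running `check_saml_env(parse_env(BAD_ENV), idp_facts(IDP_METADATA))` reports the entityID aimed at the BookStack host plus the display-name URN the IdP does not publish, the same two gaps the thread had to close.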

@ssddanbrown commented on GitHub (Jun 22, 2023):

Good to hear you got things working!

Reference: starred/BookStack#3838