SAML Metadata Not Available from Metadata URL #5041

Closed
opened 2026-02-05 09:36:01 +03:00 by OVERLORD · 3 comments
Owner

Originally created by @eramnes on GitHub (Nov 5, 2024).

Attempted Debugging

  • I have read the debugging page

Searched GitHub Issues

  • I have searched GitHub for the issue.

Describe the Scenario

We are trying to set up SAML authentication for BookStack, but trying to access the metadata URL results in a blank page if SAML is enabled in the .env file, or redirects to the login page if SAML is not enabled. The BookStack instance appears to work normally if SAML is not configured in the .env (I am able to sign in with a local account, navigate, configure items, etc.), but once SAML is enabled all URLs only load a blank page.

I have enabled APP_DEBUG in the .env file, but there is no laravel.log written to storage/logs, despite the fact I am fairly certain that the nginx user/group has write permissions to that directory:

# ls -alZ
total 4
drwxrwxr-x.  9 gfdcadmin nginx unconfined_u:object_r:httpd_sys_rw_content_t:s0  106 Nov  1 15:48 .
drwxr-xr-x. 16 gfdcadmin nginx unconfined_u:object_r:httpd_sys_content_t:s0    4096 Nov  5 13:28 ..
drwxrwxr-x.  2 gfdcadmin nginx unconfined_u:object_r:httpd_sys_rw_content_t:s0   24 Nov  1 15:48 app
drwxrwxr-x.  2 gfdcadmin nginx unconfined_u:object_r:httpd_sys_rw_content_t:s0   24 Nov  1 15:48 backups
drwxrwxr-x.  2 gfdcadmin nginx unconfined_u:object_r:httpd_sys_rw_content_t:s0   24 Nov  1 15:48 clockwork
drwxrwxr-x.  2 gfdcadmin nginx unconfined_u:object_r:httpd_sys_rw_content_t:s0   24 Nov  1 15:48 fonts
drwxrwxr-x.  5 gfdcadmin nginx unconfined_u:object_r:httpd_sys_rw_content_t:s0   66 Nov  1 15:48 framework
drwxrwxr-x.  2 gfdcadmin nginx unconfined_u:object_r:httpd_sys_rw_content_t:s0   24 Nov  1 15:48 logs
drwxrwxr-x.  4 gfdcadmin nginx unconfined_u:object_r:httpd_sys_rw_content_t:s0   33 Nov  1 15:48 uploads

The only "error" I can see when SAML is enabled is in the nginx access.log, which is a 500 error:

10.133.0.45 - - [05/Nov/2024:13:18:20 +0000] "GET /saml2/metadata HTTP/1.1" 500 5 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:132.0) Gecko/20100101 Firefox/132.0" "-"

If SAML is not enabled, access.log shows a 302 redirect to the login page:

10.133.0.45 - - [05/Nov/2024:13:54:37 +0000] "GET /saml2/metadata HTTP/1.1" 302 378 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:132.0) Gecko/20100101 Firefox/132.0" "-"
10.133.0.45 - - [05/Nov/2024:13:54:38 +0000] "GET / HTTP/1.1" 302 402 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:132.0) Gecko/20100101 Firefox/132.0" "-"
10.133.0.45 - - [05/Nov/2024:13:54:38 +0000] "GET /login HTTP/1.1" 200 8830 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:132.0) Gecko/20100101 Firefox/132.0" "-"

I followed the permissions configuration documentation for the BookStack root directory including the SELinux configuration, and given it seems to be working OK without SAML configured I don't think it's a permission issue but I could be missing something. I did tail the audit.log when attempting to access the metadata URL and didn't see any SELinux denies.

I'm not sure where to go from here as without the metadata XML file we can't get our IDP configured properly, and I can't see any error messages that show me what's going on.

Any assistance that someone can offer would be appreciated.

Exact BookStack Version

v24.10

Log Content

No response

Hosting Environment

# php -version
PHP 8.3.13 (cli) (built: Oct 22 2024 18:39:14) (NTS gcc x86_64)
Copyright (c) The PHP Group
Zend Engine v4.3.13, Copyright (c) Zend Technologies
# cat /etc/redhat-release
Red Hat Enterprise Linux release 9.4 (Plow)
# nginx -version
nginx version: nginx/1.20.1
# mysql --version
mysql  Ver 15.1 Distrib 10.5.22-MariaDB, for Linux (x86_64) using  EditLine wrapper

BookStack was installed using the manual install method from the documentation to /var/www/bookstack. File permissions were assigned based on the filesystems permission documentation. There is no proxy used on this machine. It is a "Standard B2s" VM hosted in Azure. BookStack/nginx is using HTTPS.

OVERLORD added the 🐕 Support label 2026-02-05 09:36:01 +03:00

@ssddanbrown commented on GitHub (Nov 5, 2024):

Hi @eramnes

> but once SAML is enabled all URLs only load a blank page.

That generally indicates an issue with option formatting in the .env file.
Ensure options are formatted properly, ensuring any value which contains spaces or hashes is wrapped in quotes, for example:

SAML2_NAME="My login option"
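A small lint for the `.env` quoting rule described above, added here as an example (my code, not BookStack's). It assumes the usual dotenv conventions that an unquoted value may not contain whitespace and that an unquoted `#` starts a comment which truncates the value; the `.env` lines it checks are constructed, with the first `SAML2_NAME` line reproducing the unquoted-space misconfiguration from this issue.

```python
import re

# Constructed .env fragment: SAML2_NAME is unquoted and contains spaces,
# which is the misconfiguration behind the blank pages in this issue.
BROKEN_ENV = """\
APP_DEBUG=true
AUTH_METHOD=saml2
SAML2_NAME=My login option
SAML2_IDP_ENTITYID=https://idp.example.com/metadata
"""

# The same fragment with the value quoted, as the maintainer recommends.
FIXED_ENV = BROKEN_ENV.replace('SAML2_NAME=My login option',
                               'SAML2_NAME="My login option"')


def lint_env(text):
    """Return (key, reason) pairs for values that need quoting (assumed dotenv rules)."""
    problems = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#') or '=' not in line:
            continue  # blank line, comment, or not a KEY=value assignment
        key, value = line.split('=', 1)
        key = key.strip()
        if value[:1] in ('"', "'"):
            # Quoted value: only complain if the closing quote is missing.
            if len(value) < 2 or not value.rstrip().endswith(value[0]):
                problems.append((key, 'unterminated quote'))
            continue
        if re.search(r'\s', value.strip()):
            problems.append((key, 'unquoted value contains whitespace'))
        elif '#' in value:
            problems.append((key, "unquoted '#' truncates the value"))
    return problems


def quote_env(text):
    """Rewrite the text so every value flagged by lint_env is wrapped in double quotes."""
    flagged = {k for k, _ in lint_env(text)}
    out = []
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith('#') and '=' in line:
            key, value = line.split('=', 1)
            if key.strip() in flagged and value[:1] not in ('"', "'"):
                escaped = value.replace('\\', '\\\\').replace('"', '\\"')
                raw = f'{key}="{escaped}"'
        out.append(raw)
    return '\n'.join(out) + '\n'
```

Running `lint_env` over a `.env` before restarting PHP-FPM catches this class of problem up front, which matters here because the parse failure happens before Laravel's logging is configured, so nothing reaches `storage/logs`.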

@eramnes commented on GitHub (Nov 5, 2024):

@ssddanbrown

Thank you for the info. You were correct on this, there was a space in the SAML2_NAME field which after quoting has resolved the issue. Sorry to have taken up your time for such a simple misconfiguration, I should have double-checked that to begin with.

Have a good rest of your day and thanks for the assistance!


@ssddanbrown commented on GitHub (Nov 5, 2024):

No worries, happy you found the problem!

Reference: starred/BookStack#5041