mirror of
https://github.com/BookStackApp/BookStack.git
synced 2026-07-16 05:33:49 +03:00
SAML Authentication with Authentik #5321
Closed
opened 2026-02-05 09:57:40 +03:00 by OVERLORD
·
2 comments
No Branch/Tag Specified
development
l10n_development
release
snyk-action
ci_and_static
mfa_key
phpstan_june26
MilnerMart/development
GamerClassN7/impersonations-for-admin
Zhey-on/feature/csp-image-css-controls-6033
tortillas5/development
llm_only
vectors
McTom234/oidc-key-algorithms
captcha_example
v26.05.2
v26.05.1
v26.05
v26.03.5
v26.03.4
v26.03.3
v26.03.2
v26.03.1
v26.03
v25.12.9
v25.12.8
v25.12.7
v25.12.6
v25.12.5
v25.12.4
v25.12.3
v25.12.2
v25.12.1
v25.12
v25.11.6
v25.11.5
v25.11.4
v24.11.4
v25.11.3
v25.11.2
v25.11.1
v25.11
v25.07.3
v25.07.2
v25.07.1
v25.07
v25.05.2
v25.05.1
v25.05
v25.02.5
v25.02.4
v25.02.3
v25.02.2
v25.02.1
v25.02
v24.12.1
v24.12
v24.10.3
v24.10.2
v24.10.1
v24.10
v24.05.4
v24.05.3
v24.05.2
v24.05.1
v24.05
v24.02.3
v24.02.2
v24.02.1
v24.02
v23.12.3
v23.12.2
v23.12.1
v23.12
v23.10.4
v23.10.3
v23.10.2
v23.10.1
v23.10
v23.08.3
v23.08.2
v23.08.1
v23.08
v23.06.2
v23.06.1
v23.06
v23.05.2
v23.05.1
v23.05
v23.02.3
v23.02.2
v23.02.1
v23.02
v23.01.1
v23.01
v22.11.1
v22.11
v22.10.2
v22.10.1
v22.10
v22.09.1
v22.09
v22.07.3
v22.07.2
v22.07.1
v22.07
v22.06.2
v22.06.1
v22.06
v22.04.2
v22.04.1
v22.04
v22.03.1
v22.03
v22.02.3
v22.02.2
v22.02.1
v22.02
v21.12.5
v21.12.4
v21.12.3
v21.12.2
v21.12.1
v21.12
v21.11.3
v21.11.2
v21.11.1
v21.11
v21.10.3
v21.10.2
v21.10.1
v21.10
v21.08.6
v21.08.5
v21.08.4
v21.08.3
v21.08.2
v21.08.1
v21.08
v21.05.4
v21.05.3
v21.05.2
v21.05.1
v21.05
v21.04.6
v21.04.5
v21.04.4
v21.04.3
v21.04.2
v21.04.1
v21.04
v0.31.8
v0.31.7
v0.31.6
v0.31.5
v0.31.4
v0.31.3
v0.31.2
v0.31.1
v0.31.0
v0.30.7
v0.30.6
v0.30.5
v0.30.4
v0.30.3
v0.30.2
v0.30.1
v0.30.0
v0.29.3
v0.29.2
v0.29.1
v0.29.0
v0.28.3
v0.28.2
v0.28.1
v0.28.0
v0.27.5
v0.27.4
v0.27.3
v0.27.2
v0.27.1
v0.27
v0.26.4
v0.26.3
v0.26.2
v0.26.1
v0.26.0
v0.25.5
v0.25.4
v0.25.3
v0.25.2
v0.25.1
v0.25.0
v0.24.3
v0.24.2
v0.24.1
v0.24.0
v0.23.2
v0.23.1
v0.23.0
v0.22.0
v0.21.0
v0.20.3
v0.20.2
v0.20.1
v0.20.0
v0.19.0
v0.18.5
v0.18.4
v0.18.3
v0.18.2
v0.18.1
v0.18.0
v0.17.4
v0.17.3
v0.17.2
v0.17.1
v0.17.0
v0.16.3
v0.16.2
v0.16.1
v0.16.0
v0.15.3
v0.15.2
v0.15.1
v0.15.0
v0.14.3
v0.14.2
v0.14.1
v0.14.0
v0.13.1
v0.13.0
v0.12.2
v0.12.1
v0.12.0
v0.11.2
v0.11.1
v0.11.0
v0.10.0
v0.9.3
v0.9.2
v0.9.1
v0.9.0
v0.8.2
v0.8.1
v0.8.0
v0.7.6
v0.7.5
v0.7.4
v0.7.3
0.7.2
v.0.7.1
v0.7.0
v0.6.3
v0.6.2
v0.6.1
v0.6.0
v0.5.0
Labels
Clear labels
🎨 Design
📖 Docs Update
🐛 Bug
🐛 Bug
:cat2:🐈 Possible duplicate
💿 Database
☕ Open to discussion
💻 Front-End
🐕 Support
🚪 Authentication
🌍 Translations
🔌 API Task
🏭 Back-End
⛲ Upstream
🔨 Feature Request
🛠️ Enhancement
🛠️ Enhancement
🛠️ Enhancement
❤️ Happy feedback
🔒 Security
🔍 Pending Validation
💆 UX
📝 WYSIWYG Editor
🌔 Out of scope
🔩 API Request
:octocat: Admin/Meta
🖌️ View Customization
❓ Question
🚀 Priority
🛡️ Blocked
🚚 Export System
♿ A11y
🔧 Maintenance
> Markdown Editor
pull-request
Mirrored from GitHub Pull Request
No Label
🐕 Support
Milestone
No items
No Milestone
Projects
Clear projects
No project
Notifications
Due Date
No due date set.
Dependencies
No dependencies set.
Reference: starred/BookStack#5321
Reference in New Issue
Block a user
Blocking a user prevents them from interacting with repositories, such as opening or commenting on pull requests or issues. Learn more about blocking a user.
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Originally created by @qschweitzer on GitHub (Jun 18, 2025).
Attempted Debugging
Searched GitHub Issues
Describe the Scenario
Hi,
I found no issue about SAML authentication to Bookstack with Authentik.
Authentik has an excellent documentation about how to take it in place: https://docs.goauthentik.io/integrations/services/bookstack/
Context: I'm hardenning my authentication with a fresh new installed internal ISP/SSO called Authentik.
My Bookstack (prod) actually use OIDC directly from Microsoft Entra (Azure AD).
We have many users using Bookstack and I'm testing the authentication on a staging release of bookstack, with imported database. All is working well on staging after database import.
Issue: documentation not working with Authentik
BUT, if you follow this doc from start to end, it doesn't work with existing users.
The key mapping value on bookstack is "External Authentication ID".
In the Authentik doc, and same on Bookstack doc about SAML, the value is "uid".
I did a lot of research, then try a "last chance" before opening a SR here.
I finally try to change email of existing test user to my-old-email@domain, then re-enabling SAML.
A new account was created, bad news, bu on that newer user account I found the "External Authentication ID": it was my email...
At the begining I thought it was an error, a bad value automatically injected by my password manager. But I tested it next, I type my email on original user as "External Authentication ID" and then: OOoooh it works !
So, I don't know why, I don't know how, but now it works.
And yeah I simply post this SR as an experience if anyone else have to fix this issue.
But I'm really interested to know why Bookstack have to use email, SAML/OIDC or very complicated to understand.
Bye.
Exact BookStack Version
BookStack v25.05
Log Content
Hosting Environment
OS: Flatcar Linux
SSO/ISP: Authentik 2025.6.2
@ssddanbrown commented on GitHub (Jun 18, 2025):
Hi @qschweitzer,
I'd be happy to confirm, but I'm a little confused since you mentioned multiple auth options, and values, and I'm a bit lost between them.
I'm assuming you're now using the following options with the shown values:
If so, and you're seeing the user email end up in the user "External Authentication ID" field, then that means your auth provider is providing the email for the
uidvalue. You can temporarily enable aSAML2_DUMP_USER_DETAILS=trueoption to see what details are coming from your auth provider. (this will block logins though and display details to the browser, so only use this temporarily).That all depends on your previous configuration. If there's an attempted BookStack login/registration for an existing user who's email already exists, BookStack won't match those up if the "External Authentication ID" field does not match the ID from the auth provider, since that would be suspicious. When changing auth providers, You'd either need to align the attributes/values used for the user ID across platforms, or update the "External Authentication ID" field for all existing users to match the ID used in the new system.
Typically email address doesn't make a great ID, since email addresses can change.
If it helps, I do have a video on Authentik use with BookStack, although it's OIDC specific: https://www.youtube.com/watch?v=M1_WPhR4hRc
@qschweitzer commented on GitHub (Jul 3, 2025):
Hi Dan,
Many thanks for your reply and sorry to my late reply.
Uh, yes I understand the confusion effect of my post.
Both documentation of Authentik and Bookstack are clear, I could understand both of them without question.
But it seems to have a bug in Authentik communication with Bookstack when using SAML.
With your recommandation, I switch to OpenID mode and there is absolutely no issue after that and following your video.
So...just use OpenID :)
I didn't saw on the first Authentik doc reading that there are two tab, one per mode.
Thank you, it's a quickly closed case.
And many thanks for Bookstack, awesome tool !