SSO/SAML login for Windows Hello enrolled users fails #5514

Open
opened 2026-02-05 10:08:01 +03:00 by OVERLORD · 4 comments

Originally created by @schluis96 on GitHub (Nov 21, 2025).

Describe the Bug

We have Entra SAML login enabled for BookStack, which works fine.

However, we noticed that users who are enrolled in Windows Hello and have logged in with a Hello method (PIN, biometrics) on their computer receive an AADSTS75011 error. They cannot log in with SSO.

In a browser not passing Windows Authentication, SSO still works.

Full error message:

AADSTS75011: Authentication method 'X509, MultiFactor, X509Device' by which the user authenticated with the service doesn't match requested authentication method 'Password, ProtectedTransport'. Contact the BookStack application owner.

I have seen issue https://github.com/BookStackApp/BookStack/issues/5660 and tried both of the options. See the screenshots.

Steps to Reproduce

  1. Working Docker BookStack in Azure App Service
  2. SAML configured with our company Entra AD
  3. Log in with username/password credentials into Windows
  4. SAML SSO login to BookStack works fine
  5. Log out of Windows
  6. Log in with Windows Hello using e.g. PIN or biometrics
  7. SAML SSO login to BookStack fails

Expected Behaviour

SSO login when using Windows Hello should also work
What environment variables should be set up in the Docker Compose to allow this?

Screenshots or Additional Context

(Three screenshots attached, showing the .env configuration.)

Browser Details

Microsoft Edge version 142.0.03595.90, 64-bit

Exact BookStack Version

v24.10.2

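The AADSTS75011 text quotes the method the service provider asked for ('Password, ProtectedTransport'); that requirement comes from the RequestedAuthnContext element in the SAML AuthnRequest the application sends, and php-saml (the library BookStack's SAML login uses) sends an exact PasswordProtectedTransport request by default. A quick way to confirm what a deployment is actually sending is to decode the SAMLRequest parameter from the redirect to Entra. The script below is an added example, not part of this report or of BookStack; the sample requests are constructed to match the shape php-saml emits, and the IDs and URLs in them are made up.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import unquote

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
PPT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"


def decode_redirect_samlrequest(samlrequest_param: str) -> str:
    """Decode the SAMLRequest query parameter of the HTTP-Redirect binding.

    The value is URL-encoded base64 over raw DEFLATE (no zlib header), hence wbits=-15.
    """
    raw = base64.b64decode(unquote(samlrequest_param))
    return zlib.decompress(raw, -15).decode("utf-8")


def requested_authn_context(authn_request_xml: str):
    """Return (Comparison, [AuthnContextClassRef...]) from the AuthnRequest,
    or (None, []) when the SP sends no RequestedAuthnContext at all."""
    root = ET.fromstring(authn_request_xml)
    rac = root.find("samlp:RequestedAuthnContext", NS)
    if rac is None:
        return None, []
    comparison = rac.get("Comparison", "exact")  # SAML default when omitted
    refs = [e.text.strip() for e in rac.findall("saml:AuthnContextClassRef", NS) if e.text]
    return comparison, refs


def diagnose(samlrequest_param: str) -> str:
    """Classify what the SP demands of the IdP, in AADSTS75011 terms."""
    comparison, refs = requested_authn_context(decode_redirect_samlrequest(samlrequest_param))
    if not refs:
        return "no RequestedAuthnContext: the IdP may satisfy the request with any method"
    if comparison == "exact" and refs == [PPT]:
        return ("exact PasswordProtectedTransport required: a session authenticated "
                "with X509/MultiFactor (Windows Hello) will not match")
    return f"Comparison={comparison} refs={refs}"


# --- constructed sample data (not captured traffic) ---------------------------

def encode_redirect_samlrequest(xml_text: str) -> str:
    """Inverse of decode_redirect_samlrequest; used here only to build samples."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    data = comp.compress(xml_text.encode("utf-8")) + comp.flush()
    return base64.b64encode(data).decode("ascii")


def sample_authn_request(with_context: bool) -> str:
    """Minimal AuthnRequest in the shape php-saml emits; IDs and URLs are made up."""
    rac = ""
    if with_context:
        rac = (
            '<samlp:RequestedAuthnContext Comparison="exact">'
            f"<saml:AuthnContextClassRef>{PPT}</saml:AuthnContextClassRef>"
            "</samlp:RequestedAuthnContext>"
        )
    return (
        '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        'ID="_constructed-request-id" Version="2.0" '
        'IssueInstant="2025-11-21T10:00:00Z" '
        'AssertionConsumerServiceURL="https://wiki.example.test/saml2/acs">'
        "<saml:Issuer>https://wiki.example.test/saml2/metadata</saml:Issuer>"
        f"{rac}</samlp:AuthnRequest>"
    )


if __name__ == "__main__":
    for with_ctx in (True, False):
        param = encode_redirect_samlrequest(sample_authn_request(with_ctx))
        print(diagnose(param))
```

To use it against a real deployment, copy the `SAMLRequest=` value from the redirect URL the browser is sent to (the network tab of the developer tools shows it) and pass it to `diagnose()`; if the output reports an exact PasswordProtectedTransport requirement, the change made in `.env` has not reached the running container, which is what to verify before looking anywhere else.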
OVERLORD added the 🐕 Support label 2026-02-05 10:08:01 +03:00
@ssddanbrown commented on GitHub (Nov 21, 2025):

Hi @schluis96,
Have you read https://github.com/BookStackApp/BookStack/issues/5660 which covers the same thing?

@ssddanbrown commented on GitHub (Nov 21, 2025):

Ah, I see you have.

How are you setting `.env` options, and how are you running BookStack? What's the method of installation used?

@schluis96 commented on GitHub (Nov 21, 2025):

Yes sir, I have tested both configurations and neither of them is working.

@schluis96 commented on GitHub (Nov 21, 2025):

We have used the code, built the Docker image, and deployed it to the App Service. I have attached screenshots of the .env configuration, and I have tested both options.

Dockerfile

```dockerfile
# PHP 8.3 with Apache as the base image
FROM php:8.3-apache

# System packages needed to build the PHP extensions below, plus git/zip/curl
# and an SSH server (used for the Azure App Service SSH console on port 2222)
RUN apt-get update && apt-get install -y \
    git \
    unzip \
    libpng-dev \
    libjpeg-dev \
    libfreetype6-dev \
    libonig-dev \
    libxml2-dev \
    zip \
    curl \
    dialog \
    openssh-server

# Root password for the App Service SSH console (Azure expects exactly root:Docker!)
RUN echo "root:Docker!" | chpasswd

# Build the GD extension with FreeType and JPEG support
RUN docker-php-ext-configure gd --with-freetype --with-jpeg \
    && docker-php-ext-install -j$(nproc) gd

# Other PHP extensions BookStack needs
RUN docker-php-ext-install -j$(nproc) pdo_mysql mbstring xml dom opcache

# Install Composer
RUN curl -sS https://getcomposer.org/installer | php -- --install-dir=/usr/local/bin --filename=composer

# Build argument selecting the environment (testing / production / anything else = local)
ARG APP_ENV

# Persist it as an environment variable at runtime
ENV APP_ENV=${APP_ENV}

# Configure Apache for the selected environment: point DocumentRoot at public/,
# allow .htaccess overrides there, set the ServerName and quieten logging.
# Only the ServerName differs per environment, so it is chosen first and the
# same sed edits run for every branch.
RUN if [ "$APP_ENV" = "testing" ]; then \
        SERVER_NAME="wiki-test.fibermancha.es"; \
    elif [ "$APP_ENV" = "production" ]; then \
        SERVER_NAME="wiki.fibermancha.es"; \
    else \
        SERVER_NAME="localhost"; \
    fi \
    && echo "Configuring Apache for APP_ENV='${APP_ENV}' with ServerName ${SERVER_NAME}" \
    && sed -i 's|DocumentRoot /var/www/html|DocumentRoot /var/www/html/public|g' /etc/apache2/sites-available/000-default.conf \
    && sed -i '/DocumentRoot/a <Directory /var/www/html/public>\n    AllowOverride All\n    Require all granted\n</Directory>' /etc/apache2/sites-available/000-default.conf \
    && sed -i "/ServerAdmin/a ServerName ${SERVER_NAME}" /etc/apache2/sites-available/000-default.conf \
    && sed -i 's|LogLevel .*|LogLevel warn|g' /etc/apache2/sites-available/000-default.conf

# Enable mod_rewrite for BookStack's .htaccess rules
RUN a2enmod rewrite

# Working directory
WORKDIR /var/www/html

# Copy the local repository checkout (including .env, checked below) into the container
COPY . /var/www/html

# composer update rewrites composer.lock to the newest allowed versions;
# the composer install further down then installs what the lock records
RUN composer update --no-dev --optimize-autoloader

# Let git operate on the copied repository despite the ownership mismatch
RUN git config --global --add safe.directory /var/www/html

# Clear Composer's cache and install the locked dependencies
RUN composer clear-cache \
    && composer install --no-dev --optimize-autoloader

# Show the APP_ENV value in the build log
RUN echo "APP_ENV is: $APP_ENV"

# List the files to check that .env is present
RUN ls -la /var/www/html

# Fail the build if .env was not copied in
RUN if [ ! -f /var/www/html/.env ]; then \
        echo ".env was not copied correctly"; \
        exit 1; \
    else \
        echo ".env is present"; \
    fi

# Dump .env for debugging. Note: this writes every value in it (APP_KEY,
# database password, SAML settings) into the build log and the image history.
RUN echo ".env contents:" && cat /var/www/html/.env

# List the files again after the .env check
RUN ls -la /var/www/html

# Generate APP_KEY; --force overwrites any key already set in .env
RUN php artisan key:generate --force

# Make the writable directories owned by the Apache user
RUN chown -R www-data:www-data storage bootstrap/cache public/uploads

# SSH daemon config and container entrypoint
COPY sshd_config /etc/ssh/
COPY entrypoint.sh ./
RUN chmod u+x ./entrypoint.sh

# Ports for the application and the SSH console
EXPOSE 80 2222

# Attempt migrations at build time; no database is reachable during the build,
# so "|| true" turns the failure into a no-op instead of breaking the build
RUN php artisan migrate --force || true

# Run the entrypoint script
ENTRYPOINT ["./entrypoint.sh"]
```

Reference: starred/BookStack#5514