[PR #2171] [CLOSED] Make RequestedAuthnContext configurable in SAML2 #5955

New Issue

Closed

opened 2026-02-05 10:21:16 +03:00 by OVERLORD · 0 comments

OVERLORD commented 2026-02-05 10:21:16 +03:00

Owner

Copy Link

📋 Pull Request Information

Original PR: https://github.com/BookStackApp/BookStack/pull/2171
Author: @Ant1x
Created: 7/6/2020
Status: ❌ Closed

Base: master ← Head: saml2-authn-context

---

📝 Commits (2)

• 374b70f Add requestedAuthnContext configurable to Saml2
• 4ac1071 Include Saml2 requested authn context

📊 Changes

2 files changed (+5 additions, -1 deletions)

View changed files

📝 .env.example.complete (+2 -1)
📝 app/Config/saml2.php (+3 -0)

📄 Description

When using SAML IDP providers that have different authentication methods available, authentication will occasionally fail since by default the OneLogin SAML library sets requestedAuthnContext to true.

This has the effect of requiring the exact urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport authentication context from the IDP (Refer to README: https://github.com/onelogin/php-saml)

I've been getting SAML to work with Microsoft ADFS that is configured with a range of different authentication mechanisms, and in this configuration ADFS is unable to authenticate a request that asks for PasswordProtectedTransport

In this PR I have made this option configurable by setting SAML2_REQUESTED_AUTHN_CONTEXT in the env config file. I have made it default to true as to not change the current working configuration for already deployed Bookstack instances.

Setting SAML2_REQUESTED_AUTHN_CONTEXT to false will send an authentication request to the IDP without specifying any authentication context, allowing the IDP to select the most appropriate method to authenticate the end user.

Setting SAML2_REQUESTED_AUTHN_CONTEXT to true or not configuring it will keep the same behavior of requesting PasswordProtectedTransport.

(Note: The online GitHub editor has automatically added a newline to the .env.example.complete file)

---

_{🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.}

## 📋 Pull Request Information **Original PR:** https://github.com/BookStackApp/BookStack/pull/2171 **Author:** [@Ant1x](https://github.com/Ant1x) **Created:** 7/6/2020 **Status:** ❌ Closed **Base:** `master` ← **Head:** `saml2-authn-context` --- ### 📝 Commits (2) - [`374b70f`](https://github.com/BookStackApp/BookStack/commit/374b70f0addace4999319cc2ebce0e010cfe2f6a) Add requestedAuthnContext configurable to Saml2 - [`4ac1071`](https://github.com/BookStackApp/BookStack/commit/4ac1071273aad4f60d97d73cc347c5bcc897fc5b) Include Saml2 requested authn context ### 📊 Changes **2 files changed** (+5 additions, -1 deletions) <details> <summary>View changed files</summary> 📝 `.env.example.complete` (+2 -1) 📝 `app/Config/saml2.php` (+3 -0) </details> ### 📄 Description When using SAML IDP providers that have different authentication methods available, authentication will occasionally fail since by default the OneLogin SAML library sets `requestedAuthnContext` to `true`. This has the effect of requiring the `exact` `urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport` authentication context from the IDP (Refer to README: https://github.com/onelogin/php-saml) I've been getting SAML to work with Microsoft ADFS that is configured with a range of different authentication mechanisms, and in this configuration ADFS is unable to authenticate a request that asks for `PasswordProtectedTransport` In this PR I have made this option configurable by setting `SAML2_REQUESTED_AUTHN_CONTEXT` in the env config file. I have made it default to `true` as to not change the current working configuration for already deployed Bookstack instances. Setting `SAML2_REQUESTED_AUTHN_CONTEXT` to `false` will send an authentication request to the IDP without specifying any authentication context, allowing the IDP to select the most appropriate method to authenticate the end user. Setting `SAML2_REQUESTED_AUTHN_CONTEXT` to `true` or not configuring it will keep the same behavior of requesting `PasswordProtectedTransport`. (Note: The online GitHub editor has automatically added a newline to the .env.example.complete file) --- _{🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.}

OVERLORD added the pull-request label 2026-02-05 10:21:16 +03:00

OVERLORD closed this issue 2026-02-05 10:21:18 +03:00

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

development

l10n_development

release

v25-12

llm_only

vectors

v25-11

docker_env

drawio_rendering

user_permissions

ldap_host_failover

svg_image

prosemirror

captcha_example

fix/video-export

v25.12.3

v25.12.2

v25.12.1

v25.12

v25.11.6

v25.11.5

v25.11.4

v24.11.4

v25.11.3

v25.11.2

v25.11.1

v25.11

v25.07.3

v25.07.2

v25.07.1

v25.07

v25.05.2

v25.05.1

v25.05

v25.02.5

v25.02.4

v25.02.3

v25.02.2

v25.02.1

v25.02

v24.12.1

v24.12

v24.10.3

v24.10.2

v24.10.1

v24.10

v24.05.4

v24.05.3

v24.05.2

v24.05.1

v24.05

v24.02.3

v24.02.2

v24.02.1

v24.02

v23.12.3

v23.12.2

v23.12.1

v23.12

v23.10.4

v23.10.3

v23.10.2

v23.10.1

v23.10

v23.08.3

v23.08.2

v23.08.1

v23.08

v23.06.2

v23.06.1

v23.06

v23.05.2

v23.05.1

v23.05

v23.02.3

v23.02.2

v23.02.1

v23.02

v23.01.1

v23.01

v22.11.1

v22.11

v22.10.2

v22.10.1

v22.10

v22.09.1

v22.09

v22.07.3

v22.07.2

v22.07.1

v22.07

v22.06.2

v22.06.1

v22.06

v22.04.2

v22.04.1

v22.04

v22.03.1

v22.03

v22.02.3

v22.02.2

v22.02.1

v22.02

v21.12.5

v21.12.4

v21.12.3

v21.12.2

v21.12.1

v21.12

v21.11.3

v21.11.2

v21.11.1

v21.11

v21.10.3

v21.10.2

v21.10.1

v21.10

v21.08.6

v21.08.5

v21.08.4

v21.08.3

v21.08.2

v21.08.1

v21.08

v21.05.4

v21.05.3

v21.05.2

v21.05.1

v21.05

v21.04.6

v21.04.5

v21.04.4

v21.04.3

v21.04.2

v21.04.1

v21.04

v0.31.8

v0.31.7

v0.31.6

v0.31.5

v0.31.4

v0.31.3

v0.31.2

v0.31.1

v0.31.0

v0.30.7

v0.30.6

v0.30.5

v0.30.4

v0.30.3

v0.30.2

v0.30.1

v0.30.0

v0.29.3

v0.29.2

v0.29.1

v0.29.0

v0.28.3

v0.28.2

v0.28.1

v0.28.0

v0.27.5

v0.27.4

v0.27.3

v0.27.2

v0.27.1

v0.27

v0.26.4

v0.26.3

v0.26.2

v0.26.1

v0.26.0

v0.25.5

v0.25.4

v0.25.3

v0.25.2

v0.25.1

v0.25.0

v0.24.3

v0.24.2

v0.24.1

v0.24.0

v0.23.2

v0.23.1

v0.23.0

v0.22.0

v0.21.0

v0.20.3

v0.20.2

v0.20.1

v0.20.0

v0.19.0

v0.18.5

v0.18.4

v0.18.3

v0.18.2

v0.18.1

v0.18.0

v0.17.4

v0.17.3

v0.17.2

v0.17.1

v0.17.0

v0.16.3

v0.16.2

v0.16.1

v0.16.0

v0.15.3

v0.15.2

v0.15.1

v0.15.0

v0.14.3

v0.14.2

v0.14.1

v0.14.0

v0.13.1

v0.13.0

v0.12.2

v0.12.1

v0.12.0

v0.11.2

v0.11.1

v0.11.0

v0.10.0

v0.9.3

v0.9.2

v0.9.1

v0.9.0

v0.8.2

v0.8.1

v0.8.0

v0.7.6

v0.7.5

v0.7.4

v0.7.3

0.7.2

v.0.7.1

v0.7.0

v0.6.3

v0.6.2

v0.6.1

v0.6.0

v0.5.0

Labels

Clear labels

🎨 Design

📖 Docs Update

🐛 Bug

🐛 Bug

:cat2:🐈 Possible duplicate

💿 Database

☕ Open to discussion

💻 Front-End

🐕 Support

🚪 Authentication

🌍 Translations

🔌 API Task

🏭 Back-End

⛲ Upstream

🔨 Feature Request

🛠️ Enhancement

🛠️ Enhancement

🛠️ Enhancement

❤️ Happy feedback

🔒 Security

🔍 Pending Validation

💆 UX

📝 WYSIWYG Editor

🌔 Out of scope

🔩 API Request

:octocat: Admin/Meta

🖌️ View Customization

❓ Question

🚀 Priority

🛡️ Blocked

🚚 Export System

♿ A11y

🔧 Maintenance

> Markdown Editor

pull-request

Mirrored from GitHub Pull Request

No Label pull-request

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

OVERLORD

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: starred/BookStack#5955