BookStackApp / BookStack

A platform to create documentation/wiki content built with PHP & Laravel
https://www.bookstackapp.com/
MIT License

With SAML/SSO enabled, Logout logs out of the IDP but Bookstack still thinks I am authenticated #2553

Closed jimmyc802 closed 1 year ago

jimmyc802 commented 3 years ago

Describe the bug

With SAML/SSO enabled, clicking the Logout button logs users out of the IDP, but Bookstack still thinks they are authenticated and they can still navigate Bookstack, even if they close and reopen their browser. This seems to be cookie session related. If you delete the cookies for Bookstack, XSRF-TOKEN and bookstack_session, you get prompted to authenticate again.

Steps To Reproduce

With SAML/SSO enabled for authentication:

  1. Logout of Bookstack
  2. Close your browser
  3. Reopen same browser
  4. Navigate to Bookstack and you will not get prompted to authenticate to the IDP.

Expected behavior

Clicking the logout button should log us out of both the IDP and Bookstack.

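The report above describes a server-side session that outlives the IdP session: the IdP logs the user out, but the SP's own session cookie (bookstack_session) is never invalidated, so the browser keeps presenting a valid session. As an added illustration, not BookStack's own code, the following is the shape of a Laravel logout handler for a SAML2 service provider that tears down the local session before handing off to the IdP's single-logout endpoint. The controller name, the `services.saml2.idp_slo` config key and the route layout are assumptions made for this example.

```php
<?php
// Added example, not BookStack's code. Assumes a Laravel app whose session cookie
// name is config('session.cookie') and whose IdP SingleLogoutService URL is stored
// under the (assumed) config key services.saml2.idp_slo.

namespace App\Http\Controllers\Auth;

use Illuminate\Http\Request;
use Illuminate\Routing\Controller;
use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Facades\Cookie;

class SamlLogoutController extends Controller
{
    /**
     * SP-initiated logout: the user clicked "Logout".
     *
     * The local session is destroyed FIRST, then the browser is sent to the IdP.
     * If the IdP never calls back (for example because the SLO URL is wrong, which
     * is one reading of the report above), the SP session is already gone, so a
     * reopened browser is prompted to authenticate again.
     */
    public function logout(Request $request)
    {
        $idpSloUrl = config('services.saml2.idp_slo'); // assumed config key

        Auth::logout();                          // forget the authenticated user
        $request->session()->invalidate();       // flush server-side session data and rotate the session id
        $request->session()->regenerateToken();  // new CSRF token; the old XSRF-TOKEN cookie no longer matches

        $response = redirect($idpSloUrl);
        // Also instruct the browser to drop the two cookies named in the report.
        $response->withCookie(Cookie::forget(config('session.cookie')));
        $response->withCookie(Cookie::forget('XSRF-TOKEN'));

        return $response;
    }

    /**
     * SLS endpoint: the IdP's LogoutResponse, or an IdP-initiated LogoutRequest,
     * arrives here. This path is the only one that runs when logout starts on the
     * IdP side, so it must clear the local session as well.
     */
    public function sls(Request $request)
    {
        // The SAML library in use must validate the message signature and issuer
        // before this point; that step is library-specific and omitted here.
        Auth::logout();
        $request->session()->invalidate();
        $request->session()->regenerateToken();

        return redirect('/login')
            ->withCookie(Cookie::forget(config('session.cookie')));
    }
}
```

A quick way to confirm the fix on a running instance: capture the value of the session cookie while logged in, click Logout, then replay that same cookie against a protected page with curl. A correctly invalidated session answers with a redirect to the login page rather than the page content. If the old cookie still returns content, the local session was not destroyed regardless of what the IdP did.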

ssddanbrown commented 3 years ago

Hi @jimmyc802,

Can you confirm any details about your SSO system at all? Are you using ADFS or another popular offering?

jimmyc802 commented 3 years ago

Hey Dan! We are using Azure AD Enterprise Applications. Here is our SAML config on the Azure AD side and our SAML config in bookstack:

[Screenshot: 2021-02-11 17_33_49-Microsoft Azure]

```
SAML2_NAME=SSO
SAML2_EMAIL_ATTRIBUTE=http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
SAML2_EXTERNAL_ID_ATTRIBUTE=uid
SAML2_DISPLAY_NAME_ATTRIBUTES=http://schemas.microsoft.com/identity/claims/displayname
SAML2_IDP_ENTITYID=https://sts.windows.net/<redacted>/
SAML2_AUTOLOAD_METADATA=false
SAML2_IDP_SSO=https://login.microsoftonline.com/<redacted>/saml2
SAML2_IDP_SLO=https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0
SAML2_IDP_x509=<redacted>
```

ssddanbrown commented 3 years ago

Thanks @jimmyc802 for the extra context. There are various other SAML single logout issues here, particularly around Microsoft systems, but authentication issues are particularly difficult and time-consuming to test, review and action, especially surrounding systems that I have limited or no access to.

I'm trying to get through some of the pending SAML issues/prs in this release cycle though. If you need something urgently it might be worth having a search across those issues or PRs as sometimes people will post patches or workarounds.

jimmyc802 commented 3 years ago

I'll keep an eye out. Let me know if you hear of anything in the meantime.

abulgatz commented 3 years ago

@ssddanbrown I can provide free admin access to a Microsoft Azure AD tenant if you'd like for testing purposes.

aswgxf commented 2 years ago

Are there any updates on this? We are looking into moving all of our documentation into BookStack and currently have the SAML auth configured.

ssddanbrown commented 2 years ago

@aswgxf Some further changes were made in #2902. Looks like I tested ADFS with SLS at that time, so not sure if this issue is actually relevant any more.

ssddanbrown commented 1 year ago

Upon my comment above, I'm going to go ahead and close this off. If you are facing issues after configuring logout via SAML, please open a new issue rather than responding to this one as the details will likely have since changed.

radiantwave commented 8 months ago

I have the same issue. Which details could help here?

Using v23.10.4. These are my settings:

```
AUTH_METHOD=saml2
AUTH_AUTO_INITIATE=true
SAML2_NAME=authentik
SAML2_EMAIL_ATTRIBUTE=email
SAML2_EXTERNAL_ID_ATTRIBUTE=uid
SAML2_USER_TO_GROUPS=true
SAML2_GROUP_ATTRIBUTE=http://schemas.xmlsoap.org/claims/Group
SAML2_DISPLAY_NAME_ATTRIBUTES=http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
SAML2_IDP_ENTITYID=https://authentik.<company>/api/v3/providers/saml/11/metadata/?download
SAML2_AUTOLOAD_METADATA=true
```