
With SAML/SSO enabled, Logout logs out of the IDP but Bookstack still thinks I am authenticated #2553

Closed
jimmyc802 opened this issue Feb 11, 2021 · 9 comments

@jimmyc802

Describe the bug
With SAML/SSO enabled, clicking the Logout button logs users out of the IDP, but Bookstack still thinks they are authenticated and they can still navigate Bookstack, even if they close and reopen their browser. This seems to be cookie session related. If you delete the cookies for Bookstack, XSRF-TOKEN and bookstack_session, you get prompted to authenticate again.

Steps To Reproduce
With SAML/SSO enabled for authentication

  1. Log out of Bookstack
  2. Close your browser
  3. Reopen same browser
  4. Navigate to Bookstack and you will not get prompted to authenticate to the IDP.

Expected behavior
Clicking the logout button should log us out of both the IDP and Bookstack.

Your Configuration (please complete the following information):

  • Exact BookStack Version (Found in settings): 31.4
  • PHP Version: 7.3.26
  • Hosting Method (Nginx/Apache/Docker): Apache 2.4.6

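An added example, not code from BookStack or from the issue author, that models the behaviour reported above: a server-side session store with two logout handlers, one that only redirects to the IdP's SLO endpoint (the local session survives, so replaying the old cookie still authenticates) and one that also destroys the local session and expires the bookstack_session and XSRF-TOKEN cookies. The IdP URL and user name are constructed placeholders.

```python
# Model of the reported logout flaw: local session state vs. IdP logout.
import secrets
from http.cookies import SimpleCookie

IDP_SLO_URL = "https://idp.example.test/saml2/logout"  # constructed placeholder
SESSION_COOKIE = "bookstack_session"  # cookie names as reported in the issue
XSRF_COOKIE = "XSRF-TOKEN"


class SessionStore:
    """Server-side session records keyed by the session cookie value."""

    def __init__(self):
        self._sessions = {}

    def login(self, user):
        sid = secrets.token_hex(16)
        self._sessions[sid] = {"user": user}
        return f"{SESSION_COOKIE}={sid}; {XSRF_COOKIE}={secrets.token_hex(8)}"

    def _sid(self, cookie_header):
        cookies = SimpleCookie()
        cookies.load(cookie_header)
        morsel = cookies.get(SESSION_COOKIE)
        return None if morsel is None else morsel.value

    def user_for(self, cookie_header):
        return self._sessions.get(self._sid(cookie_header), {}).get("user")

    def destroy(self, cookie_header):
        self._sessions.pop(self._sid(cookie_header), None)


def logout_redirect_only(store, cookie_header):
    """Reported behaviour: hand off to the IdP, leave the local session alive."""
    return {"Location": IDP_SLO_URL}


def logout_with_local_invalidation(store, cookie_header):
    """Expected behaviour: kill the local session, expire both cookies, then redirect."""
    store.destroy(cookie_header)
    expired = [f"{name}=; Max-Age=0; Path=/" for name in (SESSION_COOKIE, XSRF_COOKIE)]
    return {"Location": IDP_SLO_URL, "Set-Cookie": expired}


def replay_after_logout(logout_handler):
    """Log in, log out, then replay the old cookie; returns the user still seen, or None."""
    store = SessionStore()
    cookie = store.login("alice")  # constructed user
    logout_handler(store, cookie)
    return store.user_for(cookie)
```

The same replay check, run against a real deployment with a captured cookie, is the regression test that distinguishes an IdP-only logout from a complete one.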

@ssddanbrown (Member)

Hi @jimmyc802,

Can you confirm any details about your SSO system at all? Are you using ADFS or another popular offering?

@jimmyc802 (Author) commented Feb 11, 2021

Hey Dan! We are using Azure AD Enterprise Applications. Here is our SAML config on the Azure AD side and our SAML config in bookstack:

[Screenshot: 2021-02-11 17_33_49-Microsoft Azure]

SAML2_NAME=SSO
SAML2_EMAIL_ATTRIBUTE=http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
SAML2_EXTERNAL_ID_ATTRIBUTE=uid
SAML2_DISPLAY_NAME_ATTRIBUTES=http://schemas.microsoft.com/identity/claims/displayname
SAML2_IDP_ENTITYID=https://sts.windows.net/<redacted>/
SAML2_AUTOLOAD_METADATA=false
SAML2_IDP_SSO=https://login.microsoftonline.com/<redacted>/saml2
SAML2_IDP_SLO=https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0
SAML2_IDP_x509=<redacted>

@ssddanbrown (Member)

Thanks @jimmyc802 for the extra context.
There are various other SAML single logout issues here, particularly around Microsoft systems, but authentication issues are particularly difficult & time consuming to test, review & action, especially surrounding systems that I have limited or no access to.

I'm trying to get through some of the pending SAML issues/prs in this release cycle though.
If you need something urgently it might be worth having a search across those issues or PRs as sometimes people will post patches or workarounds.

@jimmyc802 (Author)

I'll keep an eye out. Let me know if you hear of anything in the meantime.

@abulgatz (Contributor)

@ssddanbrown I can provide free admin access to a Microsoft Azure AD tenant if you'd like for testing purposes.

@aswgxf commented Jul 27, 2022

Are there any updates on this? We are looking into moving all of our documentation into BookStack and currently have the SAML auth configured.

@ssddanbrown (Member)

@aswgxf Some further changes were made in #2902. Looks like I tested ADFS with SLS at that time, so not sure if this issue is actually relevant any more.

@ssddanbrown (Member)

Upon my comment above, I'm going to go ahead and close this off.
If you are facing issues after configuring logout via SAML, please open a new issue rather than responding to this one as the details will likely have since changed.

@radiantwave (Contributor) commented Dec 6, 2023

I have the same issue.
Which details could help here?

Using v23.10.4
These are my settings:

AUTH_METHOD=saml2
AUTH_AUTO_INITIATE=true
SAML2_NAME=authentik
SAML2_EMAIL_ATTRIBUTE=email
SAML2_EXTERNAL_ID_ATTRIBUTE=uid
SAML2_USER_TO_GROUPS=true
SAML2_GROUP_ATTRIBUTE=http://schemas.xmlsoap.org/claims/Group
SAML2_DISPLAY_NAME_ATTRIBUTES=http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
SAML2_IDP_ENTITYID=https://authentik.<company>/api/v3/providers/saml/11/metadata/?download
SAML2_AUTOLOAD_METADATA=true
