website/integrations: Update Bookstack SAML settings Documentation (#4137)

Update Bookstack SAML settings

Enabled AUTH_AUTO_INITIATE=true to reduce the number of clicks needed to proceed to Bookstack and give a proper SSO experience. If the user is not logged in elsewhere already, authentik's login page will still be displayed.

Edited SAML2_DISPLAY_NAME_ATTRIBUTES so it actually works. The previous "Name" entry is non-functional and does not parse. When this is the case, or the field is empty, usernames in Bookstack default to the user's email address. Entries here need to be in line with Active Directory Federation Services' Role of Claims, found here: https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/technical-reference/the-role-of-claims. Additionally, this will use the user's authentik username rather than their real/full name.

Enabled Group Sync by default for easier administration by sysadmins. SAML2_GROUP_ATTRIBUTE also needed to be in line with Active Directory Federation Services' Role of Claims.

Signed-off-by: Avsynthe <102600593+Avsynthe@users.noreply.github.com>

Avsynthe 2022-12-02 21:46:44 +11:00 committed by GitHub
parent 6ca1654129
commit 860c85d012
1 changed files with 11 additions and 2 deletions


@ -71,6 +71,10 @@ Modify the following Example SAML config and paste incorporate into your `.env`
```bash ```bash
# Set authentication method to be saml2 # Set authentication method to be saml2
AUTH_METHOD=saml2 AUTH_METHOD=saml2
# Control if BookStack automatically initiates login via your SAML system if it's the only authentication method.
# Prevents the need for the user to click the "Login with x" button on the login page.
# Setting this to true enables auto-initiation.
AUTH_AUTO_INITIATE=true
# Set the display name to be shown on the login button. # Set the display name to be shown on the login button.
# (Login with <name>) # (Login with <name>)
SAML2_NAME=authentik SAML2_NAME=authentik
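Review bot: the comment block for AUTH_AUTO_INITIATE ("Control if BookStack automatically initiates login via your SAML system if it's the only authentication method." through "Setting this to true enables auto-initiation.") explains the mechanism but not the operational consequence: once it takes effect, opening the BookStack login page redirects straight to authentik, so the local login form stops being a reachable fallback if the SAML provider, its certificate or the metadata URL is broken. Since this example now ships with the value set to true instead of leaving it at the default, consider adding a sentence that an administrator should verify the SAML login works end to end before enabling it, and that the setting can be flipped back to false in `.env` to recover.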
@ -78,15 +82,20 @@ SAML2_NAME=authentik
SAML2_EMAIL_ATTRIBUTE=email SAML2_EMAIL_ATTRIBUTE=email
# Name of the attribute to use as an ID for the SAML user. # Name of the attribute to use as an ID for the SAML user.
SAML2_EXTERNAL_ID_ATTRIBUTE=uid SAML2_EXTERNAL_ID_ATTRIBUTE=uid
# Enable SAML group sync.
SAML2_USER_TO_GROUPS=true
# Set the attribute from which BookStack will read groups names from.
# You will need to rename your roles in Bookstack to match your groups in authentik.
SAML2_GROUP_ATTRIBUTE=http://schemas.xmlsoap.org/claims/Group
# Name of the attribute(s) to use for the user's display name # Name of the attribute(s) to use for the user's display name
# Can have multiple attributes listed, separated with a '|' in which # Can have multiple attributes listed, separated with a '|' in which
# case those values will be joined with a space. # case those values will be joined with a space.
# Example: SAML2_DISPLAY_NAME_ATTRIBUTES=firstName|lastName # Example: SAML2_DISPLAY_NAME_ATTRIBUTES=firstName|lastName
# Defaults to the ID value if not found. # Defaults to the ID value if not found.
SAML2_DISPLAY_NAME_ATTRIBUTES=Name SAML2_DISPLAY_NAME_ATTRIBUTES=http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname
# Identity Provider entityID URL # Identity Provider entityID URL
SAML2_IDP_ENTITYID=METADATAURL SAML2_IDP_ENTITYID=METADATAURL
# Auto-load metatadata from the IDP # Auto-load metatadata from the IDP
# Setting this to true negates the need to specify the next three options # Setting this to true negates the need to specify the next three options
SAML2_AUTOLOAD_METADATA=true SAML2_AUTOLOAD_METADATA=true
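Review bot: the new SAML2_GROUP_ATTRIBUTE and SAML2_DISPLAY_NAME_ATTRIBUTES values are full claim URIs (`http://schemas.xmlsoap.org/claims/Group` and `http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname`) while the neighbouring SAML2_EMAIL_ATTRIBUTE=email and SAML2_EXTERNAL_ID_ATTRIBUTE=uid use short names; the doc should state that each of these must match the attribute name emitted by the property mappings selected on the authentik SAML provider, otherwise a reader cannot tell which values are fixed and which are free to change. Two points on the group sync lines: "You will need to rename your roles in Bookstack to match your groups in authentik" implies matching by name, so any authentik group whose name collides with a privileged BookStack role (such as Admin) grants that role on login, which is worth saying explicitly; and with SAML2_USER_TO_GROUPS=true now on by default, the example should also show SAML2_REMOVE_FROM_GROUPS so readers know whether roles absent from the attribute are revoked on the next login.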