Bookstack Integration with Authentik


Today I am going to see if I can get the Bookstack integration working.

Step 1

Steps performed in Authentik Security

  • I open the Admin Interface
  • I navigate to Applications
  • I click on Providers
  • I click on Create
    • I select SAML Provider
    • I click Next
    • Name: Bookstack
    • ACS URL: https://bookstack.domain.local/saml2/acs
    • Issuer: http://authentik.domain.local:9000
    • Service Provider Binding: Post
    • Audience: https://bookstack.domain.local/saml2/metadata
    • Authentication flow: default-source-authentication (Welcome to Authentik)
    • Authorization flow: default-provider-authorization-implicit-consent (Authorize Application)
    • Signing Certificate: authentik Self-signed Certificate
    • I click Finish
  • I click on Applications
  • I click on Create
    • Name: Bookstack
    • Slug: bookstack
    • Provider: Bookstack
    • Launch URL: https://bookstack.domain.local
    • I click Create
  • I go back to Providers
  • I select Bookstack
  • I navigate to the Metadata tab
  • I click Copy download URL

Steps taken from BOOKSTACK-01

  • nano /var/www/.env
  • I add the following to the file:
# Set authentication method to be saml2
AUTH_METHOD=saml2
# Control if BookStack automatically initiates login via your SAML system if it's the only authentication method.
# Prevents the need for the user to click the "Login with x" button on the login page.
# Setting this to true enables auto-initiation.
AUTH_AUTO_INITIATE=true
# Set the display name to be shown on the login button.
# (Login with <name>)
SAML2_NAME=authentik
# Name of the attribute which provides the user's email address
SAML2_EMAIL_ATTRIBUTE=email
# Name of the attribute to use as an ID for the SAML user.
SAML2_EXTERNAL_ID_ATTRIBUTE=uid
# Enable SAML group sync.
SAML2_USER_TO_GROUPS=true
# Set the attribute from which BookStack will read groups names from.
# You will need to rename your roles in Bookstack to match your groups in authentik.
SAML2_GROUP_ATTRIBUTE=http://schemas.xmlsoap.org/claims/Group
# Name of the attribute(s) to use for the user's display name
# Can have multiple attributes listed, separated with a '|' in which
# case those values will be joined with a space.
# Example: SAML2_DISPLAY_NAME_ATTRIBUTES=firstName|lastName
# Defaults to the ID value if not found.
SAML2_DISPLAY_NAME_ATTRIBUTES=http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname
# Identity Provider entityID URL
SAML2_IDP_ENTITYID=http://authentik.domain.local:9000/api/v3/providers/saml/1/metadata/?download
# Auto-load metadata from the IDP
# Setting this to true negates the need to specify the next three options
SAML2_AUTOLOAD_METADATA=true
  • I save the file .env
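The two halves of the setup above only work together if the assertion authentik sends carries the attribute names the .env asks for and is addressed to the entity ID and ACS URL entered in the provider. The script below is an added example (not code from this post, BookStack or authentik) that decodes a SAMLResponse, the base64 form field a browser's network tab shows being POSTed to /saml2/acs, and reports which .env settings name an attribute the assertion lacks, plus any audience or destination mismatch. The sample responses are constructed here; the claim URIs and friendly names in them, the APP_URL value, and the assumption that BookStack matches attributes by either Name or FriendlyName are my assumptions, not taken from the page.

```python
# Added example, not code from the post, BookStack or authentik.
import base64
import xml.etree.ElementTree as ET

SAML_NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
           "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Settings from the post's .env; APP_URL is assumed to match the ACS URL and
# Audience entered in authentik.
BOOKSTACK_ENV = """
APP_URL=https://bookstack.domain.local
AUTH_METHOD=saml2
SAML2_EMAIL_ATTRIBUTE=email
SAML2_EXTERNAL_ID_ATTRIBUTE=uid
SAML2_USER_TO_GROUPS=true
SAML2_GROUP_ATTRIBUTE=http://schemas.xmlsoap.org/claims/Group
SAML2_DISPLAY_NAME_ATTRIBUTES=http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname
"""

def parse_env(text):
    """Minimal KEY=value parser; comments and blank lines are skipped."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            env[key.strip()] = value.strip()
    return env

def expected_attributes(env):
    """Map each SAML2_* setting to the attribute name(s) BookStack will read."""
    wanted = {}
    for setting in ("SAML2_EMAIL_ATTRIBUTE", "SAML2_EXTERNAL_ID_ATTRIBUTE", "SAML2_GROUP_ATTRIBUTE"):
        if setting in env:
            wanted[setting] = [env[setting]]
    if env.get("SAML2_USER_TO_GROUPS", "").lower() != "true":
        wanted.pop("SAML2_GROUP_ATTRIBUTE", None)   # group sync off: claim not needed
    if "SAML2_DISPLAY_NAME_ATTRIBUTES" in env:      # '|'-separated per the .env comment
        wanted["SAML2_DISPLAY_NAME_ATTRIBUTES"] = env["SAML2_DISPLAY_NAME_ATTRIBUTES"].split("|")
    return wanted

def parse_saml_response(b64):
    """Decode the SAMLResponse form field (base64 XML) and index the assertion's
    attributes under both Name and FriendlyName, so short names like 'email' and
    claim URIs can both be looked up (assumption about how BookStack matches)."""
    root = ET.fromstring(base64.b64decode(b64))
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = [v.text or "" for v in attr.iterfind("saml:AttributeValue", SAML_NS)]
        for key in {attr.get("Name"), attr.get("FriendlyName")} - {None}:
            attrs.setdefault(key, []).extend(values)
    return {"attributes": attrs,
            "audience": root.findtext(".//saml:Audience", namespaces=SAML_NS),
            "destination": root.get("Destination")}

def check_response(env, response):
    """Return {setting: [missing attribute names]} plus any audience/destination
    mismatch. Empty dict: the assertion carries everything the .env asks for."""
    problems = {}
    for setting, names in expected_attributes(env).items():
        missing = [n for n in names if not response["attributes"].get(n)]
        if missing:
            problems[setting] = missing
    base = env.get("APP_URL", "").rstrip("/")
    if base:  # BookStack's entity ID and ACS paths, as entered in authentik in the post
        if response["audience"] != base + "/saml2/metadata":
            problems["audience"] = response["audience"]
        if response["destination"] != base + "/saml2/acs":
            problems["destination"] = response["destination"]
    return problems

def build_sample_response(attributes, audience, destination):
    """Constructed fixture: a minimal, unsigned Response shaped like the one
    posted to /saml2/acs. Real responses are signed; this only feeds the checks."""
    attr_xml = ""
    for (name, friendly), values in attributes.items():
        fn = f' FriendlyName="{friendly}"' if friendly else ""
        vals = "".join(f"<saml:AttributeValue>{v}</saml:AttributeValue>" for v in values)
        attr_xml += f'<saml:Attribute Name="{name}"{fn}>{vals}</saml:Attribute>'
    xml = (f'<samlp:Response xmlns:samlp="{SAML_NS["samlp"]}" xmlns:saml="{SAML_NS["saml"]}"'
           f' ID="_r1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z" Destination="{destination}">'
           "<saml:Issuer>http://authentik.domain.local:9000</saml:Issuer>"
           '<saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">'
           "<saml:Subject><saml:NameID>david</saml:NameID></saml:Subject>"
           f"<saml:Conditions><saml:AudienceRestriction><saml:Audience>{audience}"
           "</saml:Audience></saml:AudienceRestriction></saml:Conditions>"
           f"<saml:AttributeStatement>{attr_xml}</saml:AttributeStatement>"
           "</saml:Assertion></samlp:Response>")
    return base64.b64encode(xml.encode()).decode()

# Constructed samples (claim URIs and friendly names are assumptions, not copied
# from authentik). COMPLETE carries every attribute the .env names; INCOMPLETE
# has no group claim and a UPN where the .env expects windowsaccountname.
SP = "https://bookstack.domain.local"
BASE_ATTRS = {
    ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "email"): ["david@domain.local"],
    ("http://schemas.goauthentik.io/2021/02/saml/uid", "uid"): ["4"],
}
COMPLETE = build_sample_response(
    {**BASE_ATTRS,
     ("http://schemas.xmlsoap.org/claims/Group", None): ["bookstack-editors"],
     ("http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", None): ["david"]},
    SP + "/saml2/metadata", SP + "/saml2/acs")
INCOMPLETE = build_sample_response(
    {**BASE_ATTRS,
     ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn", None): ["david@domain.local"]},
    SP + "/saml2/metadata", SP + "/saml2/acs")
```

To use it against a real login, copy the SAMLResponse value from the form POST to /saml2/acs in the browser's network tab and pass it to `parse_saml_response` together with `parse_env(open("/var/www/.env").read())`; an empty result means the assertion is not what is short, so the next place to look is BookStack's log rather than the attribute mapping. One caveat on the .env itself: the metadata URL is plain http on port 9000, and BookStack takes the IdP signing certificate from that metadata, so anything able to tamper with that fetch could substitute its own certificate and mint assertions BookStack would accept. Serve authentik over HTTPS, or turn off SAML2_AUTOLOAD_METADATA and pin the certificate in SAML2_IDP_x509, before this leaves the lab.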

Once I added this I can now click on the application in Authentik and there is a test button. Selecting david comes back as successful. So I pull up Bookstack in Firefox, which logs me into Bookstack as the Authentik admin. Neat. I open Chrome and try Bookstack. It looks like you have to be logged into Authentik first? Ok sure. I logged in as david. When I try to go to Bookstack it gives me an "An unknown error occurred" message.

Steps taken from Authentik Security

  • I navigate to Applications
  • I click on Bookstack
  • I click on the Policy/Group/User Bindings tab.
  • I click on Create and bind Policy
  • I select david and add the email address [email protected]

This results in an error message that the email address already exists with different credentials: "A user with the email .... already exists but with different credentials." That would be my administrative account, I believe, but I'll have to work out a solution on another day as I am out of time for the moment.