
SSO/SAML login for Windows Hello enrolled users fails

Open schluis96 opened this issue 2 months ago • 4 comments

Describe the Bug

We have Entra SAML login enabled for BookStack, which works fine.

However, we noticed that users who are enrolled in Windows Hello and have logged in with a Hello method (PIN, biometrics) on their computer receive an AADSTS75011 error. They cannot log in with SSO.

In a browser not passing Windows Authentication, SSO still works.

Full error message:

AADSTS75011: Authentication method 'X509, MultiFactor, X509Device' by which the user authenticated with the service doesn't match requested authentication method 'Password, ProtectedTransport'. Contact the BookStack application owner.

I have seen this issue https://github.com/BookStackApp/BookStack/issues/5660 and tried both options. See screenshots.

Steps to Reproduce

  1. Working Docker BookStack in Azure App Service
  2. SAML configured with our company Entra AD
  3. Log in with username/password credentials into Windows
  4. SAML SSO login to BookStack works fine
  5. Log out of Windows
  6. Log in with Windows Hello using e.g. PIN or biometrics
  7. SAML SSO login to BookStack fails

Expected Behaviour

SSO login when using Windows Hello should also work. What environment variables should be set up in the Docker Compose to allow this?

Screenshots or Additional Context

[three screenshots attached]

Browser Details

Microsoft Edge version 142.0.03595.90, 64-bit

Exact BookStack Version

v24.10.2

schluis96 avatar Nov 21 '25 09:11 schluis96
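The AADSTS75011 text above contrasts two things: the authentication context the user actually satisfied at the IdP (Windows Hello reports X509 / MultiFactor / X509Device) and the authentication context the service provider asked for in its AuthnRequest (Password, ProtectedTransport, i.e. the SAML class `PasswordProtectedTransport`). When the request carries that class with `Comparison="exact"`, Entra can only satisfy it with a password sign-in, so a Hello session fails. A useful check while testing .env changes is to look at what the SP is really sending. The script below is an added diagnostic, not BookStack's code and not taken from the issue: it decodes a `SAMLRequest` query parameter as produced by the HTTP-Redirect binding (raw DEFLATE then base64) and reports the requested context. The sample AuthnRequest, the `wiki.example.test` and `EXAMPLE-TENANT` values are constructed for the example.

```python
"""Diagnostic for the SAML RequestedAuthnContext an SP sends (added example).

If the AuthnRequest pins PasswordProtectedTransport with Comparison="exact",
a user signed in with a non-password method (Windows Hello, certificate)
cannot satisfy it and the IdP rejects the login (Entra: AADSTS75011).
"""
import base64
import zlib
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
PASSWORD_PROTECTED = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"

# Constructed AuthnRequest (hostnames and tenant are placeholders, not real values).
SAMPLE_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_example1" Version="2.0"
  IssueInstant="2025-11-21T09:00:00Z"
  Destination="https://login.microsoftonline.com/EXAMPLE-TENANT/saml2"
  AssertionConsumerServiceURL="https://wiki.example.test/saml2/acs">
  <saml:Issuer>https://wiki.example.test/saml2/metadata</saml:Issuer>
  <samlp:RequestedAuthnContext Comparison="exact">
    <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
  </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>"""

# Same request with the RequestedAuthnContext element dropped entirely,
# which lets the IdP pick any method it trusts (constructed for comparison).
RELAXED_REQUEST = SAMPLE_REQUEST.split("<samlp:RequestedAuthnContext")[0] + "</samlp:AuthnRequest>"


def encode_redirect_binding(xml_text: str) -> str:
    """Produce a SAMLRequest parameter as the HTTP-Redirect binding does:
    raw DEFLATE (wbits=-15, no zlib header) followed by base64."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = compressor.compress(xml_text.encode("utf-8")) + compressor.flush()
    return base64.b64encode(deflated).decode("ascii")


def decode_redirect_binding(saml_request_param: str) -> str:
    """Reverse of encode_redirect_binding; paste the SAMLRequest value from the
    browser's network tab here (URL-decoded) to see the XML the SP sent."""
    raw = base64.b64decode(saml_request_param)
    return zlib.decompress(raw, -15).decode("utf-8")


def requested_authn_context(xml_text: str) -> dict:
    """Return the Comparison attribute and the requested class refs.
    Per the SAML 2.0 core spec, Comparison defaults to "exact" when absent."""
    root = ET.fromstring(xml_text)
    rac = root.find("samlp:RequestedAuthnContext", NS)
    if rac is None:
        return {"comparison": None, "classes": []}
    classes = [e.text.strip() for e in rac.findall("saml:AuthnContextClassRef", NS) if e.text]
    return {"comparison": rac.get("Comparison", "exact"), "classes": classes}


def pins_password(xml_text: str) -> bool:
    """True when only a password login can satisfy the request, which is the
    condition under which a Windows Hello session produces AADSTS75011."""
    ctx = requested_authn_context(xml_text)
    return ctx["comparison"] == "exact" and ctx["classes"] == [PASSWORD_PROTECTED]


if __name__ == "__main__":
    for label, xml_text in (("pinned", SAMPLE_REQUEST), ("relaxed", RELAXED_REQUEST)):
        param = encode_redirect_binding(xml_text)
        decoded = decode_redirect_binding(param)
        print(label, requested_authn_context(decoded), "pins password:", pins_password(decoded))
```

Run it as-is to see both outcomes, or replace the sample with the real `SAMLRequest` value captured from the redirect to `login.microsoftonline.com`: if `pins_password` is still true after editing .env, the running container is not picking up the changed setting (for example because the image was built with a baked-in .env or the config cache was not cleared), which is a different problem from the Entra-side error.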

Hi @schluis96, have you read https://github.com/BookStackApp/BookStack/issues/5660, which covers the same thing?

ssddanbrown avatar Nov 21 '25 09:11 ssddanbrown

Ah, I see you have.

How are you setting .env options, and how are you running BookStack? What method of installation did you use?

ssddanbrown avatar Nov 21 '25 09:11 ssddanbrown

Yes sir, I have tested both configurations and neither of them is working.

schluis96 avatar Nov 21 '25 10:11 schluis96

We have used the code, built the Docker image, and deployed it to the App Service. I have attached screenshots of the .env configuration, and I have tested both options.

Dockerfile

# Use PHP 8.3 with Apache
FROM php:8.3-apache

# Install additional dependencies and PHP extensions
RUN apt-get update && apt-get install -y \
    git \
    unzip \
    libpng-dev \
    libjpeg-dev \
    libfreetype6-dev \
    libonig-dev \
    libxml2-dev \
    zip \
    curl \
    dialog \
    openssh-server

# Set the password for SSH access
RUN echo "root:Docker!" | chpasswd

# Install the GD extension
RUN docker-php-ext-configure gd --with-freetype --with-jpeg \
    && docker-php-ext-install -j$(nproc) gd

# Install other PHP extensions
RUN docker-php-ext-install -j$(nproc) pdo_mysql mbstring xml dom opcache

# Install Composer
RUN curl -sS https://getcomposer.org/installer | php -- --install-dir=/usr/local/bin --filename=composer

# Define the ARG variable used during the build
ARG APP_ENV

# Define the environment variable so it persists at runtime
ENV APP_ENV=${APP_ENV}

# Configure Apache depending on the environment
RUN if [ "$APP_ENV" = "testing" ]; then \
    echo "Configuring Apache for the testing environment"; \
    sed -i 's|DocumentRoot /var/www/html|DocumentRoot /var/www/html/public|g' /etc/apache2/sites-available/000-default.conf \
    && sed -i '/DocumentRoot/a <Directory /var/www/html/public>\n    AllowOverride All\n    Require all granted\n</Directory>' /etc/apache2/sites-available/000-default.conf \
    && sed -i '/ServerAdmin/a ServerName wiki-test.fibermancha.es' /etc/apache2/sites-available/000-default.conf \
    && sed -i 's|LogLevel .*|LogLevel warn|g' /etc/apache2/sites-available/000-default.conf; \
  elif [ "$APP_ENV" = "production" ]; then \
    echo "Configuring Apache for the production environment"; \
    sed -i 's|DocumentRoot /var/www/html|DocumentRoot /var/www/html/public|g' /etc/apache2/sites-available/000-default.conf \
    && sed -i '/DocumentRoot/a <Directory /var/www/html/public>\n    AllowOverride All\n    Require all granted\n</Directory>' /etc/apache2/sites-available/000-default.conf \
    && sed -i '/ServerAdmin/a ServerName wiki.fibermancha.es' /etc/apache2/sites-available/000-default.conf \
    && sed -i 's|LogLevel .*|LogLevel warn|g' /etc/apache2/sites-available/000-default.conf; \
  else \
    echo "Configuring Apache for localhost (local docker)"; \
    sed -i 's|DocumentRoot /var/www/html|DocumentRoot /var/www/html/public|g' /etc/apache2/sites-available/000-default.conf \
    && sed -i '/DocumentRoot/a <Directory /var/www/html/public>\n    AllowOverride All\n    Require all granted\n</Directory>' /etc/apache2/sites-available/000-default.conf \
    && sed -i '/ServerAdmin/a ServerName localhost' /etc/apache2/sites-available/000-default.conf \
    && sed -i 's|LogLevel .*|LogLevel warn|g' /etc/apache2/sites-available/000-default.conf; \
  fi

# Enable the Apache rewrite module
RUN a2enmod rewrite

# Set the working directory
WORKDIR /var/www/html

# Copy the files from the local repository into the container
COPY . /var/www/html

# Run composer update before composer install
RUN composer update --no-dev --optimize-autoloader

# Configure Git to allow the safe directory
RUN git config --global --add safe.directory /var/www/html

# Clear the Composer cache and update dependencies
RUN composer clear-cache \
    && composer install --no-dev --optimize-autoloader

# Show the value of APP_ENV in the logs
RUN echo "The value of APP_ENV is: $APP_ENV"

# Check for the presence of .env files
RUN ls -la /var/www/html


# Check whether the .env file was generated correctly during the build
RUN if [ ! -f /var/www/html/.env ]; then \
    echo "The .env file was not copied correctly"; \
    exit 1; \
else \
    echo "The .env file was generated correctly"; \
fi

# Show the contents of the .env file for debugging
RUN echo "Contents of the .env file:" && cat /var/www/html/.env

# Check the contents again after copying .env
RUN ls -la /var/www/html

# Generate the application key if not already present in .env
RUN php artisan key:generate --force

# Make sure the required folders are accessible by Apache
RUN chown -R www-data:www-data storage bootstrap/cache public/uploads

# Configure SSH
COPY sshd_config /etc/ssh/
COPY entrypoint.sh ./
RUN chmod u+x ./entrypoint.sh

# Expose ports for the application and SSH
EXPOSE 80 2222

# Run migrations if needed
RUN php artisan migrate --force || true

# Run the entrypoint script
ENTRYPOINT ["./entrypoint.sh"]

schluis96 avatar Nov 21 '25 10:11 schluis96