[Joplin Serve] Support SAML SLS/SLO

I’m a newbie to SSO setup, so it might be a me problem. But I spent days arguing/fighting with Claude and Gemini on how to configure this. There were some pitfalls that were not obvious, but maybe to a seasoned person they are. I was using authentik for SSO. So I’m putting this here to help the next newbie.

  • Must remove the Verification Certificate from the Joplin Provider (otherwise joplin-sp.xml will have AuthnRequestsSigned="true")
  • Create custom property mappings with simple attribute names (email and displayName), not the URI-format names that are the default in authentik (which use “http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress” as the attribute name instead of just “email”)
  • Permissions on the XML files (joplin-idp.xml and joplin-sp.xml): the Joplin server app runs as uid 1001, so give it read/execute permissions and/or give everyone read access
  • summary of parameters to add to compose:
    • # SAML CONFIG
      • SAML_ENABLED=${SAML_ENABLED}
      • SAML_IDP_CONFIG_FILE=/saml/joplin-idp.xml
      • SAML_SP_CONFIG_FILE=/saml/joplin-sp.xml
      • DELETE_EXPIRED_SESSIONS_SCHEDULE= # Empty to disable auto-logout
  • If you continue to get errors… use Dozzle to inspect the log for errors (which are highlighted in red) or search for ones related to SAML… then ask AI what it means if it’s not obvious… but sometimes it will assume and lead you astray… so question it when it doesn’t feel right or you might end up going in circles… keep checking the logs and asking what they mean

Hope this saves you days/hours that I lost to trying to learn and figure this out.
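The three pitfalls above (AuthnRequestsSigned="true" in the SP metadata, URI-format attribute names in the assertion, and XML files the container user cannot read) can all be caught before the first login attempt. The following preflight checker is an added example and is not code from the post, from Joplin Server or from authentik. It assumes the uid 1001 and the simple attribute names email/displayName stated in the post; the entityID, URLs and attribute values in the embedded sample XML are constructed placeholders, and the permission check considers only owner and "other" bits (group membership of the container user is not evaluated).

```python
"""Preflight checks for a Joplin Server SAML setup (added example).

Three checks matching the pitfalls in the post:
  1. SP metadata must not advertise AuthnRequestsSigned="true".
  2. Assertion attributes should use simple names (email, displayName),
     not the URI-format names authentik emits by default.
  3. joplin-idp.xml / joplin-sp.xml must be readable by the uid the
     Joplin container runs as (1001 according to the post).
"""
import os
import stat
import tempfile
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"        # SAML 2.0 metadata namespace
ASSERTION_NS = "urn:oasis:names:tc:SAML:2.0:assertion"  # SAML 2.0 assertion namespace
EXPECTED_ATTRS = {"email", "displayName"}  # simple names the post says to map (assumption taken from the post)
JOPLIN_UID = 1001                          # uid the post says the Joplin container runs as

# Constructed sample of a joplin-sp.xml that still has the pitfall (entityID/URL are placeholders).
SAMPLE_SP_METADATA_BAD = """
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://joplin.example.invalid/api/saml">
  <md:SPSSODescriptor AuthnRequestsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://joplin.example.invalid/api/saml" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""
SAMPLE_SP_METADATA_GOOD = SAMPLE_SP_METADATA_BAD.replace('AuthnRequestsSigned="true"',
                                                        'AuthnRequestsSigned="false"')

# Constructed sample AttributeStatement using authentik's default URI-format email claim.
SAMPLE_ATTRIBUTE_STATEMENT = """
<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
    <saml:AttributeValue>alice@example.invalid</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="displayName">
    <saml:AttributeValue>Alice</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>
"""


def sp_metadata_findings(xml_text: str) -> list:
    """Flag any SPSSODescriptor that advertises signed AuthnRequests."""
    findings = []
    root = ET.fromstring(xml_text)
    for sp in root.iter(f"{{{MD_NS}}}SPSSODescriptor"):
        if sp.get("AuthnRequestsSigned", "false").lower() == "true":
            findings.append('SPSSODescriptor has AuthnRequestsSigned="true"; remove the '
                            "verification certificate from the provider and re-export the metadata")
    return findings


def attribute_findings(xml_text: str, expected=frozenset(EXPECTED_ATTRS)) -> list:
    """Flag URI-format attribute names and report expected simple names that are absent."""
    root = ET.fromstring(xml_text)
    names = [a.get("Name", "") for a in root.iter(f"{{{ASSERTION_NS}}}Attribute")]
    findings = []
    for name in names:
        if name.startswith(("http://", "https://", "urn:")):
            findings.append(f'attribute "{name}" uses a URI-format name; create a property '
                            "mapping with a simple name instead")
    missing = sorted(set(expected) - set(names))
    if missing:
        findings.append("assertion is missing simple attributes: " + ", ".join(missing))
    return findings


def file_access_findings(path: str, uid: int = JOPLIN_UID) -> list:
    """Report whether `uid` can read `path`, judging by owner/other mode bits only."""
    st = os.stat(path)
    if st.st_uid == uid:
        readable = bool(st.st_mode & stat.S_IRUSR)
    else:
        readable = bool(st.st_mode & stat.S_IROTH)  # group bits deliberately ignored (assumption)
    if readable:
        return []
    return [f"{path} (mode {stat.filemode(st.st_mode)}, owner uid {st.st_uid}) is not readable "
            f"by uid {uid}; chown it or chmod o+r"]


def demo_file_permission_check(mode: int, uid: int = JOPLIN_UID) -> list:
    """Create a temp 'joplin-sp.xml' with the given mode and run the permission check on it."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "joplin-sp.xml")
        with open(path, "w") as fh:
            fh.write(SAMPLE_SP_METADATA_GOOD)
        os.chmod(path, mode)
        return file_access_findings(path, uid)


if __name__ == "__main__":
    for label, findings in [
        ("SP metadata", sp_metadata_findings(SAMPLE_SP_METADATA_BAD)),
        ("attributes", attribute_findings(SAMPLE_ATTRIBUTE_STATEMENT)),
        ("permissions", demo_file_permission_check(0o600)),
    ]:
        print(f"[{label}] " + ("OK" if not findings else "; ".join(findings)))
```

Run it against your real joplin-sp.xml and a decoded SAML response by calling the functions with the file contents; an empty list from each check means the three pitfalls from the post are not present.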