-
Notifications
You must be signed in to change notification settings - Fork 620
Enhance SAML configuration instructions for Mattermost #8914
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Changes from all commits
b49affa
6da9117
465befb
df31b16
f14f518
1f50d2d
69d21b6
3593633
7dd836c
ca3349c
8535843
8680279
6d71613
14eefc7
04d3664
7fc4d4f
169239c
88f60c8
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change | ||||
|---|---|---|---|---|---|---|
|
|
@@ -20,47 +20,115 @@ Prerequisites | |||||
| * A Microsoft Entra tenant containing applicable user data. | ||||||
| * A verified custom domain for your tenant. See Microsoft's `Add your custom domain name to your tenant <https://learn.microsoft.com/en-us/entra/fundamentals/add-custom-domain>`__ documentation for details. | ||||||
| * A Microsoft Entra ID P1 or P2 license. | ||||||
| * An account with at least the **Application Administrator** role in your Entra tenant. | ||||||
|
|
||||||
| Set up an enterprise app for Mattermost SSO in Entra ID | ||||||
| -------------------------------------------------------- | ||||||
|
|
||||||
| 1. Log into the Microsoft Azure portal and select the **Microsoft Entra ID** service. | ||||||
| 2. In the left menu, select **Manage > Enterprise applications**. | ||||||
| 3. Select the **New application** button. | ||||||
| 4. In the **Search application** field, search for **Microsoft Entra SAML Toolkit** and select **Microsoft Entra SAML Toolkit**. | ||||||
| 5. In the **Name** field, enter **Mattermost SAML** then select the **Create** button. | ||||||
| 6. In the **Mattermost SAML** enterprise application settings, select **Manage > Users and Groups** to assign users and/or groups to the application **or** select **Manage > Properties** then set **Assignment required?** to **No** then select **Save**. | ||||||
| 7. In the **Mattermost SAML** enterprise application settings, select **Manage > Single sign-on** then select **SAML** under **Select a single sign-on method**. | ||||||
| 8. Select **Edit** in the **Basic SAML Configuration section** then set the below fields then select **Save**: | ||||||
| 1. Sign in to the `Microsoft Entra admin center <https://entra.microsoft.com>`__ with an account that has at least the **Application Administrator** role. | ||||||
| 2. In the left navigation menu, select **Entra ID > Enterprise applications**. | ||||||
| 3. Select **+ New application**. | ||||||
| 4. Select **+ Create your own application**. | ||||||
| 5. In the **What's the name of your app?** field, enter **Mattermost**. | ||||||
| 6. Under **What are you looking to do with your application?**, select **Integrate any other application you don't find in the gallery (Non-gallery)**. | ||||||
| 7. Select **Create**. Entra provisions the application; this may take a few seconds. | ||||||
| 8. In the **Mattermost** enterprise application settings, select **Manage > Users and groups**, then assign the approved users and/or groups that should have access to Mattermost. | ||||||
|
|
||||||
| - **Identity (Entity ID)**: ``https://<your-mattermost-url>`` | ||||||
| - **Reply URL (Assertion Consumer Service URL)**: ``https://<your-mattermost-url>/login/sso/saml`` | ||||||
| - **Sign on URL**: ``https://<your-mattermost-url>/login`` | ||||||
| .. warning:: | ||||||
|
|
||||||
| 9. Select **Edit** in the **Attributes & Claims** section then set the below attributes: | ||||||
| Alternatively, you can select **Manage > Properties**, set **Assignment required?** to **No**, then select **Save**. This grants Mattermost access to **all users in your Entra tenant** — evaluate whether this aligns with your organization's access control requirements before proceeding. | ||||||
| 9. In the **Mattermost** enterprise application settings, select **Manage > Single sign-on**, then select **SAML** under **Select a single sign-on method**. | ||||||
| 10. Select **Edit** in the **Basic SAML Configuration** section, then set the fields below and select **Save**: | ||||||
|
|
||||||
| a. Set the the **Unique User Identifier (Name ID)** required claim **Name identifier format** and **Source attribute** values as required for your environment. Setting the **Source attribute** to an immutable value such as ``user.objectid`` is recommended. | ||||||
| b. Edit claim names **and namespaces** under **Additional claims** to match SAML attribute settings you wish to set in Mattermost. Configurable settings are Email, Username, Id, Guest, Admin, First Name, Last Name, Nickname, Position, and Preferred Language. | ||||||
| - **Identifier (Entity ID)**: ``https://<your-mattermost-url>`` | ||||||
| - **Reply URL (Assertion Consumer Service URL)**: ``https://<your-mattermost-url>/login/sso/saml`` | ||||||
| - **Sign on URL**: ``https://<your-mattermost-url>/login`` | ||||||
|
|
||||||
| .. important:: | ||||||
| 11. Select **Edit** in the **Attributes & Claims** section, then configure the required claim and additional claims as described below. | ||||||
|
|
||||||
| Mattermost matches each attribute by its **full claim name**, including the namespace, exactly as it appears in the SAML assertion. By default, Entra ID emits its built-in claims under the namespace ``http://schemas.xmlsoap.org/ws/2005/05/identity/claims/`` — so the claim that appears in the **Claim name** column as ``emailaddress`` is actually sent in the assertion as ``http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress``. | ||||||
| **How Entra claims map to Mattermost** | ||||||
|
|
||||||
| This means the value you enter in each Mattermost attribute field (step 15 of **Configure SAML Sign-On for Mattermost**, below) must be the **fully-qualified** claim name. Entering only the short name (for example, ``email`` or ``name``) will **not** match, and login will fail with an error such as ``SAML login was unsuccessful because one of the attributes is incorrect... <attribute> attribute is missing``. | ||||||
| The SAML assertion Entra sends to Mattermost contains a set of *claims* — name/value pairs describing the user. Mattermost reads these claims based on the attribute names you configure in **System Console > Authentication > SAML 2.0 > Attributes** (for example, **Email Attribute**, **Username Attribute**, **First Name Attribute**). | ||||||
|
|
||||||
| You have two options: | ||||||
| The **Claim name** you set in Entra must match the value you enter in the corresponding Mattermost attribute field exactly, character for character. The **Value** (also called **Source attribute**) tells Entra which user property to send — for example, ``user.mail`` sends the user's email address. | ||||||
|
|
||||||
| - **Clear the namespace** on each claim in Entra ID under **Additional claims** so the claim name becomes the short value (for example, ``email``), then enter that same short value in Mattermost; **or** | ||||||
| - **Leave the default namespace** in Entra ID and enter the fully-qualified claim name in Mattermost (for example, ``http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress``). | ||||||
| a. **Required claim — Unique User Identifier (Name ID)** | ||||||
|
|
||||||
| Whichever option you choose, the value in Mattermost must match the assertion **character-for-character**. If a login fails, the safest way to confirm the exact claim names being sent is to capture and decode the SAML response from the browser (for example, with the `SAML-tracer <https://addons.mozilla.org/firefox/addon/saml-tracer/>`__ browser extension) and read the ``Name`` attribute of each ``<Attribute>`` element. | ||||||
| Set the **Name identifier format** and **Source attribute** values as required for your environment. The Name ID is part of the SAML assertion, but Mattermost account binding is controlled by the **Id Attribute (SAML)** setting if you configure it, or by email otherwise. If you want immutable user binding in Mattermost, add a separate ``Id`` claim under **Additional claims** and set its **Value** (source attribute) to an immutable Entra attribute such as ``user.objectid``. ``user.userprincipalname`` is also a common choice for Name ID when a human-readable identifier is preferred, with the trade-off that renames in Entra can orphan the corresponding Mattermost account if you rely on it for identity matching. | ||||||
|
||||||
| Set the **Name identifier format** and **Source attribute** values as required for your environment. The Name ID is part of the SAML assertion, but Mattermost account binding is controlled by the **Id Attribute (SAML)** setting if you configure it, or by email otherwise. If you want immutable user binding in Mattermost, add a separate ``Id`` claim under **Additional claims** and set its **Value** (source attribute) to an immutable Entra attribute such as ``user.objectid``. ``user.userprincipalname`` is also a common choice for Name ID when a human-readable identifier is preferred, with the trade-off that renames in Entra can orphan the corresponding Mattermost account if you rely on it for identity matching. | |
| Set the **Name identifier format** and **Source attribute** values as required for your environment. The Name ID is part of the SAML assertion, but Mattermost account binding is controlled by the **Id Attribute** setting if you configure it, or by email otherwise. If you want immutable user binding in Mattermost, add a separate ``Id`` claim under **Additional claims** and set its **Value** (source attribute) to an immutable Entra attribute such as ``user.objectid``. ``user.userprincipalname`` is also a common choice for Name ID when a human-readable identifier is preferred, with the trade-off that renames in Entra can orphan the corresponding Mattermost account if you rely on it for identity matching. |
Copilot
AI
Apr 21, 2026
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Persona: Editor Evie | Severity: Friction
Quoted text: “Mattermost usernames cannot contain the @ character”
Why it matters: This is an important constraint that affects whether the recommended claim mapping will work. Adding a supporting reference (or a quick pointer to where the username rules are documented) increases reader confidence and reduces ambiguity.
Suggestion: Link to the existing username requirements (for example, the profile documentation that lists allowed username characters) right after this sentence, or rephrase to explicitly align with that documented rule set (letters/numbers plus ., -, _).
| Use ``user.mailnickname`` rather than ``user.userprincipalname`` as the source for the username claim. The user principal name is typically formatted as an email address (``user@domain.com``), but Mattermost usernames cannot contain the ``@`` character, so SAML logins using ``user.userprincipalname`` will fail. The mail nickname is the local part of the email address (the portion before ``@``) and maps cleanly to a valid Mattermost username. | |
| Use ``user.mailnickname`` rather than ``user.userprincipalname`` as the source for the username claim. The user principal name is typically formatted as an email address (``user@domain.com``), but Mattermost usernames can contain only letters, numbers, and ``.``, ``-``, or ``_`` characters, so SAML logins using ``user.userprincipalname`` will fail. The mail nickname is the local part of the email address (the portion before ``@``) and maps cleanly to a valid Mattermost username. |
Copilot
AI
Apr 21, 2026
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Persona: Editor Evie | Severity: Friction
Quoted text/behavior: The :start-after: :nosearch: option under the final .. include:: sso-saml-faq.rst directive is indented with a tab.
Why it matters: Tabs in reStructuredText indentation can lead to inconsistent rendering or Sphinx warnings depending on configuration; spaces are the safer, standard indentation.
Suggestion: Replace the tab indentation with spaces (matching the include option indentation style used elsewhere in the docs).
| :start-after: :nosearch: | |
| :start-after: :nosearch: |
Copilot
AI
Apr 21, 2026
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Editor Evie (Polish): The .. include:: option lines at the end of the file are indented with a tab (\t:start-after: ...), while earlier directives in this file use spaces for indentation (e.g., the badges include). Tabs work but tend to cause inconsistent rendering/linting across editors. Suggestion: replace the tabs with consistent two-space indentation for the :start-after: options.
Uh oh!
There was an error while loading. Please reload this page.