OpenID Connect Single Sign-On (E20)

Available in Enterprise Edition E20.

Mattermost provides OpenID Connect support for GitLab, Google Apps, and Office 365. With OpenID Connect, users can also use their login to Keycloak, Atlassian Crowd, Apple, Microsoft, Salesforce, Auth0, Ory.sh, Facebook, Okta, OneLogin, and Azure AD, as well as others, as a Single Sign-on (SSO) service for team creation, account creation, and user sign-in.

Follow these steps to configure a service provider using OpenID Connect.

Step 1: Create an OpenID Connect Application

  1. Follow service provider documentation for creating an OpenID Connect application. Most OpenID Connect service providers require authorization of all redirect URIs.

  2. In the appropriate field, enter {your-mattermost-url}/signup/openid/complete For example: http://domain.com/signup/openid/complete

  3. Copy and paste values for the Discovery Endpoint, Client ID, and Client Secret values to a temporary location. You will enter these values when you configure Mattermost.

Step 2: Configure Mattermost for an OpenID Connect SSO

  1. Log in to Mattermost, then go to System Console > Authentication > OpenID Connect.

  2. Select OpenID Connect (Other) as the service provider.

  3. Enter the Discovery Endpoint.

  4. Enter the Client ID.

  5. Enter the Client Secret.

  6. Specify a Button Name and Button Color for the OpenID Connect option on the Mattermost login page.

  7. Select Save.

  8. Restart your Mattermost server to see the changes take effect.