Configure SAML with Okta

The following process provides steps to configure SAML 2.0 with Okta for Mattermost.

Before you begin

Before you configure SAML:

  1. Make sure you have the XML Security Library installed on your Mattermost instance. The XML Security Library is usually included as part of Debian GNU/Linux.
  2. Install the xmlsec1-openssl library
  • On Ubuntu: sudo apt-get install xmlsec1
  • On RHEL: sudo yum install xmlsec1-openssl
  1. Generate encryption certificates for encrypting the SAML connection.
  1. You can use the Bash script from the mattermost/docs repository on GitHub, or any other suitable method.
  2. Save the two files that are generated. They are the private key and the public key. In the System Console, they are referred to as the Service Provider Private Key and the Service Provider Public Certificate respectively.

Set up a connection app for Mattermost SSO

  1. Sign into Okta as an administrator.

  2. Go to Admin Dashboard > Applications > Add Application.

  3. Click Create New App and choose SAML 2.0 as the Sign on method.

    ../_images/okta_1_new_app.PNG
  4. Enter General Settings for the application, including App name and App logo (optional). It is recommended to display the application icon to users, including in the Okta Mobile app.

If you’d like to use a Mattermost logo for the application, you are free to download one from our page.

../_images/okta_2_general_settings.PNG
  1. Enter SAML Settings, including:
  • Single sign on URL: https://<your-mattermost-url>/login/sso/saml where https://<your-mattermost-url> should typically match the Mattermost Site URL.

  • Audience URL: For instance, mattermost

  • Name ID format: unspecified

  • Application username: Email

    ../_images/okta_3_initial_saml_settings.PNG
  1. Set up encryption for your SAML connection. First, click Show Advanced Settings.

    ../_images/okta_4_initial_saml_settings.PNG

Then, set Assertion Encryption as Encrypted and upload the Service Provider Public Certificate you generated in step 2 to the Encryption Certificate field.

../_images/okta_5_advanced_saml_settings.PNG
  1. Enter attribute statements, which will be used to map attributes between Okta and Mattermost. For more information on which attributes are configurable, see our documentation on SAML configuration settings. Email and username attributes are required. For Mattermost servers running 3.3 and earlier, first name and last name attributes are also required.

    ../_images/okta_6_attribute_statements.PNG
  2. Click Next. Then, set Okta support parameters for the application. Recommended settings:

  • I’m an Okta customer adding an internal app

  • This is an internal app that we have created

    ../_images/okta_7_support_configuration.PNG
  1. Click Finish. On the next screen, click the Sign On tab and click View Setup Instructions.

    ../_images/okta_8_view_instructions.PNG
  2. Take note of Identity Provider Single Sign-On URL (also known as SAML SSO URL), and the Identity Provider Issuer, as both will be needed to configure SAML for Mattermost.

Furthermore, you must download the X.509 Public Certificate file and save it. You will need to upload it to Mattermost at a later step.

../_images/okta_9_view_instructions.PNG

Configure SAML sign-in for Mattermost

  1. Start Mattermost server and sign into Mattermost as a System Administrator. Go to System Console > Authentication > SAML, and enter the following fields:
  • SAML SSO URL: Identity Provider Single Sign-On URL from Okta, specified earlier.

  • Identity Provider Issuer URL: Identity Provider Issuer from Okta, specified earlier.

  • Identity Provider Public Certificate: X.509 Public Certificate file you downloaded from Okta earlier.

    ../_images/okta_10_mattermost_basics.PNG
  1. Configure Mattermost to verify the signature. The Service Provider Login URL is the Single sign on URL you specified in Okta earlier.

    ../_images/okta_11_mattermost_verification.PNG
  2. Enable encryption based on the parameters provided earlier.

    ../_images/okta_12_mattermost_encryption.PNG
  3. Set attributes for the SAML Assertions, which will be used to update user information in Mattermost. Attributes for email and username are required and should match the values you entered in Okta earlier. See documentation on SAML configuration settings for more detail.

For Mattermost servers running 3.3 and earlier, the first name and last name attributes are also required fields.

../_images/okta_13_mattermost_attributes.PNG
  1. (Optional) Customize the login button text.

    ../_images/okta_14_mattermost_login_button.PNG
  2. Click Save.

  3. (Optional) If you configured First Name Attribute and Last Name Attribute, go to System Console > General > Users and Teams and set Teammate Name Display to Show first and last name. This is recommended for a better user experience.

You’re done! If you’d like to confirm SAML SSO is successfully enabled, switch your System Administrator account from email to SAML-based authentication via Account Settings > General > Sign-in Method > Switch to SAML SSO and sign in with your SAML credentials to complete the switch.

It is also recommended to post an announcement about how the migration will work to users.

You may also configure SAML for Okta by editing config.json to enable SAML based on SAML configuration settings. You must restart the Mattermost server for the changes to take effect.

Bind Authentication to ID Attribute instead of Email

Alternatively, you can use an Id Attribute instead of email to bind the user. We recommend choosing an ID that is unique and will not change over time.

Configuring with an Id Attribute allows you to reuse an email address for a new user without the old user’s information being exposed. For instance, if a user with an email address joe.smith@mattermost.com was once an employee, a new employee named Joe Smith can use the same email. This configuration is also useful when a user’s name changes and their email needs to be updated.

This process was designed with backwards compatibility to email binding. Here is the process applied to new account creations and to accounts logging in after the configuration:

  • A user authenticated with SAML is bound to the SAML service user using the Id Attribute (as long as it has been configured) or bound by email using the email received from SAML.
  • When the user tries to login and the SAML server responds with a valid authentication, then the server uses the “Id” field of the SAML authentication to search the user.
  • If a user bound to that ID already exists, it logs in as that user.
  • If a user bound to that ID does not exist, it will search base on the email.
  • If a user bound to the email exists, it logs in with email and updates the autentication data to the ID, instead of the email.
  • If a user bound to the ID or email does not exist, it will create a new Mattermost account bound to the SAML account by ID and will allow the user to log in.

Note: Existing accounts will not update until they log in to the server.

Configure SAML synchronization with AD/LDAP

In addition to configuring SAML sign-in, you can optionally configure synchronizing SAML accounts with AD/LDAP. When configured:

  • Mattermost queries AD/LDAP for relevant account information and updates SAML accounts based on changes to attributes (first name, last name, and nickname)
  • Accounts disabled in AD/LDAP are made inactive in Mattermost, and their active sessions are revoked once Mattermost synchronizes attributes.

To configure SAML synchronization with AD/LDAP:

  1. Go to System Console > SAML and set Enable Synchronizing SAML Accounts With AD/LDAP to true.
  2. Go to System Console > AD/LDAP and set Enable Synchronization with AD/LDAP to true.
  3. Set the rest of the AD/LDAP settings based on configuration settings documentation to connect Mattermost with your AD/LDAP server.
  • If you don’t want to enable AD/LDAP sign-in, keep Enable sign-in with AD/LDAP as false.
  1. Set Syncronization Interval to specify how often Mattermost synchronizes SAML user accounts with AD/LDAP. The default setting is 60 minutes. If you want to synchronize immediately after disabling an account, use the “AD/LDAP Synchronize Now” button in System Console > AD/LDAP.
  2. To test Mattermost can successfully connect to your AD/LDAP server, click the AD/LDAP Test button.

Once the synchronization with AD/LDAP is enabled, user attributes are synchronized with AD/LDAP based on their email address. If a user with a given email address doesn’t have an AD/LDAP account, they will be deactivated in Mattermost on the next AD/LDAP sync. To re-activate the account:

  1. Add the user to your AD/LDAP server.
  2. Purge all caches in Mattermost in System Console > Configuration > Purge All Caches.
  3. Run AD/LDAP sync in System Console > AD/LDAP > AD/LDAP Synchronize Now.
  4. Purge all caches again in Mattermost in System Console > Configuration > Purge All Caches, which re-activates the account in Mattermost.

Note

If a user is deactivated from AD/LDAP, they will be deactivated in Mattermost on the next sync. They will be shown as “Inactive” in the System Console users list, all of their sessions will expire and they won’t be able to log back in to Mattermost.

If a user is deactivated from SAML, their session won’t expire until they’re deactivated from AD/LDAP. However, they won’t be able to log back in to Mattermost.

Note

SAML synchronization with AD/LDAP is designed to pull user attributes such as first name and last name from your AD/LDAP, not to control authentication.

In particular, the user filter cannot be used to control who can log in to Mattermost, this should be controlled by your SAML service provider’s group permissions.

Technical description of SAML synchronization with AD/LDAP

When enabled, SAML synchronization with AD/LDAP occurs in phases:

  1. Get all the current LDAP users from the Mattermost database who have Users.AuthService set to ldap. This is a SQL query issued against the Mattermost database: SELECT * FROM Users WHERE AuthService = 'ldap'.
  2. Get all the current SAML users from the Mattermost database who have Users.AuthService set to saml. This is a SQL query issued against the Mattermost database: SELECT * FROM Users WHERE AuthService = 'saml'.
  3. Get all the current LDAP users from the LDAP server as defined by LdapSettings.UserFilter. This is an LDAP query issued against the LDAP server. Users are retrieved in batches as defined by LdapSettings.MaxPageSize.
  4. Update LDAP attributes. For each existing Mattermost user retrieved in step 1, attempt to find a match against the list of LDAP users from step 3. To find matches, Users.AuthData field of the Mattermost user is compared against the LdapSettings.IdAttribute LDAP setting.
  • If any attribute of the user has changed, that attribute is copied from the LDAP server and the user is marked as updated.
  • If the corresponding LdapSettings.IdAttribute is not found, the user is assumed to be deleted from the LDAP server, and deactivated from Mattermost by setting the Users.DeleteAt field to a valid timestamp.
  1. Update SAML attributes. For each existing Mattermost user retrieved in step 2, attempt to find a match against the list of LDAP users from step 3. To find matches, SamlSettings.Email is compared against the LdapSettings.EmailAttribute LDAP setting.
  • If any attribute of the user has changed, that attribute is copied from the LDAP server and the user is marked as updated.
  • If the corresponding LdapSettings.EmailAttribute is not found, the user is assumed to be deleted from the LDAP server, and deactivated from Mattermost by setting the Users.DeleteAt field to a valid timestamp.

Override SAML Data with AD/LDAP Data

Alternatively, you can choose to override SAML bind data with AD/LDAP information. For more infomation on binding a user with the SAML ID Attribute, please refer to this documentation.

This process overrides SAML email address with AD/LDAP email address data or SAML Id Attribute with AD/LDAP Id Attribute if configured. We recommend using this configuration with the SAML ID Attribute to help ensure new users are not created when the email address changes for a user.

To ensure existing user accounts do not get disabled in this process, ensure the SAML IDs match the LDAP IDs by exporting data from both systems and comparing the ID data. Mapping ID Attributes for both AD/LDAP and SAML within Mattermost to fields that hold the same data will ensure the IDs match as well.

  1. Set the SAML Id Attribute on System Console > SAML > Id Attribute.
  2. Set System Console > SAML > Override SAML bind data with AD/LDAP information to true.
  3. Set System Console > SAML > Enable Synchronizing SAML Accounts With AD/LDAP to true.
  4. Run AD/LDAP sync in System Console > AD/LDAP > AD/LDAP Synchronize Now.

Troubleshooting

The following are troubleshooting suggestions on common error messages and issues.

  1. System Administrator locks themselves out of the system
If the System Administrator is locked out of the system during SAML configuration process, they can set an existing account to System Administrator using a command line tool.
  1. Received error message: An account with that username already exists. Please contact your Administrator.

This usually means an existing account has another authentication method enabled. If so, the user should sign in using that method (such as email and password), then change their sign-in method to SAML via Account Settings > Security > Sign-in method.

This error message can also be received if the Username Attribute of their SAML credentials doesn’t match the username of their Mattermost account. If so, the user can update the attribute at their identity provider (for instance, back to the old value if it had been previously updated).

  1. Received error message: An account with that email already exists. Please contact your Administrator.

This usually means an existing account has another authentication method enabled. If so, the user should sign in using that method (such as email and password), then change their sign-in method to SAML via Account Settings > Security > Sign-in method.

This error message can also be received if the Email Attribute of their SAML credentials doesn’t match the email address of their Mattermost account. If so, the user can update the attribute at their identity provider (for instance, back to the old value if it had been previously updated).

  1. Received error message: SAML login was unsuccessful because one of the attributes is incorrect. Please contact your System Administrator.
Confirm all attributes, including Email Attribute and Username Attribute, are correct in both the Identity Provider configuration and in System Console > SAML.
  1. Unable to switch to SAML authentication successfully

First, ensure you have installed the XML Security Library on your Mattermost instance and that it is available in your PATH.

Second, ensure you have completed each step of the SAML configuration.

If you are still having trouble with configuration, feel free to post in our Troubleshooting forum and we’ll be happy to help with issues during setup.