SAML Single-Sign-On (E20)

Mattermost can be configured to act as a SAML 2.0 Service Provider. The SAML Single-Sign-On integration offers the following benefits:

  • Single-sign-on. Users can sign-in to Mattermost with their SAML credentials.
  • Centralized identity management. Mattermost accounts automatically pull user attributes from SAML upon login, such as full name, email and username.
  • Automatic account provisioning. New Mattermost user accounts are automatically created the first time a user signs in with their SAML credentials on the Mattermost server.
  • Sync groups to predefined roles in Mattermost. Assign team and channel roles to groups via LDAP Group Sync.
  • Compliance alignment with administrator management. Manage Administrator access to Mattermost in the System Console using SAML attributes.

SAML Single-Sign-On itself does not support periodic updates of user attributes nor automatic deprovisioning. However, SAML with AD/LDAP sync can be configured to support these use cases.

For more information about SAML, see this article from Varonis, and this conceptual example from DUO.

Mattermost officially supports Okta, OneLogin and Microsoft ADFS as identity providers (IdPs). See the links below for details on how to configure SAML with these providers.

In addition to the officially supported identity providers, you can also configure SAML for a custom IdP. For instance, customers have successfully set up Azure AD, DUO, PingFederate and SimpleSAMLphp as custom IdPs. You can also set up MFA on top of your SAML provider for additional security.

Using SAML Attributes to Apply Roles

You can use attributes to assign roles to specified users on login. To access the SAML attribute settings navigate to System Console > SAML 2.0.

Username Attribute

(Optional) Enter a SAML assertion filter to use when searching for users.

  1. Navigate to System Console > Authentication > SAML.
  2. Complete the Username Attribute field.
  3. Choose Save.

When the user accesses the Mattermost URL, they log in with the same username and password that they use for organizational logins.

Guest Attribute

When enabled, the Guest Attribute in Mattermost identifies external users whose SAML assertion marks them as a guest and who are invited to join your Mattermost server. These users have the Guest role applied immediately upon first sign-in instead of the default member role, so there is no need to assign the role manually in the System Console.

If a Mattermost Guest user has the guest role removed in the SAML system, the synchronization processes will not automatically promote them to a member user role. This is done manually via System Console > User Management. If a member user has the Guest Attribute added, the synchronization processes will automatically demote the member user to the guest role.

  1. Enable Guest Access via System Console > SAML 2.0.
  2. Navigate to System Console > Authentication > SAML 2.0.
  3. Complete the Guest Attribute field.
  4. Choose Save.

When a guest logs in for the first time they are presented with a default landing page until they are added to channels.

See the Guest Accounts documentation for more information about this feature.

Admin Attribute

(Optional) The attribute in the SAML Assertion for designating System Admins. The users selected by the query will have access to your Mattermost server as System Admins. By default, System Admins have complete access to the Mattermost System Console.

Existing members identified by this attribute are promoted from member to System Admin upon their next login. Because the next login depends on the session lengths set in System Console > Session Lengths, role changes driven by the attribute are not immediate; to ensure access is restricted immediately, demote users manually to members in System Console > User Management.

  1. Navigate to System Console > Authentication > SAML 2.0.
  2. Set Enable Admin Attribute to true.
  3. Complete the Admin Attribute field.
  4. Choose Save.

Note: If Enable Admin Attribute is set to false, a member's existing System Admin role is retained. However, if the attribute is removed or changed, System Admins that were promoted via the attribute are demoted to members and lose access to the System Console. When this attribute is not in use, System Admins can be manually promoted or demoted in System Console > User Management.
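The Guest Attribute and Admin Attribute rules above, worked through as an added Go example (not Mattermost's own code): it reads the attribute statement of a constructed assertion and applies the documented promotion and demotion rules at login. The `name=value` filter form, the role names and the `adminViaAttr` flag are assumptions; signature and audience verification are assumed to happen before this step.

```go
package main

import (
	"encoding/xml"
	"strings"
)

// GuestAssertion is a constructed sample, not real IdP output; signature and audience checks are assumed done upstream.
const GuestAssertion = `<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:AttributeStatement><saml:Attribute Name="isGuest"><saml:AttributeValue>true</saml:AttributeValue></saml:Attribute></saml:AttributeStatement></saml:Assertion>`
type attrStatement struct { // only the AttributeStatement is modelled
	Attributes []struct {
		Name   string   `xml:"Name,attr"`
		Values []string `xml:"AttributeValue"`
	} `xml:"AttributeStatement>Attribute"`
}
// RoleSettings mirrors the Guest/Admin Attribute settings; the "name=value" filter form is an assumption.
type RoleSettings struct {
	GuestAttribute, AdminAttribute string
	EnableAdminAttribute           bool
}
// matches reports whether the assertion carries the attribute named in filter with exactly that value.
func matches(a attrStatement, filter string) bool {
	name, want, _ := strings.Cut(filter, "=")
	for _, at := range a.Attributes {
		for _, v := range at.Values {
			if at.Name == name && strings.TrimSpace(v) == want {
				return true
			}
		}
	}
	return false
}
// RoleAfterLogin applies the documented rules; adminViaAttr marks an admin role granted by the attribute (assumed flag).
func RoleAfterLogin(role string, adminViaAttr bool, raw string, s RoleSettings) (string, error) {
	var a attrStatement
	if err := xml.Unmarshal([]byte(raw), &a); err != nil {
		return role, err // unparseable assertion: leave the role untouched and report
	}
	switch {
	case s.GuestAttribute != "" && matches(a, s.GuestAttribute):
		return "guest", nil // members are demoted to guest; guests stay guests
	case role == "guest", !s.EnableAdminAttribute:
		return role, nil // guests are never auto-promoted; a disabled attribute keeps existing admins
	case matches(a, s.AdminAttribute):
		return "system_admin", nil // promoted on this login
	case role == "system_admin" && adminViaAttr:
		return "member", nil // attribute removed or changed: only attribute-promoted admins are demoted
	}
	return role, nil
}
```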

Roadmap

In Mattermost v5.14, you can optionally configure Mattermost to sign the SAML request using a private key to meet InfoSec requirements at your organization.

On the future roadmap, the main consideration is an integration with SCIM via a plugin. Such an integration would allow system administrators to create SAML-provisioned users before their first login and sync them against Mattermost permissions.

Currently, user provisioning and deprovisioning can be handled with SAML sync, but this relies on AD/LDAP. SCIM enables admins to control user provisioning and deprovisioning within the IdP itself.

For examples, see Microsoft Azure AD integration with SCIM and Okta user provisioning with SCIM.

Configuration Assistance

We are open to providing assistance when configuring your custom IdP by answering Mattermost technical configuration questions and working with your IdP provider in support of resolving issues as they relate to Mattermost SAML configuration settings. However, we cannot guarantee your connection will work with Mattermost.

For technical documentation on SAML, see SAML Single-Sign-On (E20): Technical Documentation.

To assist with the process of getting a user file for your custom IdP, please see this documentation.

Please see more information on getting support here, and submit requests for official support of a particular provider on our feature idea forum.

Please note that we may not be able to guarantee that your connection will work with Mattermost; however, we will consider improvements to this feature as we are able.