OpenID Connect Single Sign-On
Available on Enterprise and Professional plans
Available in legacy Mattermost Enterprise Edition E20
Mattermost provides OpenID Connect support for GitLab, Google Apps, and Office 365. With OpenID Connect, users can also use their login to Keycloak, Atlassian Crowd, Apple, Microsoft, Salesforce, Auth0, Ory.sh, Facebook, Okta, OneLogin, and Azure AD, as well as others, as a Single Sign-on (SSO) service for team creation, account creation, and user login.
Follow these steps to configure a service provider using OpenID Connect.
Step 1: Create an OpenID Connect Application
Follow service provider documentation for creating an OpenID Connect application. Most OpenID Connect service providers require authorization of all redirect URIs.
In the appropriate field, enter
Copy and paste values for the Discovery Endpoint, Client ID, and Client Secret values to a temporary location. You will enter these values when you configure Mattermost.
Step 2: Configure Mattermost for an OpenID Connect SSO
Log in to Mattermost, then go to System Console > Authentication > OpenID Connect.
Select OpenID Connect (Other) as the service provider.
Enter the Discovery Endpoint.
Enter the Client ID.
Enter the Client Secret.
Specify a Button Name and Button Color for the OpenID Connect option on the Mattermost login page.
Restart your Mattermost server to see the changes take effect.
When Mattermost is configured to use OpenID Connect for user authentication, the following user attribute changes can’t be made through the Mattermost API: first name, last name, or username. OpenID Connect must be the authoritative source for these user attributes.
Frequently Asked Questions
How can I use LDAP attributes or Groups with OpenID?
At this time, LDAP data isn’t compatible with OpenID. If you currently rely on LDAP to manage your users’ teams, channels, groups, or attributes, you won’t be able to do this automatically with users who have logged in with OpenID. If you need LDAP synced to each user, we suggest using SAML or LDAP as the login provider. Some OpenID providers can use SAML instead, like Keycloak.