SAML Single Sign-On

Available on Enterprise and Professional plans

Cloud and self-hosted deployments

Also available in legacy Mattermost Enterprise Edition E20

Single sign-on (SSO) is a way for users to log into multiple applications with a single user ID and password without having to re-enter their credentials. The SAML standard allows identity providers to pass credentials to service providers.

Mattermost can be configured to act as a SAML 2.0 Service Provider. The SAML single sign-on integration offers the following benefits:

  • Single sign-on. Users can log in to Mattermost with their SAML credentials.

  • Centralized identity management. Mattermost accounts automatically pull user attributes from SAML upon login, such as full name, email, and username.

  • Automatic account provisioning. Mattermost user accounts are automatically created the first time a user signs in with their SAML credentials on the Mattermost server.

  • Sync groups to predefined roles in Mattermost. Assign team and channel roles to groups via LDAP Group Sync.

  • Compliance alignment with administrator management. Manage Administrator access to Mattermost in the System Console using SAML attributes.

Warning

SAML Single sign-on itself does not support periodic updates of user attributes nor automatic deprovisioning. However, SAML with AD/LDAP sync can be configured to support these use cases.

For more information about SAML, see this article from Varonis, and this conceptual example from DUO.

Mattermost officially supports Okta, OneLogin, and Microsoft ADFS as identity providers (IdPs). See the links below for more details on how to configure SAML with these providers.

In addition to the officially supported identity providers, you can also configure SAML for a custom IdP. For instance, customers have successfully set up miniOrange, Azure AD, DUO, PingFederate, Keycloak, and SimpleSAMLphp as custom IdPs. Because we do not test against these identity providers, it is important that you test new versions of Mattermost in a staging environment to confirm they work with your identity provider. You can also set up MFA on top of your SAML provider for additional security.

Note

If configuring Mattermost to use the EU-Login system for authentication, please be aware that their issuerURI field is what Mattermost calls “Service Provider Identifier”.

Using SAML attributes to apply roles

You can use attributes to assign roles to specified users on login. To access the SAML attribute settings navigate to System Console > SAML 2.0.

Username attribute

(Optional) Enter a SAML assertion filter to use when searching for users.

  1. Navigate to System Console > Authentication > SAML 2.0 (or System Console > SAML in versions prior to 5.12).

  2. Complete the Username Attribute field.

  3. Choose Save.

When the user accesses the Mattermost URL, they log in with the same username and password that they use for organizational logins.

Guest attribute

When enabled, the guest attribute in Mattermost identifies external users whose SAML assertion carries the guest attribute and who are invited to join your Mattermost server. These users have the guest role applied immediately upon first login instead of the default member role. This eliminates having to manually assign the role in the System Console.

If a Mattermost guest user has the guest role removed in the SAML system, the synchronization processes will not automatically promote them to a member user role. This is done manually via System Console > User Management. If a member user has the guest attribute added, the synchronization processes will automatically demote the member user to the guest role.

  1. Enable Guest Access via System Console > SAML 2.0.

  2. Navigate to System Console > Authentication > SAML 2.0.

  3. Complete the Guest Attribute field.

  4. Choose Save.

When a guest logs in for the first time they are presented with a default landing page until they are added to channels.

See the Guest accounts documentation for more information about this feature.

Admin attribute

(Optional) The attribute in the SAML Assertion for designating system admins. The users selected by the query will have access to your Mattermost server as system admins. By default, system admins have complete access to the Mattermost System Console.

Existing members that are identified by this attribute will be promoted from member to system admin upon next login. The next login is based upon Session lengths set in System Console > Session Lengths. It is recommended that users are manually demoted to members in System Console > User Management to ensure access is restricted immediately.

  1. Navigate to System Console > Authentication > SAML 2.0.

  2. Set Enable Admin Attribute to true.

  3. Complete the Admin Attribute field.

  4. Choose Save.

Note

If the admin attribute is set to false, the member's role as system admin is retained. However, if the attribute is removed or changed, system admins that were promoted via the attribute will be demoted to members and will not retain access to the System Console. When this attribute is not in use, system admins can be manually promoted or demoted in System Console > User Management.
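The username, guest and admin attribute rules above can be hard to reason about in the abstract, in particular the asymmetries (a guest who loses the guest attribute is not promoted; only attribute-promoted admins are demoted; disabling the admin attribute retains roles). The following is an added worked example, not Mattermost's own code, that parses the AttributeStatement of a constructed SAML assertion and applies the rules exactly as the documentation states them. It assumes the Guest Attribute and Admin Attribute settings take the form `attribute=value` (for instance `isGuest=true`), that the assertion has already passed signature and issuer validation upstream, and that a user holding the guest role is not evaluated against the admin attribute; the attribute names, the `SETTINGS` dictionary and the user records are constructed for illustration.

```python
"""Role resolution from SAML attributes (added illustration, not Mattermost code).

Assumptions: Guest/Admin attribute settings use the form ``attribute=value``;
the assertion was signature-verified upstream; guests are never evaluated
against the admin attribute.
"""
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed, unsigned sample assertion (illustrative only).
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_constructed-example" Version="2.0">
  <saml:Subject><saml:NameID>jdoe@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="uid"><saml:AttributeValue>jdoe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="mail"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="isGuest"><saml:AttributeValue>true</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

# Constructed settings mirroring the System Console fields (filter syntax assumed).
SETTINGS = {
    "UsernameAttribute": "uid",
    "GuestAttribute": "isGuest=true",
    "EnableAdminAttribute": True,
    "AdminAttribute": "role=sysadmin",
}


def parse_attributes(assertion_xml):
    """Return {attribute name: [values]} from the assertion's AttributeStatement.

    A hardened XML parser and signature verification belong in front of this
    function in a real deployment; ET is adequate for the constructed input here.
    """
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", SAML_NS)]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs


def matches_filter(attrs, filter_expr):
    """Evaluate an ``attribute=value`` filter (assumed syntax) against parsed attributes."""
    if not filter_expr:
        return False  # attribute not configured: never matches
    name, sep, expected = filter_expr.partition("=")
    if not sep:
        raise ValueError("filter must be of the form attribute=value")
    return expected.strip() in attrs.get(name.strip(), [])


def username_from(attrs, settings):
    """The Mattermost username is taken from the configured Username Attribute."""
    values = attrs.get(settings["UsernameAttribute"], [])
    return values[0] if values else None


def resolve_role(user, attrs, settings):
    """Return (role, promoted_via_attribute) for this login.

    ``user`` is None on first login (automatic provisioning); otherwise a dict
    with "role" and "admin_via_attribute" taken from the existing account.
    """
    guest_match = matches_filter(attrs, settings.get("GuestAttribute", ""))
    if user is None:
        # First login: the guest attribute decides the initial role.
        return ("guest" if guest_match else "member", False)

    role = user["role"]
    if role == "guest":
        # Losing the guest attribute never auto-promotes; an admin must do it
        # in System Console > User Management.
        return ("guest", False)
    if guest_match:
        # A member gaining the guest attribute is demoted on login.
        return ("guest", False)

    if not settings.get("EnableAdminAttribute", False):
        # Admin attribute disabled: the current role is retained unchanged.
        return (role, user.get("admin_via_attribute", False))

    if matches_filter(attrs, settings.get("AdminAttribute", "")):
        return ("system_admin", True)
    if role == "system_admin" and user.get("admin_via_attribute"):
        # Attribute removed or changed: only attribute-promoted admins are demoted.
        return ("member", False)
    return (role, False)  # manually promoted admins and plain members untouched


def demo():
    """Walk the documented scenarios and return the outcomes for inspection."""
    attrs = parse_attributes(SAMPLE_ASSERTION)
    admin_attrs = {"uid": ["asmith"], "role": ["sysadmin"]}
    plain_attrs = {"uid": ["asmith"]}
    member = {"role": "member", "admin_via_attribute": False}
    saml_admin = {"role": "system_admin", "admin_via_attribute": True}
    manual_admin = {"role": "system_admin", "admin_via_attribute": False}
    return {
        "username": username_from(attrs, SETTINGS),
        "first_login_guest": resolve_role(None, attrs, SETTINGS),
        "member_demoted_to_guest": resolve_role(member, attrs, SETTINGS),
        "member_promoted": resolve_role(member, admin_attrs, SETTINGS),
        "saml_admin_demoted": resolve_role(saml_admin, plain_attrs, SETTINGS),
        "manual_admin_kept": resolve_role(manual_admin, plain_attrs, SETTINGS),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Running the script prints one line per scenario. The `admin_via_attribute` flag is the important design detail: without recording whether an admin was promoted by the attribute, an implementation cannot tell a manually promoted admin (retained when the attribute disappears) from an attribute-promoted one (demoted), which is the distinction the note above draws.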

Configuration assistance

We are open to providing assistance when configuring your custom IdP by answering Mattermost technical configuration questions and working with your IdP provider in support of resolving issues as they relate to Mattermost SAML configuration settings. However, we cannot guarantee your connection will work with Mattermost.

For technical documentation on SAML, see SAML Single Sign-On: technical documentation.

To assist with the process of getting a user file for your custom IdP, see this documentation.

Please note that we may not be able to guarantee that your connection will work with Mattermost; however, we will consider improvements to our feature as we are able. You can see more information on getting support here and submit requests for official support of a particular provider on our feature idea portal.