Mattermost Single Sign-On (SSO)


Mattermost is an open-source, self-hostable internal chat service for organisations and companies that brings all your team communication into one place, with file sharing, search and integrations. This guide walks you through configuring SSO login for Mattermost step by step, with Mattermost as the SAML Service Provider (SP) and miniOrange as the Identity Provider (IdP). Once configured successfully, you will be ready to securely SSO into Mattermost.

miniOrange provides a ready-to-use solution for Mattermost. This solution ensures secure single sign-on integration with Mattermost and seamless access for your users and enterprises within minutes. Users Single Sign-On (SSO) into Mattermost with one set of login credentials.

miniOrange and Mattermost Single Sign-On (SSO) integration supports the following features:


  • SP Initiated Single Sign-On (SSO)
  • IdP Initiated Single Sign-On (SSO)

Connect with External Source of Users


miniOrange provides user authentication from various external sources, which can be Directories (like ADFS, Microsoft Active Directory, OpenLDAP, AWS etc), Identity Providers (like Microsoft Entra ID, Okta, AWS), and many more. You can configure your existing directory/user store or add users in miniOrange.



Follow the Step-by-Step Guide given below for Mattermost Single Sign-On (SSO)

1. Configure Mattermost in miniOrange

  • Login into miniOrange Admin Console.
  • Go to Apps and click on Add Application button.

  • In Choose Application, select SAML/WS-FED from the application type dropdown.

  • Search for Mattermost in the list. If you don't find Mattermost in the list, search for custom and set up your application as a Custom SAML App.

  • To set up app integration for SSO, get the required values (e.g. SP Entity ID, ACS URL or SP Metadata File) from your Mattermost Admin Console. You can obtain the XML file by calling the Mattermost RESTful API endpoint at /api/v4/saml/metadata.
  • Now enter the following values under the Basic Settings in the respective fields in the given format or you can also upload the SP metadata file by clicking on Import SP Metadata.
  • SP Entity ID or Issuer: mattermost
    ACS URL: https://{your-mattermost-url}/login/sso/saml
    (where https://{your-mattermost-url} should typically match the Mattermost Site URL.)

  • Click Next, now in the Attribute Mapping configure the following attributes as shown in the image below.
  • Name ID: E-mail Address
    NameID format: urn:oasis:names:tc:SAML:2.0:nameid-format:emailaddress

  • Click Save.
  • Your application is saved successfully. Now click on the three dots menu button against your newly created application. Go to Metadata.

  • On the Metadata page -
    1. If you want to use miniOrange as User-Store i.e., your user identities will be stored in miniOrange then download the metadata file under the heading 'INFORMATION REQUIRED TO SET MINIORANGE AS IDP'.

    2. If you want to authenticate your users via any external Identity Provider like Active Directory, Okta, OneLogin, Google, Apple ID, etc then download the Metadata file under the heading 'INFORMATION REQUIRED TO AUTHENTICATE VIA EXTERNAL IDPS'.

  • Select Show Metadata Details, then click on Download Metadata.


2. Configure SAML 2.0 SSO in Mattermost

    In this step we are going to set up Mattermost as SAML 2.0 Service Provider (SP).

  • To enable single-sign-on (SSO) start the Mattermost server and sign into Mattermost as a System Admin.
  • Go to System Console > Authentication > SAML 2.0.
  • In the Identity Provider Metadata URL field, enter the Identity Provider Metadata URL from the metadata file you downloaded in Step 1.
  • Now select Get SAML Metadata from IdP.
  • This populates the SAML SSO URL and the Identity Provider Issuer URL fields automatically. The Identity Provider Public Certificate can also be downloaded from the server and set locally.
  • Alternatively you can enter the following fields manually. First set Enable Login With SAML 2.0 to true.
  • SAML SSO URL: Copy the SAML Login URL from the metadata file you downloaded in Step 1.
    Identity Provider Issuer URL: Copy the IdP Entity ID or Issuer from the metadata file you downloaded in Step 1.
    Identity Provider Public Certificate: Copy the X.509 Certificate from the metadata file you downloaded in Step 1.


    Configure Mattermost to verify the signature:
  • The Service Provider Login URL is the Single sign on URL you specified in miniOrange earlier.
  • Set Verify Signature to true.

  • Enable encryption based on the parameters provided earlier.

  • Configure Mattermost to sign SAML requests using the Service Provider Private Key.
  • Set attributes for the SAML Assertions used to update user information in Mattermost:
  • Attributes for Email, Username, and Id are required and should match the values you entered in miniOrange earlier. See the documentation on SAML configuration settings for more detail. For Mattermost servers running 3.3 and earlier, the first name and last name attributes are also required fields.

  • Click Save.

3. Test SSO Configuration

Test SSO login to your Mattermost account with miniOrange IdP:

    Using SP Initiated Login

    • Go to your Mattermost URL. You will either be asked to enter your username or be shown an SSO link to click, which redirects you to the miniOrange IdP Sign On Page.

    • Enter your miniOrange login credentials and click on Login. You will be automatically logged in to your Mattermost account.

    Using IDP Initiated Login

    • Login to miniOrange IdP using your credentials.

    • On the Dashboard, click on the Mattermost application you added to verify the SSO configuration.


    Not able to configure or test SSO?


    Contact us or email us at idpsupport@xecurify.com and we'll help you set it up in no time.



In this guide, you have successfully configured Single Sign-On (SSO) for the Mattermost application by integrating Mattermost as the SAML Service Provider and miniOrange as the IdP.


