Please note: we have released a new version for Mattermost 3.0.2.
A few weeks ago we had a request to get Mattermost 2.1 working with ADFS so we could use SSO. Unfortunately for us, no one had coded a version that could work with ADFS, so we took on the challenge. After two weeks and lots of trial and error we had designed a secure version (Mattermost 2.1.1) that works with ADFS. This version is based on the March 16, 2016 stable release v2.1.0 of Mattermost.
The advantages of using ADFS over other methods:
- True SSO
- Much more secure than LDAP or GitLab with LDAP
- Proven for Enterprise
We have also made sure that the following features are available:
- Other domains and forests can also use Mattermost if they are invited and trusts exist
- Authentication is based on the AD SID, so if a user is deleted or leaves the company, a new user with the same domain username will get a new account with a different username. This is very important as it ensures that users are unique, and that even if you have two users with the same username in different domains they will each get their own unique username and not affect one another.
Here is the guide on where to get it and how to configure it:
You will first need to download/compile and install the new version which can be found below:
You can download the compiled version from http://www.gi-architects.co.uk/wp-content/uploads/2016/04/mattermost.tar.gz or from https://github.com/lubenk/platform/releases
You can get the code from: https://github.com/lubenk/platform/tree/ADFS-2.1.1
Now that you have a working copy it's time to configure ADFS 3.0 for OAuth 2.0. Please use the instructions at http://www.gi-architects.co.uk/2016/04/setup-oauth2-on-adfs-3-0/
with the following additional notes:
ClientID: just generate one at https://www.guidgenerator.com/online-guid-generator.aspx (please make sure this GUID is either more than or less than 26 characters long).
Redirect URI: https://mattermost.local/signup/adfs/complete (where mattermost.local is the DNS address of your Mattermost app)
Relying party identifier: you can just use the DNS address of your Mattermost app
Set up the claims as follows; please make sure the claims are exact, the rule names can be anything:
Once you have set up ADFS you need to configure Mattermost. You can either do this via config.json or via the admin interface, as shown below:
Please make sure you copy the public key of the ADFS root CA of your Service Communications Certificate in PEM format (the format that has -----BEGIN CERTIFICATE----- in it) into /usr/local/share/ca-certificates, name it with a .crt file extension, then run "sudo update-ca-certificates".
You also need the public key of the signing certificate in PEM format somewhere on the server; you will need to reference its path in the settings.
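As an added example (not part of the original post or of the lubenk/platform fork), here is a small pre-flight script that checks the values and files the steps above depend on before you touch the Mattermost settings: the client ID length rule, the redirect URI shape, that the exported ADFS root CA really is PEM (a DER .cer exported from Windows will not be picked up by update-ca-certificates), and, after installing it, that the host now trusts the ADFS TLS chain. It assumes a Debian/Ubuntu-style host with update-ca-certificates and openssl installed; the destination file name adfs-root-ca.crt is our own choice.

```shell
#!/bin/sh
# Pre-flight checks for the ADFS / Mattermost 2.1.1 setup described in the post.
# Added example, not the post's or the fork's own code.

# The post asks for a GUID that is not exactly 26 characters long, so accept
# any other length. Returns 0 if acceptable, 1 otherwise.
check_client_id() {
    [ "${#1}" -ne 26 ]
}

# The redirect URI must be HTTPS and end in /signup/adfs/complete.
check_redirect_uri() {
    case "$1" in
        https://*/signup/adfs/complete) return 0 ;;
        *) return 1 ;;
    esac
}

# True (0) if the file is a PEM certificate, i.e. carries the BEGIN CERTIFICATE
# header. A DER-encoded export from the Windows certificate wizard fails this
# check and must be converted first (for example with openssl x509 -inform DER).
is_pem_cert() {
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Copies the ADFS root CA into the system trust store with a .crt extension and
# rebuilds the bundle. Needs root. Strips Windows CR line endings on the way.
install_adfs_root_ca() {
    src="$1"
    dest=/usr/local/share/ca-certificates/adfs-root-ca.crt   # our own file name
    is_pem_cert "$src" || { echo "not a PEM certificate: $src" >&2; return 1; }
    tr -d '\r' < "$src" > "$dest" || return 1
    update-ca-certificates
}

# After installing the CA, confirm the host verifies the ADFS server's
# Service Communications certificate chain (needs network access to ADFS).
verify_adfs_tls() {
    host="$1"
    openssl s_client -connect "$host:443" -servername "$host" </dev/null 2>/dev/null \
        | grep -q 'Verify return code: 0 (ok)'
}

# Usage: sh preflight.sh --install <client-id> <redirect-uri> <root-ca.pem> <adfs-host>
if [ "${1:-}" = "--install" ]; then
    check_client_id "$2"      || { echo "client ID must not be 26 characters long" >&2; exit 1; }
    check_redirect_uri "$3"   || { echo "redirect URI must be https://<host>/signup/adfs/complete" >&2; exit 1; }
    install_adfs_root_ca "$4" || exit 1
    verify_adfs_tls "$5"      && echo "ADFS TLS chain verified via $5" || echo "ADFS TLS chain NOT trusted yet" >&2
fi
```

Run it with --install as root once the certificate has been exported; without arguments it only defines the functions, so it can be sourced from other setup scripts.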
And that is it: you should now have a working version with ADFS.