Enable ADFS OAUTH2 for Mattermost 2.1

Please note: we have since released a newer version for Mattermost 3.0.2, see:

Enable ADFS OAUTH2 for Mattermost 3.0

A few weeks ago we were asked to get Mattermost 2.1 working with ADFS so that we could use single sign-on. Nobody had written a version that works with ADFS, so we took on the challenge. After two weeks and a lot of trial and error we had a working version (Mattermost 2.1.1) that authenticates against ADFS. It is based on the 16 March 2016 stable release v2.1.0 of Mattermost.

The advantages of ADFS over the other authentication options:

  • True SSO: a user who is already logged on to the domain signs in with that existing session.
  • The user's AD password is never handed to Mattermost. With LDAP (directly, or through GitLab with LDAP) the application receives the password and binds to the directory with it; with ADFS the password only ever goes to ADFS itself.
  • Proven in enterprise deployments.

We have also made sure of the following:

  • Users from other domains and forests can use Mattermost too, if they are invited and the necessary trusts exist.
  • Accounts are keyed on the AD SID, not the username. If a user is deleted or leaves the company and a new user is later created with the same domain username, the new user gets a new Mattermost account (with a different Mattermost username) rather than inheriting the old one. This is important because it ensures users are unique: two users with the same username in different domains each get their own account and neither affects the other.

Here is the guide on where to get it and how to configure it:


You will first need to download/compile and install the new version which can be found below:

You can download the compiled version from http://www.gi-architects.co.uk/wp-content/uploads/2016/04/mattermost.tar.gz or from https://github.com/lubenk/platform/releases

You can get the code from: https://github.com/lubenk/platform/tree/ADFS-2.1.1

Now that you have a working copy it is time to configure ADFS 3.0 for OAuth 2.0. Follow the instructions at http://www.gi-architects.co.uk/2016/04/setup-oauth2-on-adfs-3-0/

with the following additional notes:

Client ID: generate a GUID at https://www.guidgenerator.com/online-guid-generator.aspx (make sure it is not exactly 26 characters long; a standard 36-character GUID is fine).
Redirect URI: https://mattermost.local/signup/adfs/complete (where mattermost.local is the DNS name of your Mattermost server). It has to match exactly, scheme and path included, or ADFS will reject the authorisation request.
Relying party identifier: the DNS name of your Mattermost server is sufficient.

Set up the following claim rules. The claim types must be exactly as shown; the rule names can be anything:

(Screenshots adfsm7, adfsm5, adfsm8 and adfsm6: the four claim rules.)

Once ADFS is set up you need to configure Mattermost, either in config.json or through the admin interface as shown below:

(Screenshot adfsm4: the ADFS settings in the Mattermost admin interface.)

Make sure you copy the certificate of the root CA that issued your ADFS Service Communications certificate, in PEM format (the format that contains -----BEGIN CERTIFICATE-----), into /usr/local/share/ca-certificates with a .crt file extension, then run "sudo update-ca-certificates". This adds the CA to the system trust store so that Mattermost's TLS connection to the ADFS endpoints is trusted; without it the exchange of the authorisation code for a token fails with a certificate error. (The path and command are the Debian/Ubuntu ones; other distributions keep the store elsewhere.)

You also need the ADFS token-signing certificate in PEM format somewhere on the server; its path is referenced in the settings. This is the key Mattermost uses to verify the signature on the tokens ADFS issues, so update the file when the ADFS signing certificate rolls over.
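The two certificates do different jobs: the root CA makes the TLS connection to ADFS trusted, while the token-signing certificate is what Mattermost checks the token's signature against before it believes any claim in it. The Go example below is added here and is not code from the Mattermost fork. It generates a throwaway self-signed certificate in place of the one exported from ADFS, signs a token the way the ADFS token endpoint would, verifies it against the PEM, and then derives the account key from the SID claim as described earlier, rejecting a forged payload, an alg:none header and a token that carries no SID. The claim type, the sample UPN and the SID value are assumptions, not values taken from the post.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"encoding/pem"
	"errors"
	"math/big"
	"strings"
	"time"
)

// Assumed claim type (ADFS's standard primary-SID claim); the post shows its claim rules only as screenshots.
const sidClaim = "http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid"

// newSigningCert makes a throwaway RSA key and self-signed certificate (PEM). It stands
// in for the token-signing certificate exported from ADFS; no ADFS server is involved.
func newSigningCert() (*rsa.PrivateKey, []byte, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil {
		return nil, nil, err
	}
	return priv, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// signToken is the ADFS-side test double: a compact RS256 JWT over claims (errors ignored).
func signToken(priv *rsa.PrivateKey, claims map[string]interface{}) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	body, _ := json.Marshal(claims)
	input := base64.RawURLEncoding.EncodeToString(hdr) + "." + base64.RawURLEncoding.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return input + "." + base64.RawURLEncoding.EncodeToString(sig)
}

// publicKeyFromPEM reads the exported signing certificate and returns its RSA public key.
func publicKeyFromPEM(certPEM []byte) (*rsa.PublicKey, error) {
	block, _ := pem.Decode(certPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, errors.New("not a PEM CERTIFICATE block")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return nil, err
	}
	if pub, ok := cert.PublicKey.(*rsa.PublicKey); ok {
		return pub, nil
	}
	return nil, errors.New("signing certificate does not carry an RSA key")
}

// verifyToken accepts RS256 only and checks the signature with the signing certificate's key before any claim is decoded.
func verifyToken(pub *rsa.PublicKey, token string) (map[string]interface{}, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	hb, err1 := base64.RawURLEncoding.DecodeString(parts[0])
	pb, err2 := base64.RawURLEncoding.DecodeString(parts[1])
	sig, err3 := base64.RawURLEncoding.DecodeString(parts[2])
	if err1 != nil || err2 != nil || err3 != nil {
		return nil, errors.New("token parts are not base64url")
	}
	var hdr struct{ Alg string }
	if json.Unmarshal(hb, &hdr) != nil || hdr.Alg != "RS256" {
		return nil, errors.New("header unreadable or alg is not RS256")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, errors.New("signature check failed")
	}
	claims := map[string]interface{}{}
	err := json.Unmarshal(pb, &claims)
	return claims, err
}

// authIDFromClaims picks the account key: the domain SID, never the username, so a user
// re-created with the same sAMAccountName (and hence a new SID) gets a new Mattermost account.
func authIDFromClaims(claims map[string]interface{}) (string, error) {
	sid, ok := claims[sidClaim].(string)
	if !ok || !strings.HasPrefix(sid, "S-1-5-21-") {
		return "", errors.New("token carries no domain-account SID claim")
	}
	return sid, nil
}
```

The point to take from this is the order of operations: the signature is checked against the signing certificate before anything in the payload is read, and the value stored against the account is the SID, not the UPN or username. That ordering is what keeps a re-created user or a same-named user in another domain from landing in someone else's account.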

That is it; you should now have a working Mattermost with ADFS sign-on.

4 thoughts on “Enable ADFS OAUTH2 for Mattermost 2.1”

  1. Hi guys,

    Thanks for your code contribution of ADFS OAuth authentication for Mattermost. Hopefully this does get included in the main branch in future releases!

    Good work!
    R.

    1. Hello Richard,

      I am glad you find the code useful. I will include screenshots tomorrow, a guide on how to configure it and a tutorial of what changes I made.

      I did notify the team at Mattermost, but at this stage it will be too hard for them to test it if it's integrated, so it's not looking good for the team edition.

    1. Unfortunately Bernd, they have decided to include SSO in their commercial version and not the team edition. I will do my best to update it to the newer version when I have time so the community can still benefit from it.
