website/integrations/chat-communication-collaboration/mattermost-team-edition/index.mdx
import TabItem from "@theme/TabItem";
import Tabs from "@theme/Tabs";
Mattermost is an open source, real-time collaboration platform. It provides chat, audio/video calling, screen sharing, and a plugin architecture for extending its capabilities. Mattermost Team Edition is the free, open-source version of the product.
The following placeholders are used in this guide:
- `mattermost.company` is the FQDN of the Mattermost installation.
- `authentik.company` is the FQDN of the authentik installation.

:::info
This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.
:::
You can configure Mattermost to use either OIDC or SAML, and this guide explains both options.
<Tabs defaultValue="oidc" values={[ { label: "Log in with OIDC", value: "oidc" }, { label: "Log in with SAML", value: "saml" }, ]}> <TabItem value="oidc">
:::info Mattermost OIDC support
Mattermost Team Edition does not natively support generic single sign-on. However, you can manually configure Mattermost to use its GitLab integration for authentication via authentik's OAuth2/OpenID Provider. This requires editing the config.json file directly, as the necessary settings are not available through the web interface. If you are using a hosted version of Mattermost without filesystem access, you will not be able to complete this setup.
Once configured, Mattermost will display a login button with the GitLab icon, but authentication will be handled entirely by authentik. GitLab itself is not required or used in any way.
:::
To support the integration of Mattermost Team Edition with authentik, you need to create property mappings and an application/provider pair in authentik.
- `mattermost-username`
- `username`
- Maps the user's authentik username to the username field for Mattermost authentication.

```python
return {
    "username": request.user.username,
}
```
:::info
The following `id` property mapping is optional. If omitted, Mattermost will generate user IDs based on email addresses, resulting in names such as `person-example.com` for `person@example.com`. Since these IDs serve as nicknames, this format may be undesirable.
:::
- `mattermost-id`
- `id`
- Maps the user's Mattermost ID or primary key to the id field for Mattermost authentication.

```python
return {
    "id": request.user.attributes.get("mattermostId", request.user.pk),
}
```
Log in to authentik as an administrator and open the authentik Admin interface.
Navigate to Applications > Applications and click Create with Provider to create an application and provider pair. (Alternatively you can first create a provider separately, then create the application and connect it with the provider.)
Strict redirect URI to `https://mattermost.company/signup/gitlab/complete`.
Click Submit to save the new application and provider.
To support the integration of Mattermost Team Edition with authentik, you'll need to update the config.json file of your Mattermost deployment:
`GitLabSettings` section to look like the following:

```json
"GitLabSettings": {
    "Enable": true,
    "Secret": "<client_secret>",
    "Id": "<client_id>",
    "Scope": "",
    "AuthEndpoint": "https://authentik.company/application/o/authorize/",
    "TokenEndpoint": "https://authentik.company/application/o/token/",
    "UserAPIEndpoint": "https://authentik.company/application/o/userinfo/",
    "DiscoveryEndpoint": "https://authentik.company/application/o/<application_slug>/.well-known/openid-configuration",
    "ButtonText": "Log in with authentik",
    "ButtonColor": "#000000"
},
```
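An added check, not part of the authentik or Mattermost documentation: this Python sketch validates a `GitLabSettings` block against the endpoint layout shown above before Mattermost is restarted, so a leftover placeholder or a plain-http endpoint is caught early. The function name `check_gitlab_settings`, the sample values, and the rules it enforces (https only, host match, no unreplaced `<...>` placeholders) are assumptions of this example.

```python
import json
import re
from urllib.parse import urlsplit

# Example code: endpoint paths copied from this guide; the rules are assumptions.
EXPECTED_PATHS = {
    "AuthEndpoint": "/application/o/authorize/",
    "TokenEndpoint": "/application/o/token/",
    "UserAPIEndpoint": "/application/o/userinfo/",
}
DISCOVERY_RE = re.compile(r"^/application/o/([^/<>]+)/\.well-known/openid-configuration$")


def check_gitlab_settings(config, authentik_host):
    """Return a list of problems found in config["GitLabSettings"] (empty = OK)."""
    s = config.get("GitLabSettings", {})
    problems = []
    if s.get("Enable") is not True:
        problems.append("Enable is not true")
    for key in ("Id", "Secret"):
        value = s.get(key, "")
        if not value or value.startswith("<"):
            problems.append(f"{key} is empty or still a placeholder")
    for key in (*EXPECTED_PATHS, "DiscoveryEndpoint"):
        url = urlsplit(s.get(key, ""))
        if url.scheme != "https" or url.hostname != authentik_host:
            problems.append(f"{key} must be an https URL on {authentik_host}")
        elif key == "DiscoveryEndpoint":
            if not DISCOVERY_RE.match(url.path):
                problems.append("DiscoveryEndpoint lacks a real application slug")
        elif url.path != EXPECTED_PATHS[key]:
            problems.append(f"{key} path should be {EXPECTED_PATHS[key]}")
    return problems


# Constructed sample: plain-http token endpoint and an unreplaced slug placeholder.
SAMPLE = json.loads("""
{"GitLabSettings": {
  "Enable": true, "Secret": "s3cr3t-example", "Id": "abc123-example", "Scope": "",
  "AuthEndpoint": "https://authentik.company/application/o/authorize/",
  "TokenEndpoint": "http://authentik.company/application/o/token/",
  "UserAPIEndpoint": "https://authentik.company/application/o/userinfo/",
  "DiscoveryEndpoint": "https://authentik.company/application/o/<application_slug>/.well-known/openid-configuration"
}}
""")

if __name__ == "__main__":
    for problem in check_gitlab_settings(SAMPLE, "authentik.company"):
        print("FAIL:", problem)
```

To check a real deployment, load the Mattermost `config.json` with `json.load` and pass the resulting dictionary together with your authentik FQDN.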
`https://mattermost.company/admin_console/authentication/signup`) and make sure that Enable Account Creation is set to true.

</TabItem>
<TabItem value="saml">

:::info License required
SAML authentication with encryption requires Mattermost Enterprise Edition or a licensed version. Mattermost Team Edition does not natively support SAML. If you are using Mattermost Team Edition, use OIDC instead.
:::
Before configuring SAML, you need to generate a certificate key pair for Mattermost to use for signing and decryption.
Generate a public certificate and private key pair for Mattermost:
```bash
openssl req -x509 -nodes -days 3650 -newkey rsa:2048 \
    -keyout mattermost-private.key \
    -out mattermost-public.crt \
    -subj "/CN=mattermost.company"
```
Keep these files safe. You will upload the public certificate to authentik and both files to Mattermost.
To support the integration of Mattermost with authentik via SAML, you need to upload the Mattermost certificate and create an application/provider pair in authentik.
`Mattermost Certificate`.
`mattermost-public.crt` into the Certificate field.
Log in to authentik as an administrator and open the authentik Admin interface.
Navigate to Applications > Applications and click Create with Provider to create an application and provider pair.
`Mattermost`), an optional group for the type of application, and the policy engine mode. Take note of the slug as it will be required later.

- `https://mattermost.company/login/sso/saml`.
- `authentik`.
- `Post`.

Click Submit to save the new application and provider.
- `https://authentik.company/application/saml/<application_slug>/sso/binding/redirect/`.
- `authentik`.
- `https://mattermost.company/login/sso/saml`.
- `authentik`.
- `mattermost-private.key`.
- `mattermost-public.crt`.
- `RSAwithSHA256`.
- `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress`.
- `http://schemas.goauthentik.io/2021/02/saml/username`.
- `http://schemas.goauthentik.io/2021/02/saml/uid` (optional).

</TabItem>
</Tabs>

To verify the integration of authentik with Mattermost, log out and attempt to log back in. You should see a login button for authentik on the login page, and a successful login should redirect you to Mattermost without any errors.