

Steps for integration.

- SAML Configuration
- Add a Relying Party Trust
- Create Claim Rules
- Export Identity Provider Certificate
- Configure SAML sign-in for Mattermost
- Bind Authentication to ID Attribute instead of Email
- Configure SAML synchronization with AD/LDAP
- Technical description of SAML synchronization with AD/LDAP
- Override SAML Data with AD/LDAP Data

1. SAML Configuration.

- We already have the XML Security Library installed on our Mattermost instance. The XML Security Library is usually included as part of Debian.
- Install the xmlsec1-openssl library:
  - On Ubuntu: sudo apt-get install xmlsec1
  - On RHEL: sudo yum install xmlsec1-openssl
- Generate encryption certificates for encrypting the SAML connection. We can use the Bash script from the mattermost/docs repository on GitHub, or any other suitable method.
- Save the two files that are generated. They are the private key and the public key. In the System Console, they are referred to as the Service Provider Private Key and the Service Provider Public Certificate respectively.

The following are basic requirements to use ADFS for Mattermost:

An SSL certificate to sign our ADFS login page.

ADFS installed on our Microsoft Server. We can find a detailed guide for
deploying and configuring ADFS in this article.

On our ADFS installation, note down the value of the SAML 2.0/WS-Federation
URL in the ADFS Endpoints section, also known as the SAML SSO URL Endpoint in
this guide. If we choose the defaults for the installation, this will be /adfs/ls/.

2. Add a Relying Party Trust.

- In the ADFS management sidebar, go to AD FS > Trust Relationships > Relying Party Trusts and click Add Relying Party Trust.
- A configuration wizard for adding a new relying party trust opens. In the Welcome screen, click Start.
- In the Select Data Source screen, select the option Enter data about the relying party manually.
- In the Specify Display Name screen, enter a Display Name to recognize the trust, such as Mattermost, and add any notes we want to make.
- In the Choose Profile screen, select the option ADFS profile.
- In the Configure Certificate screen, leave the certificate settings at their default values. However, if we would like to set up encryption for our SAML connection, click the Browse button and upload our Service Provider Public Certificate.
- In the Configure URL screen, select the option Enable Support for the SAML 2.0 WebSSO protocol and enter the SAML 2.0 SSO service URL.
- In the Configure Identifiers screen, enter the Relying party trust identifier (also known as the Identity Provider Issuer URL) and click Add.
- In the Configure Multi-factor Authentication Now screen, we can enable multi-factor authentication.
- In the Choose Issuance Authorization Rules screen, select the option Permit all users to access this relying party.
- In the Ready to Add Trust screen, we can review our settings.
- In the Finish screen, select the option Open the Edit Claim Rules dialog for this relying party trust when the wizard closes, and click Close. The configuration wizard closes and the Claim Rules editor opens.
3. Create Claim Rules.

- In the Issuance Transform Rules tab of the Claim Rules editor, click the Add Rule… button. This action opens the Add Transform Claim Rule Wizard.
- In the Choose Rule Type screen, select Send LDAP Attributes as Claims from the drop-down menu, then click Next.
- In the Configure Claim Rule screen, enter a Claim Rule Name, select Active Directory as the Attribute Store and do the following:
  - From the LDAP Attribute column, select E-Mail-Addresses. For the Outgoing Claim Type, type Email.
  - From the LDAP Attribute column, select Given-Name. For the Outgoing Claim Type, type FirstName.
  - From the LDAP Attribute column, select Surname. For the Outgoing Claim Type, type LastName.
  - From the LDAP Attribute column, select SAM-Account-Name. For the Outgoing Claim Type, type Username.
- Create another new rule by clicking the Add Rule button.
- In the Choose Rule Type screen, select Transform an Incoming Claim from the drop-down menu, then click Next.
- In the Configure Claim Rule screen, enter a Claim Rule Name of our choice, then:
  - Select Name ID for the Incoming claim type
  - Select Unspecified for the Incoming name ID format
  - Select E-Mail Address for the Outgoing claim type
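Before wiring the trust into Mattermost, it is worth confirming that the claim rules above actually produce the attributes Mattermost expects. The following check is an added example, not Mattermost's or Microsoft's own code: it parses a SAML Response (the sample below is constructed, with the signature omitted) and reports any of the four attributes (Email, FirstName, LastName, Username) that are missing, a missing NameID, or a NameID that does not match the Email claim.

```python
"""Check that a SAML Response from ADFS carries the claims the rules above
are meant to issue. Added example; the sample response is constructed."""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
# Outgoing claim types configured in the "Send LDAP Attributes as Claims" rule.
REQUIRED_ATTRIBUTES = ("Email", "FirstName", "LastName", "Username")

# Constructed sample of what the two claim rules should yield (no signature).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>http://adfs.example.test/adfs/services/trust</saml:Issuer>
    <saml:Subject><saml:NameID>jdoe@example.test</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="Email"><saml:AttributeValue>jdoe@example.test</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="FirstName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="LastName"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="Username"><saml:AttributeValue>jdoe</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def extract_claims(response_xml):
    """Return (name_id, {attribute name: first value}) from the first Assertion."""
    root = ET.fromstring(response_xml)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no Assertion element in Response")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    attrs = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        value = attr.find("saml:AttributeValue", NS)
        attrs[attr.get("Name")] = (value.text or "").strip() if value is not None else ""
    return (name_id.text.strip() if name_id is not None and name_id.text else None, attrs)


def check_claims(response_xml):
    """Return a list of problems; an empty list means the claim rules look right."""
    name_id, attrs = extract_claims(response_xml)
    problems = []
    if not name_id:
        problems.append("missing NameID")
    for name in REQUIRED_ATTRIBUTES:
        if not attrs.get(name):
            problems.append("missing or empty attribute %s" % name)
    if name_id and attrs.get("Email") and attrs["Email"].lower() != name_id.lower():
        problems.append("NameID does not match the Email attribute")
    return problems
```

Feed it the decoded SAMLResponse captured from a test login (after signature validation) to see which rule is misconfigured before users hit a failed sign-in.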