Mattermost is a team-based instant messaging application.
</p>
<p>
See <a href="https://mattermost.com/" class="urlextern" title="https://mattermost.com/" rel="nofollow">the official Mattermost website</a> for a complete presentation.
</p>
<p>
Mattermost follows an Open Core development model. The freely available <a href="https://docs.mattermost.com/developer/manifesto.html" class="urlextern" title="https://docs.mattermost.com/developer/manifesto.html" rel="nofollow">Team edition</a> contains all the basic chat features, but lacks the integration capabilities found in the <a href="https://mattermost.com/pricing/" class="urlextern" title="https://mattermost.com/pricing/" rel="nofollow">Enterprise edition</a>.
</p>
<p>
The Enterprise edition provides <a href="https://docs.mattermost.com/deployment/sso-saml.html" class="urlextern" title="https://docs.mattermost.com/deployment/sso-saml.html" rel="nofollow">SAML integration</a> out of the box, and you can configure it just like <a href="../idpsaml.html" class="wikilink1" title="documentation:2.0:idpsaml">any other SAML service in LemonLDAP::NG</a>.
</p>
<p>
The Team edition, however, only provides <abbr title="Single Sign On">SSO</abbr> integration with Gitlab.
</p>
<p>
However, it is possible to configure LemonLDAP::NG to behave exactly like a Gitlab OAuth2 server, allowing Mattermost Team Edition to be integrated with LemonLDAP::NG without having to use a <a href="gitlab.html" class="wikilink1" title="documentation:2.0:applications:gitlab">Gitlab</a> server.
</p>
<div class="notewarning">The following configuration requires your user database to expose a unique numeric identifier for every user.
</div>
</div>
<h2 class="sectionedit3" id="configuring_mattermost_team_edition">Configuring Mattermost Team Edition</h2>
<div class="level2">
<p>
Configuring Mattermost through the <em>System Console</em> will not allow you to set the correct URLs. You need to edit the Mattermost configuration file, and avoid changing the Gitlab integration settings in the <em>System Console</em>.
</p>
<p>
Set the following settings in <code>/opt/mattermost/config/config.json</code>:
</p>
<h3 class="sectionedit4" id="configuring_your_web_server">Configuring your web server</h3>
<div class="level3">
<p>
Mattermost does not use OpenID Connect to communicate with Gitlab, but uses plain OAuth2 instead. Because of that, LemonLDAP::NG will not receive the <code>scope=</code> parameter and will display an error on the portal when trying to authenticate.
</p>
<p>
In order to fix this, we can add a fake OAuth2 authorize <abbr title="Uniform Resource Locator">URL</abbr> on the LemonLDAP::NG server that automatically adds this <code>scope=</code> parameter before forwarding the request to the real OIDC authorize <abbr title="Uniform Resource Locator">URL</abbr>.
</p>
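<p>
As an added illustration (not LemonLDAP::NG or Mattermost code, and not the Nginx rule this page refers to), the following Python script models what the fake authorize URL does: it takes a scope-less OAuth2 authorization request aimed at an extra path, assumed here to be <code>/oauth2/mattermost_authorize</code>, and produces the request that the portal's real <code>/oauth2/authorize</code> endpoint should receive, with <code>scope=openid profile email</code> appended and every other parameter left untouched. The extra path name, the scope list and the sample request are assumptions chosen for the example.
</p>

```python
"""Added example (not LemonLDAP::NG or Mattermost code): model the fake
authorize URL rewrite so it can be reasoned about and tested before it is
placed in front of the portal.

Mattermost's Gitlab integration sends a plain OAuth2 authorization request
without a ``scope=`` parameter. The rewrite forwards such a request from an
extra path to the real OIDC authorize endpoint, adding the scope on the way.
"""
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Assumed path for the extra authorize URL in the portal virtualhost.
FAKE_AUTHORIZE_PATH = "/oauth2/mattermost_authorize"
# LemonLDAP::NG's real OIDC authorize endpoint.
REAL_AUTHORIZE_PATH = "/oauth2/authorize"
# Assumed scope list needed for the id/username/name/email claims to be released.
DEFAULT_SCOPE = "openid profile email"


def rewrite_authorize_url(request_url, scope=DEFAULT_SCOPE):
    """Return the URL the portal should receive for a fake-authorize request.

    Raises ValueError for requests that do not target the fake path or that
    are not OAuth2 authorization requests, so unrelated traffic is never
    rewritten.
    """
    parts = urlsplit(request_url)
    if parts.path != FAKE_AUTHORIZE_PATH:
        raise ValueError(f"not a fake-authorize request: {parts.path}")
    params = parse_qsl(parts.query, keep_blank_values=True)
    names = [key for key, _ in params]
    if "response_type" not in names or "client_id" not in names:
        raise ValueError("not an OAuth2 authorization request")
    # Add scope= only when the client did not send one, so the parameter is
    # never duplicated (Mattermost does not send it today, a later release might).
    if "scope" not in names:
        params.append(("scope", scope))
    return urlunsplit(
        (parts.scheme, parts.netloc, REAL_AUTHORIZE_PATH, urlencode(params), parts.fragment)
    )


# Constructed sample request (not captured from a real Mattermost server).
SAMPLE_REQUEST = (
    "https://auth.example.com/oauth2/mattermost_authorize"
    "?client_id=mattermost"
    "&redirect_uri=https%3A%2F%2Fchat.example.com%2Fsignup%2Fgitlab%2Fcomplete"
    "&response_type=code&state=abc123"
)

if __name__ == "__main__":
    print(rewrite_authorize_url(SAMPLE_REQUEST))
```

<p>
Running the script prints the rewritten URL; the <code>redirect_uri</code> and <code>state</code> values survive the round trip unchanged, and the path check keeps the rewrite from touching the token or userinfo endpoints.
</p>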
<p>
Here is an example configuration for Nginx; add it to your Portal virtualhost before any other rewrite rule:
</p>
<p>
We now have to configure LemonLDAP::NG to recognize Mattermost as a valid OAuth2 relying party and send it the information it needs to identify a user.
</p>
<p>
Add a <a href="../idpopenidconnect.html" class="wikilink1" title="documentation:2.0:idpopenidconnect">new OpenID Connect relying party</a> with the following parameters:
</p>
<ul>
<li class="level1"><div class="li"><strong>Client ID</strong>: the same you set in the Mattermost configuration</div>
</li>
<li class="level2"><div class="li"><strong>Client Secret</strong>: the same you set in the Mattermost configuration</div>
</li>
<li class="level4"><div class="li"><strong>Value</strong>: <code>id username name email</code></div>
</li>
<li class="level2"><div class="li">Add the following exported attributes:</div>
<ul>
<li class="level4"><div class="li"><code>username</code>: set it to the session attribute containing the user login</div>
</li>
<li class="level4"><div class="li"><code>name</code>: session attribute containing the user's full name</div>
</li>
<li class="level4"><div class="li"><code>email</code>: session attribute containing the user's email</div>
</li>
<li class="level4"><div class="li"><code>id</code>: session attribute containing the user's numeric ID</div>
</li>
</ul>
</li>
</ul>
<div class="notewarning">Mattermost absolutely needs to receive a numerical value in the <code>id</code> claim. If you are using an LDAP server, you could use the <code>uidNumber</code> LDAP attribute. If you use something else, you will have to find a trick to assign a unique numeric ID to each Mattermost user.
<p>
The <code>id</code> attribute has to be different for each user, since this is the field Mattermost uses internally to map Gitlab identities to Mattermost accounts.
If you see an HTTP 500 code when being redirected back to Mattermost, with a panic() in <code>(*GitLabUser).IsValid(...)</code>, it probably means that you are not exporting the correct attributes, but it can also mean that <code>id</code> is exported as a JSON string.
</p>
<p>
In this case, it can help to create a macro, for example <code>uidNumber_n</code>, with a value of <code>$uidNumber + 0</code> to force conversion to a numeric value. You must then export it as the <code>id</code> field in the Relying Party configuration.
</p>
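<p>
The following Python check is an added example, not LemonLDAP::NG or Mattermost code: it validates the userinfo claims the relying party exports against the requirements above (all four attributes present, <code>id</code> a JSON number rather than a string, <code>id</code> unique across users, since two users sharing an <code>id</code> would be mapped to the same Mattermost account) and mirrors the <code>+ 0</code> coercion of the macro. The userinfo documents are constructed for the example and do not come from a real portal.
</p>

```python
"""Added example (not LemonLDAP::NG or Mattermost code): check the claims
exported to Mattermost before going live.

Mattermost maps the Gitlab-style identity to a local account by the numeric
``id`` claim, so this checker enforces what the page requires: every user
needs ``id``, ``username``, ``name`` and ``email``; ``id`` must be a JSON
number (a string such as "1001" is rejected); and ``id`` must be unique.
"""
import json

REQUIRED_CLAIMS = ("id", "username", "name", "email")


def coerce_numeric_id(value):
    """Mirror of the ``$uidNumber + 0`` macro: turn a string id into an int.

    Returns None when the value is not an integer literal, so the caller can
    flag it instead of silently mapping the user to id 0 (which is what a
    Perl numeric coercion of a non-numeric string would yield).
    """
    if isinstance(value, bool):  # bool is an int subclass in Python; reject it
        return None
    if isinstance(value, int):
        return value
    if isinstance(value, str) and value.strip().lstrip("-").isdigit():
        return int(value.strip())
    return None


def check_userinfo(claims):
    """Return a list of problems with one userinfo payload ([] when valid)."""
    problems = []
    for name in REQUIRED_CLAIMS:
        if name not in claims or claims[name] in ("", None):
            problems.append(f"missing claim: {name}")
    if "id" in claims:
        if isinstance(claims["id"], bool) or not isinstance(claims["id"], int):
            problems.append(
                f"id must be a JSON number, got {type(claims['id']).__name__}: "
                f"{claims['id']!r}"
            )
    return problems


def check_directory(payloads):
    """Check every user's userinfo document and detect duplicate ids.

    A collision is reported for both users involved, because Mattermost
    would otherwise merge them into a single account.
    """
    report = {}
    seen = {}
    for raw in payloads:
        claims = json.loads(raw)
        who = claims.get("username", "<unknown>")
        report[who] = check_userinfo(claims)
        uid = claims.get("id")
        if isinstance(uid, int) and not isinstance(uid, bool):
            if uid in seen:
                report[who].append(f"id {uid} is shared with {seen[uid]}")
                report[seen[uid]].append(f"id {uid} is shared with {who}")
            else:
                seen[uid] = who
    return report


# Constructed sample userinfo responses (not captured from a real portal).
SAMPLE_USERINFO = [
    '{"id": 1001, "username": "alice", "name": "Alice Adams", "email": "alice@example.com"}',
    '{"id": "1002", "username": "bob", "name": "Bob Brown", "email": "bob@example.com"}',
    '{"id": 1001, "username": "carol", "name": "Carol Clark", "email": "carol@example.com"}',
    '{"id": 1003, "username": "dave", "email": "dave@example.com"}',
]

if __name__ == "__main__":
    for user, problems in check_directory(SAMPLE_USERINFO).items():
        print(f"{user}: {'OK' if not problems else '; '.join(problems)}")
```

<p>
In the sample set, <code>bob</code> is the case the warning describes (<code>id</code> exported as a JSON string), <code>alice</code> and <code>carol</code> collide on the same numeric id, and <code>dave</code> lacks the <code>name</code> claim; only a user passing all three checks will be mapped cleanly by Mattermost.
</p>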