Mattermost, Inc.

Mattermost Recipe: Migrating ID Attribute in SAML / LDAP

Hi All,
Wanted to share this here in case it helps anyone in the future.

We had a customer using SAML and LDAP and encountered an issue with using the objectGUID as an ID Attribute in the LDAP and SAML Settings*. They wanted to migrate an active production environment to use a different unique and unchanging property for the IdAttribute under LDAP and SAML (in this case UserPrincipalName). Here are the steps they successfully followed to make the transition:

  1. Enable AD/LDAP Login
  2. Change AD ID Attribute to UserPrincipalName
  3. Remove SAML 2.0 ID Attribute
  4. Make sure the following are set in SAML 2.0 settings
    a. Enable Login With SAML 2.0: True
    b. Enable Synchronizing SAML Accounts With AD/LDAP: True
    c. Override SAML bind data with AD/LDAP information: True
  5. Perform AD/LDAP Sync (after the sync, notice that the AuthData in the database changes from objectGUID to email address.)
  6. Change SAML ID Attribute to UPN (UPN is set up as UserPrincipalName in the SAML Assertion)
  7. Disable AD/LDAP Login

* Note: Due to differences in how different SAML providers send the objectGUID property (related to endianness), SAML can fail. See the following Mattermost Server JIRA for details on additional handling coming in MM Server 5.25 - https://mattermost.atlassian.net/browse/MM-25039
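To make the endianness caveat in the note concrete, here is an added illustration (not part of the original post and not Mattermost's code) that renders one constructed 16-byte objectGUID the different ways an IdP may send it, and shows why a GUID string received from an IdP is ambiguous without knowing the byte order it used:

```python
"""Illustrate how one AD objectGUID can look different depending on the IdP."""
import base64
import uuid

# Constructed sample value, not a real account's objectGUID.
SAMPLE_OBJECTGUID = bytes.fromhex("0123456789abcdef0123456789abcdef")


def objectguid_forms(raw: bytes) -> dict:
    """Return the representations an IdP might emit for one raw objectGUID.

    AD stores the GUID in the Windows mixed-endian layout, so the canonical
    string shown by AD tools and a naive big-endian reading of the same
    16 bytes are different strings.
    """
    if len(raw) != 16:
        raise ValueError("objectGUID must be exactly 16 bytes")
    return {
        "canonical": str(uuid.UUID(bytes_le=raw)),        # what AD tools display
        "big_endian": str(uuid.UUID(bytes=raw)),          # same bytes, other byte order
        "base64": base64.b64encode(raw).decode("ascii"),  # raw bytes, base64-encoded
        "hex": raw.hex(),                                 # raw bytes as hex
    }


def possible_raw_bytes(guid_string: str) -> dict:
    """A GUID string from an assertion maps to two candidate raw values,
    depending on whether the sender used mixed-endian or big-endian order."""
    parsed = uuid.UUID(guid_string.strip().strip("{}"))
    return {"as_mixed_endian": parsed.bytes_le, "as_big_endian": parsed.bytes}


def claim_matches_guid(claim: str, raw: bytes) -> bool:
    """True if the assertion value is any known rendering of the raw objectGUID.

    Base64 is compared exactly (it is case-sensitive); GUID strings and hex
    are compared case-insensitively, with optional surrounding braces removed.
    """
    forms = objectguid_forms(raw)
    candidate = claim.strip()
    if candidate == forms["base64"]:
        return True
    candidate = candidate.strip("{}").lower()
    return candidate in (forms["canonical"], forms["big_endian"], forms["hex"])
```

A stable, encoding-independent attribute such as UserPrincipalName avoids this ambiguity entirely, which is the motivation for the migration above.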