Mattermost, Inc.

SAML Service Provider Identity

Hi,

When configuring SAML, one of the steps is to configure the identity provider with the service provider identity URL or URI. Normally this would be done using the SP URL or some other unique ID; however, MM has coded theirs to use the Identity Provider request URL. This is incorrect, as if every SP did this the IDP would have no way of telling them apart.

This can be seen here in step 8: https://docs.mattermost.com/deployment/sso-saml-adfs.html. This link refers to the “relying party trust identifier” and links it to being synonymous with the “identity provider issuer url”, but these are two very different things. It is actually synonymous with the service provider identity, as service provider and relying party are interchangeable references.

This value should be a unique SP value not the value of the IDP. e.g. https://mattermost.example.com/login/sso/saml
or
urn:federation:mattermost

1 Like

Thanks for the feedback, I’ve opened a doc issue for this here: https://github.com/mattermost/docs/issues/3529.

Hi @amy.blais

Thanks, but it's more than a doc issue, as the docs reflect the way the server currently works; it is a code issue in that it should not be set up like this.

To add to @amy.blais’s reply I’ve raised this with the Enterprise team.

1 Like

Hi, @Terafirma

Any chance for you to share the value of Relying party trust identifier that you configured for step 8?

Since you mentioned that they are 2 different things, we can include this detail in the https://mattermost.atlassian.net/browse/MM-24434 ticket for future references in case other users might run into the same problem.

Hi,

I used the value as shown

https://<adfs-url.example.com>/adfs/services/trust

to make it work. The problem is now ADFS has a relying party that it thinks the ID of is the ADFS URL.

This ID should be a unique value to the relying party/service provider. All other SSO apps we have configured SAML on define this as either the URL of the app or some form of uri:federation:app-name

In the case of Mattermost I would expect this to be the SAML endpoint of https://mattermost.example.com/login/sso/saml

This would mean ADFS sees these IDs:

CRM:
https://tenant.examplecrm.com
Mattermost 1:
https://mattermost1.example.com/login/sso/saml
Mattermost 2:
https://mattermost2.example.com/login/sso/saml
Azure:
uri:federation:microsoft

compared to how it is now:

CRM:
https://tenant.examplecrm.com
Mattermost 1:
https://adfs.example.com/adfs/services/trust
Mattermost 2:
https://adfs.example.com/adfs/services/trust
Azure:
uri:federation:microsoft

1 Like
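The point made in the thread above (the relying party identifier must be a value unique to the service provider, not the IdP's own URL, otherwise the IdP cannot tell two Mattermost instances apart) can be shown with a small model of the IdP side of SAML. The following is an added example, not code from Mattermost or from ADFS: it builds minimal SAML 2.0 AuthnRequests whose `<saml:Issuer>` carries the SP entity ID, keeps a toy relying-party registry keyed on that identifier, and includes a `check_sp_entity_id` lint that flags an SP configured with the IdP's identifier. All hostnames, the IdP entity ID and the timestamp are constructed values in the style of the thread.

```python
"""
Added example (not Mattermost's or ADFS's code): a small model of the IdP side
of SAML showing why the service provider identity (the <saml:Issuer> of an
AuthnRequest, also called entity ID or relying party identifier) must be unique
per SP rather than the IdP's own URL. All URLs and IDs are constructed values.
"""
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
ET.register_namespace("saml", SAML_NS)
ET.register_namespace("samlp", SAMLP_NS)

# Constructed IdP entity ID in the style used in the thread.
IDP_ENTITY_ID = "https://adfs.example.com/adfs/services/trust"


def check_sp_entity_id(sp_entity_id: str, idp_entity_id: str = IDP_ENTITY_ID) -> list:
    """Return a list of configuration problems with a proposed SP entity ID."""
    problems = []
    if sp_entity_id.rstrip("/") == idp_entity_id.rstrip("/"):
        problems.append("SP entity ID is the IdP's own identifier; it cannot identify this SP")
    if not (sp_entity_id.startswith("https://") or sp_entity_id.startswith("urn:")):
        problems.append("SP entity ID should be an absolute URI (https://... or urn:...)")
    return problems


def build_authn_request(sp_entity_id: str, acs_url: str, request_id: str) -> bytes:
    """Build a minimal SAML 2.0 AuthnRequest; the Issuer carries the SP entity ID."""
    root = ET.Element(f"{{{SAMLP_NS}}}AuthnRequest", {
        "ID": request_id,
        "Version": "2.0",
        "IssueInstant": "2020-01-01T00:00:00Z",  # constructed timestamp
        "AssertionConsumerServiceURL": acs_url,
    })
    ET.SubElement(root, f"{{{SAML_NS}}}Issuer").text = sp_entity_id
    return ET.tostring(root, encoding="utf-8")


def extract_issuer(authn_request_xml: bytes) -> str:
    """Read the Issuer that the IdP uses to look up the relying party."""
    issuer = ET.fromstring(authn_request_xml).find(f"{{{SAML_NS}}}Issuer")
    if issuer is None or not issuer.text:
        raise ValueError("AuthnRequest has no Issuer")
    return issuer.text.strip()


def register_relying_party(registry: dict, entity_id: str, acs_url: str) -> None:
    """IdP-side registration: one identifier maps to exactly one relying party."""
    if entity_id in registry:
        raise ValueError(f"relying party identifier already registered: {entity_id}")
    registry[entity_id] = {"acs_url": acs_url}


def resolve_relying_party(registry: dict, authn_request_xml: bytes) -> dict:
    """IdP-side lookup: find the relying party that sent this AuthnRequest."""
    issuer = extract_issuer(authn_request_xml)
    if issuer not in registry:
        raise LookupError(f"unknown relying party: {issuer}")
    return registry[issuer]


def demo() -> dict:
    """Register two Mattermost instances with distinct IDs, then show the collision."""
    registry = {}
    mm1 = "https://mattermost1.example.com/login/sso/saml"
    mm2 = "https://mattermost2.example.com/login/sso/saml"
    for entity_id in (mm1, mm2):
        assert check_sp_entity_id(entity_id) == []
        register_relying_party(registry, entity_id, entity_id)
    # With the IdP URL used as the "SP identity", the second registration
    # collides: the IdP has no way to tell Mattermost 1 from Mattermost 2.
    collided = {}
    register_relying_party(collided, IDP_ENTITY_ID, mm1)
    try:
        register_relying_party(collided, IDP_ENTITY_ID, mm2)
        collision = False
    except ValueError:
        collision = True
    req = build_authn_request(mm2, mm2, "_req1")
    return {"resolved_acs": resolve_relying_party(registry, req)["acs_url"],
            "collision_with_idp_url": collision,
            "idp_url_problems": check_sp_entity_id(IDP_ENTITY_ID)}


if __name__ == "__main__":
    print(demo())
```

The registry here is keyed on the identifier alone, which is the property the thread is describing: whatever a real IdP does on a duplicate registration, a request whose Issuer is the IdP's own URL carries no information about which relying party sent it. Either of the values suggested earlier in the thread (`https://mattermost.example.com/login/sso/saml` or `urn:federation:mattermost`) passes `check_sp_entity_id`.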

Hi, @amy.blais @justinegeffen

May I know if the information provided by @Terafirma is sufficient for us to update the https://github.com/mattermost/docs/issues/3529 ticket?

If yes, may we know what will be the next step from his or my end? Thanks.

There is a Jira ticket open for this here: https://mattermost.atlassian.net/browse/MM-24467.

1 Like