@claude The documentation does not contain instructions for configuring SAML with Microsoft Entra ID. There should be a new documentation page similar to the pages for other SAML identity providers such as the Okta SAML configuration page, OneLogin SAML configuration page, Keycloak SAML configuration page, etc. The link to this documentation page should appear in the left navigation menu under Administration Guide > Server maintenance > Secure Mattermost > SAML-based SSO like other SAML documentation pages.
Below is the content for the new documentation page in Markdown that will need to be converted to reStructuredText:
Configure SAML with Microsoft Entra ID
The following process provides steps to configure SAML with Microsoft Entra ID for Mattermost.
See the encryption options documentation for details on what encryption methods Mattermost supports for SAML.
Before you begin
Before you begin, you need to generate encryption certificates for encrypting the SAML connection.
- You can use the Bash script from the mattermost/docs repository on GitHub, or any other suitable method. See the generate self-signed certificates documentation for details on generating a self-signed x509v3 certificate for use with multiple URLs / IPs.
- Save the two files that are generated. They are the private key and the public key. In the System Console, they are referred to as the Service Provider Private Key and the Service Provider Public Certificate respectively.
Prerequisites
- A Microsoft Entra tenant containing applicable user data.
- A verified custom domain for your tenant. See Microsoft's Add your custom domain name to your tenant documentation for details.
- A Microsoft Entra ID P1 or P2 license.
Set up an enterprise app for Mattermost SSO in Entra ID
1. Log into the Microsoft Azure portal and select the Microsoft Entra ID service.
2. In the left menu, select Manage > Enterprise applications.
3. Click the New application button.
4. In the Search application field, search for Microsoft Entra SAML Toolkit and select Microsoft Entra SAML Toolkit.
5. In the Name field, enter Mattermost SAML then click the Create button.
6. In the Mattermost SAML enterprise application settings, select Manage > Users and Groups to assign users and/or groups to the application, or select Manage > Properties, set Assignment required? to No, then click Save.
7. In the Mattermost SAML enterprise application settings, select Manage > Single sign-on then click SAML under Select a single sign-on method.
8. Select Edit in the Basic SAML Configuration section, set the fields below, then click Save:
   - Identity (Entity ID): https://<your-mattermost-url>
   - Reply URL (Assertion Consumer Service URL): https://<your-mattermost-url>/login/sso/saml
   - Sign on URL: https://<your-mattermost-url>/login
9. Select Edit in the Attributes & Claims section then set the attributes below:
   - Set the Unique User Identifier (Name ID) required claim Name identifier format and Source attribute values as required for your environment. Setting the Source attribute to an immutable value such as user.objectid is recommended.
   - Edit claim names and namespaces under Additional claims to match the SAML attribute settings you wish to set in Mattermost. Configurable settings are Email, Username, Id, Guest, Admin, First Name, Last Name, Nickname, Position, and Preferred Language.
10. Select Edit in the SAML Certificates section. Select Sign SAML response and assertion for Signing Option and SHA-256 for Signing Algorithm, then click Save.
11. Select the Certificate (Base64) Download link in the SAML Certificates section. This is the Identity Provider Public Certificate to be uploaded to Mattermost.
12. In the Mattermost SAML enterprise application settings, select Security > Token encryption. Select Import Certificate to import the Service Provider certificate. If you used the Bash script referenced in the Before you begin section, this is the mattermost-x509.crt file. The Import dialog says to upload a certificate with a .cer file extension, but .crt files are also accepted. Upload the file then click Add.
13. Click the ... to the right of the imported certificate details, select Activate token encryption certificate, then click Yes to activate.
14. On the Home page for Microsoft Entra ID, select the Overview link in the left navigation menu and copy the Tenant ID value. The Tenant ID will be used in the Mattermost SAML 2.0 URL settings.
15. In the left navigation menu, select Manage > Enterprise applications. Select the Mattermost SAML application then copy the Application ID. The Application ID will be used in the Identity Provider Metadata URL setting in the Mattermost SAML 2.0 settings.
Configure SAML Sign-On for Mattermost
1. In the Mattermost System Console, select Authentication > SAML 2.0.
2. Set Enable Login With SAML 2.0 to True.
3. Set Identity Provider Metadata URL: https://login.microsoftonline.com/<your-tenant-id>/federationmetadata/2007-06/federationmetadata.xml?appid=<your-app-id>
4. Select Get SAML Metadata From IdP to verify that the SAML metadata can be retrieved successfully.
5. Set SAML SSO URL: https://login.microsoftonline.com/<your-tenant-id>/saml2
6. Set Identity Provider Issuer URL (trailing slash is required): https://sts.windows.net/<your-tenant-id>/
7. Choose the Identity Provider Public Certificate file from step 11 of Set up an enterprise app for Mattermost SSO in Entra ID, then upload it.
8. Set Verify Signature to True.
9. Set Service Provider Login URL: https://<your-mattermost-url>/login/sso/saml
10. Set Service Provider Identifier: https://<your-mattermost-url>
11. Set Enable Encryption to True.
12. Choose your Service Provider Private Key file, then upload it. If you used the Bash script referenced in the Before you begin section, this is the mattermost-x509.key file.
13. Choose your Service Provider Public Certificate, then upload it. If you used the Bash script referenced in the Before you begin section, this is the mattermost-x509.crt file.
14. Set Sign Request to suit your environment. The Signature Algorithm must match the algorithm set in Entra ID (RSAwithSHA256 is recommended). Note: the Test single sign-on with Mattermost SAML tool in Microsoft Entra ID does not sign the request even if Sign Request is set to True in Mattermost. Depending on your security settings and key length, the Entra ID testing tool may sign in successfully while an actual sign-in request from your Mattermost login page fails with the error AADSTS90015: Requested query string is too long, because Entra ID handles the initial request with an HTTP GET redirect rather than an HTTP POST.
15. Set the attribute settings to match the attributes configured in step 9 of the Set up an enterprise app for Mattermost SSO in Entra ID section.
16. Set the Login Button Text to suit your environment.
17. Click the Save button.
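As an added cross-check (example code, not part of the proposed page and not Mattermost's or Microsoft's own tooling), the Python below parses a constructed sample of the federation metadata document that the Identity Provider Metadata URL returns and verifies that the Identity Provider Issuer URL (with its trailing slash), the SAML SSO URL and the downloaded Certificate (Base64) agree with what is entered in the System Console. The tenant id and certificate bytes are placeholders; with real input you would fetch the metadata URL and read the downloaded .cer/.crt file instead.

```python
import base64
import re
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed stand-ins (not real values): a placeholder tenant id and fake
# certificate bytes, base64-encoded the way Entra ID emits them in metadata.
TENANT_ID = "00000000-0000-0000-0000-000000000000"
FAKE_CERT_B64 = base64.b64encode(b"constructed-idp-signing-certificate").decode()
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="{NS['md']}" entityID="https://sts.windows.net/{TENANT_ID}/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><KeyInfo xmlns="{NS['ds']}"><X509Data>
      <X509Certificate>{FAKE_CERT_B64}</X509Certificate></X509Data></KeyInfo></KeyDescriptor>
    <SingleSignOnService Binding="{REDIRECT}" Location="https://login.microsoftonline.com/{TENANT_ID}/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

# The "Certificate (Base64)" download from the portal is PEM; same constructed bytes here.
SAMPLE_PEM = f"-----BEGIN CERTIFICATE-----\n{FAKE_CERT_B64}\n-----END CERTIFICATE-----\n"


def parse_idp_metadata(xml_text: str) -> dict:
    """Extract issuer, HTTP-Redirect SSO URL and signing certificate (DER) from IdP metadata."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    sso = idp.find(f"md:SingleSignOnService[@Binding='{REDIRECT}']", NS)
    cert = idp.find("md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    return {
        "issuer": root.get("entityID"),
        "sso_url": sso.get("Location"),
        "signing_cert_der": base64.b64decode(re.sub(r"\s+", "", cert.text)),
    }


def pem_to_der(pem_text: str) -> bytes:
    """Decode the body of a PEM certificate so it can be compared byte-for-byte."""
    body = "".join(line for line in pem_text.splitlines() if not line.startswith("-----"))
    return base64.b64decode(body)


def check_mattermost_settings(meta: dict, tenant_id: str, downloaded_pem: str) -> list:
    """Return mismatches between the metadata and the values typed into the System Console."""
    problems = []
    if meta["issuer"] != f"https://sts.windows.net/{tenant_id}/":
        problems.append("Identity Provider Issuer URL mismatch (trailing slash is required)")
    if meta["sso_url"] != f"https://login.microsoftonline.com/{tenant_id}/saml2":
        problems.append("SAML SSO URL mismatch")
    if meta["signing_cert_der"] != pem_to_der(downloaded_pem):
        problems.append("downloaded certificate is not the metadata signing certificate")
    return problems
```

An empty list from check_mattermost_settings means the three values agree; any entry names the System Console field to revisit.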