How to authenticate
When visiting a fresh deployment, you will first be asked to create an admin account. Further accounts must be created using this admin account, or by setting up an external authentication source, such as SAML.
SAML Authentication
This charm supports Ubuntu SSO (login.ubuntu.com) as a SAML identity provider for Mattermost. This requires the following:
- a Mattermost Enterprise Edition licence to be obtained and activated (SAML is an Enterprise feature)
- a SAML config for the Mattermost installation to be added to login.ubuntu.com
- a new certificate to be generated for that SAML config (the default certificate available via the SAML metadata URL has expired; refer to “Canonical RT#107985” when requesting this)
- the new certificate to be installed in the Mattermost database (see below)
Installing the SAML Identity Provider Certificate
Invoke psql against the Mattermost database on the current primary and run the following statement to install the certificate. The data column holds the PEM text exactly as issued, including the BEGIN and END lines; $$ ... $$ dollar quoting lets it be pasted without escaping, and createat/updateat are Unix timestamps in milliseconds, which is how Mattermost stores all of its timestamps:
INSERT INTO configurationfiles (name, createat, updateat, data)
VALUES ('saml-idp.crt',
        (extract(epoch from now()) * 1000)::bigint,
        (extract(epoch from now()) * 1000)::bigint,
        $$-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----$$);
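As an added example (not part of the charm's documentation), the same install written so it can be re-run safely when the IdP certificate is rotated, followed by a query that checks what was actually stored. It assumes configurationfiles.name carries a unique or primary-key constraint, as Name does in Mattermost's ConfigurationFiles table (without it the ON CONFLICT clause errors instead of updating), and that data is a text column, as the INSERT above implies. The [...] stands for the PEM body of the real certificate.

```sql
-- Added example: idempotent install/replace of the SAML IdP certificate.
-- Assumption: configurationfiles.name is unique (primary key in Mattermost's
-- ConfigurationFiles table). $cert$...$cert$ is a tagged dollar-quoted string,
-- so the PEM body needs no escaping even if it contained a bare $$.
INSERT INTO configurationfiles (name, createat, updateat, data)
VALUES ('saml-idp.crt',
        (extract(epoch from now()) * 1000)::bigint,
        (extract(epoch from now()) * 1000)::bigint,
        $cert$-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----$cert$)
ON CONFLICT (name) DO UPDATE
   SET data     = EXCLUDED.data,
       updateat = EXCLUDED.updateat;

-- Check what Mattermost will read back: timestamps as dates, the size of the
-- stored text, and whether it starts and ends like a PEM certificate.
SELECT name,
       to_timestamp(createat / 1000.0) AS created,
       to_timestamp(updateat / 1000.0) AS updated,
       length(data)                    AS chars,
       (data LIKE '-----BEGIN CERTIFICATE-----%'
        AND rtrim(data, E'\n') LIKE '%-----END CERTIFICATE-----') AS looks_like_pem
  FROM configurationfiles
 WHERE name = 'saml-idp.crt';
```

The file name must match SamlSettings.IdpCertificateFile in the Mattermost configuration; saml-idp.crt is that setting's default, which is why the page uses it. If looks_like_pem comes back false, the paste lost the header or footer line and SAML logins will fail with a certificate parse error rather than a clear message.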
Allowing all users to create Personal Access Tokens
Setting “Enable Personal Access Tokens” in the System Console’s “Integrations” panel only turns the feature on; a user can create tokens only if they also hold the system_user_access_token role, which otherwise has to be granted per user by an admin. Note that a personal access token is a bearer credential that stays valid until it is revoked, so granting this role to everyone widens what a compromised account can do.
To grant the role automatically to every new user, add this database trigger (EXECUTE FUNCTION needs PostgreSQL 11 or later; on older versions use EXECUTE PROCEDURE):
BEGIN;
-- Append the PAT role to the new user row unless it is already present.
CREATE OR REPLACE FUNCTION grant_system_user_access_token_role() RETURNS TRIGGER AS $$
BEGIN
    IF position('system_user_access_token' in NEW.roles) = 0 THEN
        NEW.roles = NEW.roles || ' system_user_access_token';
    END IF;
    RETURN NEW;
END;
$$
LANGUAGE PLPGSQL;
DROP TRIGGER IF EXISTS before_insert_system_user_grant_system_user_access_token ON users;
-- Fire only for plain members (roles exactly 'system_user'): admins already hold
-- every permission, and guests are deliberately left alone.
CREATE TRIGGER before_insert_system_user_grant_system_user_access_token
    BEFORE INSERT ON users
    FOR EACH ROW WHEN ( NEW.roles = 'system_user' )
    EXECUTE FUNCTION grant_system_user_access_token_role();
COMMIT;
The trigger only covers rows inserted from now on. To grant the role to existing users as well, run this update (it matches only users whose roles are exactly 'system_user', so admins and guests are untouched):
UPDATE users
SET roles = 'system_user system_user_access_token'
WHERE roles = 'system_user';
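As an added example (not from the charm's documentation), queries to verify the two steps above and, when the policy is reversed, to undo them. They use only the users table and the trigger name given on this page, plus the PostgreSQL catalog; the final query assumes Mattermost's UserAccessTokens table with userid, description and isactive columns, which is where issued tokens live independently of the role.

```sql
-- Added example: verify the grant above, and reverse it if required.

-- 1. Confirm the trigger is attached to users and enabled ('O' = enabled).
SELECT tgname, tgenabled
  FROM pg_trigger
 WHERE tgrelid = 'users'::regclass
   AND NOT tgisinternal;

-- 2. Role distribution among active accounts. Plain members should now show
--    'system_user system_user_access_token'; admin and guest rows are untouched.
SELECT roles, count(*)
  FROM users
 WHERE deleteat = 0
 GROUP BY roles
 ORDER BY count(*) DESC;

-- 3. Active, non-admin, non-guest members the UPDATE did not reach, e.g. a
--    roles string that is not exactly 'system_user'. Expected to return no rows.
SELECT id, username, roles
  FROM users
 WHERE deleteat = 0
   AND position('system_admin' in roles) = 0
   AND position('system_guest' in roles) = 0
   AND position('system_user_access_token' in roles) = 0;

-- 4. Only when reversing the policy: drop the trigger and strip the role,
--    collapsing the whitespace left behind in compound role strings.
BEGIN;
DROP TRIGGER IF EXISTS before_insert_system_user_grant_system_user_access_token ON users;
UPDATE users
   SET roles = btrim(regexp_replace(
                 replace(roles, 'system_user_access_token', ''), '\s+', ' ', 'g'))
 WHERE position('system_user_access_token' in roles) > 0;
COMMIT;

-- 5. Tokens already issued are separate rows and are not removed by step 4;
--    list them so they can be reviewed or revoked. Assumes Mattermost's
--    useraccesstokens(userid, description, isactive).
SELECT u.username, t.description, t.isactive
  FROM useraccesstokens t
  JOIN users u ON u.id = t.userid
 ORDER BY u.username;
```

Steps 1 to 3 are read-only and safe to run at any time; step 4 is the inverse of the trigger and update on this page and should be wrapped in its own transaction as shown, so that a failure leaves the roles column untouched.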