documentation:latest:applications:mattermost [2019/05/19 13:48]
maxbes created
documentation:latest:applications:mattermost [2019/06/05 14:24]
====== Mattermost Team Edition ======

{{ :applications:mattermost_logo.png?nolink |}}

===== Presentation =====

Mattermost is a team-based instant messaging application.

See [[https://mattermost.com/|the official Mattermost website]] for a complete presentation.

Mattermost follows an Open Core development model. The freely available [[https://docs.mattermost.com/developer/manifesto.html|Team edition]] contains all the basic chat features, but lacks the integration capabilities found in the [[https://mattermost.com/pricing/|Enterprise edition]].

The Enterprise edition provides [[https://docs.mattermost.com/deployment/sso-saml.html|SAML integration]] out of the box, and you can configure it just like [[../idpsaml|any other SAML service in LemonLDAP::NG]].

The Team edition, however, only provides SSO integration with GitLab.

It is nevertheless possible to configure LemonLDAP::NG to behave exactly like a GitLab OAuth2 server, so that Mattermost Team Edition can be integrated with LemonLDAP::NG without having to run a [[gitlab|GitLab]] server.

<note warning>
The following configuration requires your user database to expose a unique and stable numeric identifier for every user (for example the ''uidNumber'' LDAP attribute).
</note>

===== Configuring Mattermost Team Edition =====

Configuring Mattermost through the //System Console// will not allow you to set the correct URLs. You need to edit the Mattermost configuration file directly, and avoid touching the GitLab integration settings in the //System Console// afterwards, since saving that section from the console would overwrite the values below.

Set the following settings in ''/opt/mattermost/config/config.json'':

<code>
    "GitLabSettings": {
        "Enable": true,
        "Secret": "CHOOSE_A_CLIENT_SECRET",
        "Id": "CHOOSE_A_CLIENT_ID",
        "Scope": "",
        "AuthEndpoint": "https://auth.example.com/oauth2/gitlab_authorize",
        "TokenEndpoint": "https://auth.example.com/oauth2/token",
        "UserApiEndpoint": "https://auth.example.com/oauth2/userinfo"
    },
</code>

''Id'' and ''Secret'' are the OAuth2 client credentials Mattermost will present to LemonLDAP::NG: pick any identifier for ''Id'' and generate a long random value for ''Secret'' (for instance with ''openssl rand -hex 32''). Both must match what you declare on the LemonLDAP::NG side. ''Scope'' is left empty on purpose, the scope is added by the web server rewrite described below. ''AuthEndpoint'' points to that rewrite, while ''TokenEndpoint'' and ''UserApiEndpoint'' are the standard LemonLDAP::NG OpenID Connect token and userinfo endpoints. Since ''config.json'' now holds a client secret in clear text, make sure it is readable only by the Mattermost service account.

==== Configuring your web server ====

Mattermost does not use OpenID Connect to communicate with GitLab, but plain OAuth2. Its authorization request therefore carries no ''scope='' parameter, and LemonLDAP::NG, which expects at least the ''openid'' scope, displays an error on the portal when the user tries to authenticate.

To work around this, add a fake OAuth2 authorize URL on the LemonLDAP::NG web server that redirects to the real one and adds the ''scope='' parameter automatically.

Here is an example configuration for Nginx. Add it in your Portal virtualhost, before any other rewrite rule:

<code>
    # Redirect Mattermost's GitLab-style authorize request to the real
    # authorize endpoint, adding the scope LemonLDAP::NG requires
    rewrite ^/oauth2/gitlab_(authorize.*)$ https://auth.example.com/oauth2/$1?scope=openid%20gitlab ;
</code>

Because the replacement is an absolute URL, Nginx answers with a redirect that the browser follows. Because the replacement already contains arguments, Nginx appends the original query string (''client_id'', ''redirect_uri'', ''response_type'' and ''state'' as sent by Mattermost) after ''scope=openid%20gitlab'', so nothing from the original request is lost. The ''gitlab'' scope must match the extra scope declared in the relying party configuration below.

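To see what the rewrite does to the request Mattermost sends, here is an added Python model of the rule. It is example code written for this page, not code from LemonLDAP::NG, Mattermost or Nginx; the portal URL, client ID, redirect URI and state value are assumed, and the sample request is constructed.

```python
"""Offline model of the gitlab_authorize rewrite shown above.

Added example, not code from LemonLDAP::NG, Mattermost or Nginx. It
reproduces what the Nginx rule does to the authorization request so the
resulting redirect can be inspected without a running portal. The portal
URL and the sample request are assumed/constructed values.
"""
import re
from typing import Dict, Optional
from urllib.parse import parse_qsl, urlsplit

PORTAL = "https://auth.example.com"  # assumed portal base URL, as in the rule above

# Same pattern as the Nginx rule; Nginx matches it against the path only,
# the query string is not part of the matched URI.
GITLAB_AUTHORIZE = re.compile(r"^/oauth2/gitlab_(authorize.*)$")


def rewrite_gitlab_authorize(request_uri: str) -> Optional[str]:
    """Return the Location Nginx would redirect to, or None if the rule
    does not apply.

    Two Nginx behaviours are modelled: an absolute https:// replacement
    turns the rewrite into a redirect, and when the replacement already
    contains arguments, the original query string is appended after them
    (a trailing '?' in the replacement would suppress that, which is
    exactly what we do not want here).
    """
    parts = urlsplit(request_uri)
    match = GITLAB_AUTHORIZE.match(parts.path)
    if match is None:
        return None
    location = f"{PORTAL}/oauth2/{match.group(1)}?scope=openid%20gitlab"
    if parts.query:
        location += "&" + parts.query
    return location


def oauth2_params(url: str) -> Dict[str, str]:
    """Decode the query string of an authorization URL into a dict."""
    return dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))


# Constructed sample: the shape of the request Mattermost's GitLab login
# sends to AuthEndpoint (client id, redirect URI and state are made up).
SAMPLE_REQUEST = (
    "/oauth2/gitlab_authorize?response_type=code&client_id=CHOOSE_A_CLIENT_ID"
    "&redirect_uri=https%3A%2F%2Fchat.example.com%2Fsignup%2Fgitlab%2Fcomplete"
    "&state=8f1c0e2b"
)

if __name__ == "__main__":
    location = rewrite_gitlab_authorize(SAMPLE_REQUEST)
    print(location)
    for key, value in sorted(oauth2_params(location).items()):
        print(f"  {key} = {value}")
```

The decoded parameters show that ''state'' (Mattermost's CSRF protection for the callback) and ''redirect_uri'' survive the redirect unchanged, which is what makes the shim transparent to Mattermost.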
==== Configuring LemonLDAP::NG ====

We now have to configure LemonLDAP::NG to recognize Mattermost as a valid OAuth2 relying party and send it the information it needs to identify a user.

[[ ../idpopenidconnect | Add a new OpenID Connect]] relying party with the following parameters:

    * **Client ID**: the same value you set as ''Id'' in the Mattermost configuration
    * **Client Secret**: the same value you set as ''Secret'' in the Mattermost configuration
    * Add a new scope in "Extra claims"
        * **Key**: ''gitlab''
        * **Value**: ''id username name email''
    * Add the following exported attributes
        * ''username'': the session attribute containing the user login
        * ''name'': the session attribute containing the user's full name
        * ''email'': the session attribute containing the user's email
        * ''id'': the session attribute containing the user's numeric ID

The ''gitlab'' extra scope is the one requested by the web server rewrite; it makes LemonLDAP::NG return the four claims listed above from its userinfo endpoint, which Mattermost reads through ''UserApiEndpoint''.

<note warning>
Mattermost absolutely needs to receive a numeric value in the ''id'' claim. If you are using an LDAP server, you can use the ''uidNumber'' LDAP attribute. If you use something else, you will have to find a way to assign a unique numeric ID to each Mattermost user.

The ''id'' attribute has to be different for each user, and must never change for a given user, since this is the field Mattermost uses internally to map GitLab identities to Mattermost accounts: two users sharing an ''id'' would be mapped to the same account, and an ''id'' that changes breaks the mapping for that user. If your identifier source can be reassigned (for instance a ''uidNumber'' reused after an account is deleted), the new owner of that number inherits the old Mattermost account.

Before enabling the integration, check the userinfo response for a test user and verify that ''id'' is returned as a number and not as a quoted string.
</note>
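The following added Python checker applies the rules from the warning above to decoded userinfo documents. It is example code written for this page, not LemonLDAP::NG or Mattermost code, and the userinfo samples in it are constructed; it flags a missing or non-integer ''id'', missing ''username''/''name''/''email'' claims, and an ''id'' shared by several users.

```python
"""Check userinfo claims against what Mattermost's GitLab integration needs.

Added example, not LemonLDAP::NG or Mattermost code. It applies the rules
from the warning above to a decoded userinfo document: id present and a JSON
integer (not a quoted string), username/name/email present and non-empty,
and id unique across users, since Mattermost keys its GitLab-to-account
mapping on it. The userinfo documents below are constructed samples.
"""
import json
from typing import Any, Dict, List

REQUIRED_STRING_CLAIMS = ("username", "name", "email")


def validate_claims(claims: Dict[str, Any]) -> List[str]:
    """Return the problems found in one user's claims; [] means usable."""
    problems: List[str] = []
    uid = claims.get("id")
    if uid is None:
        problems.append("missing 'id' claim")
    elif isinstance(uid, bool) or not isinstance(uid, int):
        # "10002" (a string) or 10002.0 (a float) are not the integer Mattermost expects
        problems.append(f"'id' must be a JSON integer, got {type(uid).__name__} {uid!r}")
    for name in REQUIRED_STRING_CLAIMS:
        value = claims.get(name)
        if not isinstance(value, str) or not value.strip():
            problems.append(f"'{name}' must be a non-empty string")
    return problems


def colliding_ids(userinfos: List[Dict[str, Any]]) -> Dict[Any, List[str]]:
    """Map every id shared by several users to the usernames that share it.

    A non-empty result means distinct identities would be mapped onto the
    same Mattermost account."""
    by_id: Dict[Any, List[str]] = {}
    for claims in userinfos:
        by_id.setdefault(claims.get("id"), []).append(str(claims.get("username")))
    return {uid: names for uid, names in by_id.items() if len(names) > 1}


# Constructed userinfo responses, decoded as Mattermost would receive them
# from UserApiEndpoint.
GOOD = json.loads(
    '{"id": 10001, "username": "alice", "name": "Alice Liddell", "email": "alice@example.com"}'
)
# What you get if the id attribute is exported as a string rather than a number.
STRING_ID = json.loads(
    '{"id": "10002", "username": "bob", "name": "Bob Ross", "email": "bob@example.com"}'
)
MISSING_EMAIL = json.loads('{"id": 10003, "username": "carol", "name": "Carol Danvers"}')
# Two users whose id source collides, e.g. a reused uidNumber.
COLLIDING = [
    GOOD,
    {"id": 10001, "username": "mallory", "name": "Mallory", "email": "mallory@example.com"},
]


def report(userinfos: List[Dict[str, Any]]) -> Dict[str, List[str]]:
    """Per-user problems plus collision findings, keyed by username."""
    findings = {str(c.get("username")): validate_claims(c) for c in userinfos}
    for uid, names in colliding_ids(userinfos).items():
        for name in names:
            findings.setdefault(name, []).append(
                f"id {uid!r} shared with {sorted(set(names) - {name})}"
            )
    return findings


if __name__ == "__main__":
    for user, problems in report([GOOD, STRING_ID, MISSING_EMAIL] + COLLIDING[1:]).items():
        print(user, "OK" if not problems else problems)
```

To use it against a real deployment, fetch ''/oauth2/userinfo'' with the access token of a few test users, decode each JSON response and feed the list to ''report()''; any non-empty finding is a login failure or an account mix-up waiting to happen.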