Issue Connecting SAML to Entra ID

Good Afternoon,

We are receiving an error that a SAML attribute is not available when attempting to log in via Entra SSO.

We are starting to set up Mattermost Entry Edition v11.2.1 for a small team of users. We are trying to connect the team to our Entra ID system and use SAML authentication. We have walked through the SAML 2.0 panel in the system console, and we are able to connect to our Entra system. The Get SAML Metadata from IdP says it connects successfully, with 2 fields and 1 cert being updated. We have entered the appropriate claims (Email == email, Username == name, ID == name). However, whenever we try to log in via SSO, Mattermost returns the error “SAML login was unsuccessful because one of the attributes is incorrect. Please contact your System Administrator.”

We installed a SAML sniffer extension in Edge, and the results suggest that the values we entered match what is returned from Entra. We’ve also tried adding another attribute name and that is also not working. A snippet of the sniffer’s POST response is pasted below.

<samlp:Status>
        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
</samlp:Status>

<AttributeStatement>
  <Attribute Name="http://schemas.microsoft.com/identity/claims/tenantid">
    <AttributeValue>12345</AttributeValue>
  </Attribute>
  <Attribute Name="http://schemas.microsoft.com/identity/claims/objectidentifier">
    <AttributeValue>12345</AttributeValue>
  </Attribute>
  <Attribute Name="http://schemas.microsoft.com/identity/claims/displayname">
    <AttributeValue>Test User</AttributeValue>
  </Attribute>
  <Attribute Name="http://schemas.microsoft.com/identity/claims/identityprovider">
    <AttributeValue>12345/</AttributeValue>
  </Attribute>
  <Attribute Name="http://schemas.microsoft.com/claims/authnmethodsreferences">
    <AttributeValue>12345</AttributeValue>
    <AttributeValue>12345</AttributeValue>
    <AttributeValue>12345</AttributeValue>
  </Attribute>
  <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
    <AttributeValue>Test</AttributeValue>
  </Attribute>
  <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname">
    <AttributeValue>User</AttributeValue>
  </Attribute>
  <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
    <AttributeValue>test.user@email.org</AttributeValue>
  </Attribute>
  <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
    <AttributeValue>test.user@email.org</AttributeValue>
  </Attribute>
  <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/email">
    <AttributeValue>test.user@email.org</AttributeValue>
  </Attribute>
</AttributeStatement>

Any help would be greatly appreciated.

Thank you.
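A way to compare configured attribute names against a captured assertion, as an added example that is not part of the original post or of Mattermost's code. It assumes the service provider compares the configured value with the `Attribute Name` string exactly; the sample XML is constructed from names in the capture above, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample, reusing attribute names from the captured response above.
SAMPLE = """<AttributeStatement xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
  <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
    <AttributeValue>test.user@email.org</AttributeValue>
  </Attribute>
  <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
    <AttributeValue>test.user@email.org</AttributeValue>
  </Attribute>
  <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/email">
    <AttributeValue>test.user@email.org</AttributeValue>
  </Attribute>
</AttributeStatement>"""

# Mapping as described in the post (field -> configured attribute name).
CONFIGURED = {"Email": "email", "Username": "name", "ID": "name"}

def local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tags."""
    return tag.rsplit("}", 1)[-1]

def parse_attributes(xml_text):
    """Return {Attribute Name: [values]} for every Attribute in the document."""
    root = ET.fromstring(xml_text)
    attrs = {}
    for el in root.iter():
        if local(el.tag) != "Attribute":
            continue
        values = [(v.text or "").strip() for v in el if local(v.tag) == "AttributeValue"]
        attrs.setdefault(el.get("Name", ""), []).extend(values)
    return attrs

def check_mapping(configured, attrs):
    """Classify each configured name: exact match, suffix-only match, or missing."""
    report = {}
    for field, wanted in configured.items():
        if wanted in attrs and any(attrs[wanted]):
            report[field] = ("exact", [wanted])
            continue
        # Names that only end in '/<wanted>' look like a match to the eye but are not equal.
        near = [n for n in attrs if n.rsplit("/", 1)[-1] == wanted]
        report[field] = ("suffix-only", near) if near else ("missing", [])
    return report

if __name__ == "__main__":
    for field, (status, names) in check_mapping(CONFIGURED, parse_attributes(SAMPLE)).items():
        print(f"{field}: {status} {names}")
```

A `suffix-only` result means the assertion carries a claim whose `Name` ends in the configured value but is not string-equal to it.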