Issues in configuring SAML SSO Okta with Mattermost

Troubleshooting
1

Summary

Issue when configuring SAML SSO Okta with Mattermost

Steps to reproduce

  1. I’ve installed Mattermost 5.26.0 on Ubuntu 18.04 to configure SAML SSO with Okta by referring to the documentation.
  2. When I tried logging in with SAML, I get the following error:
    image
    image1919×829 38.1 KB
  3. I get the error above soon as I set “Enable Encryption” as true.
  4. The certs that I used under the “Service Provider Private Key” and “Service Provider Public Certificate” are “saml-private.key” and “saml-public.crt”.
  5. These certs are the certs that are stored in /opt/mattermost/config

With that being said, I am unsure of which certs I should be used for the “Enable Encryption”. Below are the certs that I currently have (for better reference):

  1. mattermost-x509.crt (generated from gencert.sh)
  2. mattermost-x509.key (generated from gencert.sh)
  3. saml-idp.crt (stored under /opt/mattermost/config)
  4. saml-private.key (stored under /opt/mattermost/config)
  5. saml-public.crt (stored under /opt/mattermost/config)

Any suggestions/input would be greatly appreciated! Thank you.

1 Like
2

Hi @ytazky,

  1. mattermost-x509.crt (generated from gencert.sh) - is the encryption certificate which is uploaded to Okta, which is referred to as Service Provider Public Certificate.
  2. mattermost-x509.key (generated from gencert.sh) - is the certificate which should be uploaded within Mattermost as Service Provider Private Key.
  3. saml-idp.crt (stored under /opt/mattermost/config) - this is generated automatically when the Identity Provider Public Certificate (the X.509 Public Certificate file you downloaded from Okta) is uploaded within Mattermost.
  4. saml-private.key (stored under /opt/mattermost/config) - automatically generated when certs are uploaded.
  5. saml-public.crt (stored under /opt/mattermost/config) - automatically generated when certs are uploaded.

That been said, the error you encountered could be due to incorrect attribute statements. Could you do the following in the Okta Admin page:

  1. Go to General Tab → SAML settings
  2. Edit the ATTRIBUTE STATEMENTS to include Email, Username, FirstName and LastName.
  3. Remove any entries in GROUP ATTRIBUTE STATEMENTS
3

Hi @andrew.bimba,

Thanks for your reply! I appreciate it.

I’ve tried your suggested workaround but it is still reproducing the same issue. I’ve set the Email, Username, FirstName, and LastName attribute, however, I am not seeing any Group Attribute under SAML Settings.

I’ve attempted to restart Mattermost after setting Email, Username, FirstName, and LastName attribute but I am still getting the same initial error when trying to login with SAML.

In addition to this, I am providing the SAML settings in config.json of my Mattermost for further review on this issue.

"SamlSettings": {

    "Enable": true,
    "EnableSyncWithLdap": false,
    "EnableSyncWithLdapIncludeAuth": false,
    "Verify": false,
    "Encrypt": true,
    "SignRequest": false,
    "IdpUrl": "https://servicerockettazky123.okta.com/app/servicerocketorg872623_mattermost_1/exkq4obd5WpPgQc9v4x6/sso/saml",
    "IdpDescriptorUrl": "http://www.okta.com/exkq4obd5WpPgQc9v4x6",
    "IdpMetadataUrl": "",
    "ServiceProviderIdentifier": "http://localhost:8065/login/sso/saml",
    "AssertionConsumerServiceURL": "localhost:8065/login/sso/saml",
    "SignatureAlgorithm": "RSAwithSHA1",
    "CanonicalAlgorithm": "Canonical1.0",
    "ScopingIDPProviderId": "",
    "ScopingIDPName": "",
    "IdpCertificateFile": "saml-idp.crt",
    "PublicCertificateFile": "saml-public.crt",
    "PrivateKeyFile": "saml-private.key",
    "IdAttribute": "",
    "GuestAttribute": "",
    "EnableAdminAttribute": false,
    "AdminAttribute": "",
    "FirstNameAttribute": "FirstName",
    "LastNameAttribute": "LastName",
    "EmailAttribute": "Email",
    "UsernameAttribute": "Username",
    "NicknameAttribute": "",
    "LocaleAttribute": "",
    "PositionAttribute": "",
    "LoginButtonText": "SAML",
    "LoginButtonColor": "#34a28b",
    "LoginButtonBorderColor": "#2389D7",
    "LoginButtonTextColor": "#ffffff"
},

Thanks for your help, Andrew!

4

Hi Tazky,

Good to see you here!!!

Your configuration looks okay. Could you look into the log file /opt/mattermost/logs/mattermost.log and provide any errors related to SSO.

5

Hi @andrew.bimba,

Good to see you here, too!

Here’s the content of mattermost.log after the recent startup and SAML login error:

{“level”:“info”,“ts”:1598493859.0501144,“caller”:“app/web_hub.go:83”,“msg”:“Starting websocket hubs”,“number_of_hubs”:8}
{“level”:“info”,“ts”:1598493859.0672207,“caller”:“utils/i18n.go:83”,“msg”:“Loaded system translations”,“for locale”:“en”,“from locale”:“/opt/mattermost/i18n/en.json”}
{“level”:“info”,“ts”:1598493859.1160533,“caller”:“sqlstore/supplier.go:227”,“msg”:“Pinging SQL”,“database”:“master”}
{“level”:“info”,“ts”:1598493859.3144815,“caller”:“app/license.go:60”,“msg”:“License key valid unlocking enterprise features.”}
{“level”:“error”,“ts”:1598493859.3297205,“caller”:“app/server.go:404”,“msg”:“Mail server connection test is failed: SendEmailNotifications is not true”}
{“level”:“info”,“ts”:1598493859.3310964,“caller”:“app/server.go:440”,“msg”:“Current version is 5.26.0 (5.26.0/Wed Aug 12 20:40:27 UTC 2020/773ab352e845e1313c4b6a273ad1aae19e31f58c/2b8058134209f7600afade1268a7bae10fbe65ae)”,“current_version”:“5.26.0”,“build_number”:“5.26.0”,“build_date”:“Wed Aug 12 20:40:27 UTC 2020”,“build_hash”:“773ab352e845e1313c4b6a273ad1aae19e31f58c”,“build_hash_enterprise”:“2b8058134209f7600afade1268a7bae10fbe65ae”}
{“level”:“info”,“ts”:1598493859.331177,“caller”:“app/server.go:449”,“msg”:“Enterprise Build”,“enterprise_build”:true}
{“level”:“info”,“ts”:1598493859.3312008,“caller”:“app/server.go:455”,“msg”:“Printing current working”,“directory”:“/opt/mattermost”}
{“level”:“info”,“ts”:1598493859.3312266,“caller”:“app/server.go:456”,“msg”:“Loaded config”,“source”:“file:///opt/mattermost/config/config.json”}
{“level”:“info”,“ts”:1598493859.469355,“caller”:“sqlstore/post_store.go:1597”,“msg”:“Post.Message has size restrictions”,“max_characters”:16383,“max_bytes”:65535}
{“level”:“info”,“ts”:1598493859.4735372,“caller”:“bleveengine/bleve.go:267”,“msg”:“UpdateConf Bleve”}
{“level”:“info”,“ts”:1598493859.618432,“caller”:“app/server.go:783”,“msg”:“Starting Server…”}
{“level”:“info”,“ts”:1598493859.6187203,“caller”:“app/server.go:860”,“msg”:“Server is listening on [::]:8065”,“address”:“[::]:8065”}
{“level”:“info”,“ts”:1598493859.6187718,“caller”:“commands/server.go:106”,“msg”:“Sending systemd READY notification.”}
{“level”:“error”,“ts”:1598493926.307637,“caller”:“app/enterprise.go:175”,“msg”:“An error occurred while configuring SAML Service Provider”,“error”:“saml-public.crt/saml-private.key: cannot create key pair: tls: private key does not match public key”}
{“level”:“info”,“ts”:1598493926.333888,“caller”:“mlog/log.go:176”,“msg”:“Starting up plugins”}
{“level”:“info”,“ts”:1598493926.3341224,“caller”:“app/plugin.go:211”,“msg”:“Syncing plugins from the file store”}
{“level”:“info”,“ts”:1598493929.4420712,“caller”:“mlog/sugar.go:19”,“msg”:“Ensuring Surveybot exists”,“plugin_id”:“com.mattermost.nps”}
{“level”:“info”,“ts”:1598493929.4964304,“caller”:“app/license.go:60”,“msg”:“License key valid unlocking enterprise features.”}
{“level”:“info”,“ts”:1598493929.4819906,“caller”:“jobs/workers.go:77”,“msg”:“Starting workers”}
{“level”:“info”,“ts”:1598493929.501614,“caller”:“jobs/schedulers.go:78”,“msg”:“Starting schedulers.”}
{“level”:“error”,“ts”:1598493985.3485112,“caller”:“mlog/log.go:190”,“msg”:“An error occurred while parsing the response from the Identity Provider. Please contact your System Administrator.”,“path”:“/login/sso/saml”,“request_id”:“hwe1fu317ff8mnjnnjnamnkeyh”,“ip_addr”:“127.0.0.1”,“user_id”:“”,“method”:“POST”,“err_where”:“SamlInterfaceLibImpl.DoLogin”,“http_code”:302,“err_details”:“err=error validating response: unable to decrypt encrypted assertion: cannot decrypt, error retrieving private key: decryption tls.Certificate has no public certs attached”}

6

Hi Tazky,

Based on the error in the logs, it seems you do not have TLS/SSL configured on your Mattermost Server.

“http_code”:302,“err_details”:“err=error validating response: unable to decrypt encrypted assertion: cannot decrypt, error retrieving private key: decryption tls. Certificate has no public certs attached

For configuring SAML, you will need to configure TLS/SSL on the Mattermost Server.

For SAML config, the authorization server MUST require the use of TLS … The redirection endpoint SHOULD require the use of TLS … Access token credentials MUST only be transmitted using TLS.

Next Steps:

  1. You could follow this link to install NGINX and configure TLS/SSL How To Create a Self-Signed SSL Certificate for Nginx in Ubuntu 18.04 | DigitalOcean. You can skip Step 1: Create the SSL Certificate because you have already created the certificate mattermost-x509.crt & mattermost-x509.key.
  2. Configure TLS/SSL on Mattermost server using this link Redirect
7

Quick update here for others who found this post through searching that are using SAML with signing + encryption seeing the error message of:

err=error validating response: unable to decrypt encrypted assertion: cannot decrypt, error retrieving private key: decryption tls.Certificate has no public certs attached

It appears (possibly recently with the release of v5.29.1 on 2020.12.03) that Server is now validating the certificate defined in the config under SamlSettings.PublicCertificateFile actually matches against the private key in SamlSettings.PrivateKeyFile, whereas it previously may have functioned with a mismatched modulus between the two.

Troubleshooting wise, double check the certificate and key have the same modulus with:

openssl rsa -noout -modulus -in saml-private.key | openssl md5
openssl x509 -noout -modulus -in saml-public.crt | openssl md5