Mattermost iOS app 1.8.0 - SAML w/ADFS - Clicking login With SAML button displays white screen

Hi Community, I set up Mattermost with SAML using ADFS. From a web browser, ADFS works. I can log in using an account on Active Directory without issue on Mac and iOS. However, when using the 1.8.0 iOS app and even the Android app, when I start the app and choose my login method as "With SAML", I get a white screen with a blue single sign-on bar. I followed the doc here: https://docs.mattermost.com/deployment/sso-saml-adfs.html#configure-saml-synchronization-with-ad-ldap

Any ideas? Thanks!!


Hi @paull! Thank you for reaching out.

  1. Can you help share what Mattermost server version you are using?

  2. Are there any logs that you can help gather from around the time the issue occurs?

  3. If you don’t see any information in the logs, set the File Log Level in System Console > General > Logging to DEBUG and then reproduce the bug. If you can’t access the System Console, set the config value LogSettings > FileLevel to DEBUG.

@amy.blais , Absolutely.

Mattermost Enterprise Edition
Mattermost Version: 4.10.0
Database Schema Version: 4.10.0
Database: mysql

The only thing that appears in the server logs when I click the login with SAML is:
{"level":"debug","ts":1527267365.757236,"caller":"api/context.go:104","msg":"/login/sso/saml"}

Again, if I use a browser, SAML works. Don’t know if there is anything I need to enable to get the app to work. I’m talking with another peer of ours that is using Mattermost as well. We compared ADFS configurations and ours are the same. He gets exactly the same issue, i.e. it works with the browser but not with the app.

Thanks!

Hi @paull! Thank you for the additional information.

Just wanted to give you a quick update that I will ask a team member to help try to reproduce this. If we are unable to reproduce it I will ask our engineers what additional information we could ask you to help gather to troubleshoot this further.

@amy.blais Thanks for the help.

Hi @paull -

We have tested this and it appears that there is a broader issue with ADFS on mobile.

We were able to reproduce the issue both with basic email & password login and with SAML when using ADFS, and both resulted in a blank screen (on mobile). SAML using OneLogin and OKTA did not lead to any issues.

I created a ticket for this issue and I’ll attach it here so you can track its progress: https://mattermost.atlassian.net/browse/MM-10725.

Thank you for helping us track down this bug!

Hey @paull, two quick questions:

  1. Are you using ADFS with IWA (Integrated Windows Authentication)?
  2. Can you help verify your SSL certificates are correct? You can use https://www.ssllabs.com/ssltest/ to verify them.

Sorry for the late reply. I got Mattermost working with ADFS, but ran out of time to document.
Here is the update:

The customer is using ADFS 3.0 and Windows Integrated Authentication (WIA) is enabled as shown in the picture. This is a global setting.

From PowerShell on the Windows server, the Mozilla/5.0 user agent was added to the WIASupportedUserAgents for other apps. The Mattermost app uses Mozilla/5.0 in its user agent, so Windows Integrated Authentication is used by ADFS. It looks like the Mattermost app supports forms-based authentication, but not Windows Integrated Authentication.

The following command was set in my environment to enable the Mozilla/5.0 user agent as well as a long list of other user agents to support WIA.

Set-AdfsProperties -WIASupportedUserAgents @("MSAuthHost/1.0/In-Domain", "Mozilla/5.0", "Firefox/55.0", "MSIE 6.0", "MSIE 7.0; Windows NT", "MSIE 8.0", "MSIE 9.0", "MSIE 10.0; Windows NT 6", "Windows NT 6.3; Trident/7.0", "Windows NT 6.3; Win64; x64; Trident/7.0", "Windows NT 6.3; WOW64; Trident/7.0", "Windows NT 6.2; Trident/7.0", "Windows NT 6.2; Win64; x64; Trident/7.0", "Windows NT 6.2; WOW64; Trident/7.0", "Windows NT 6.1; Trident/7.0", "Windows NT 6.1; Win64; x64; Trident/7.0", "Windows NT 6.1; WOW64; Trident/7.0", "MSIPC", "Windows Rights Management Client")

For a test, I removed Mozilla/5.0 from the WIA Supported User Agents list.

Set-AdfsProperties -WIASupportedUserAgents @("MSAuthHost/1.0/In-Domain", "Firefox/55.0", "MSIE 6.0", "MSIE 7.0; Windows NT", "MSIE 8.0", "MSIE 9.0", "MSIE 10.0; Windows NT 6", "Windows NT 6.3; Trident/7.0", "Windows NT 6.3; Win64; x64; Trident/7.0", "Windows NT 6.3; WOW64; Trident/7.0", "Windows NT 6.2; Trident/7.0", "Windows NT 6.2; Win64; x64; Trident/7.0", "Windows NT 6.2; WOW64; Trident/7.0", "Windows NT 6.1; Trident/7.0", "Windows NT 6.1; Win64; x64; Trident/7.0", "Windows NT 6.1; WOW64; Trident/7.0", "MSIPC", "Windows Rights Management Client")

After that, when clicking login via SAML, I’m presented with an ADFS login screen and everything works.

However, in the real environment, the Mozilla/5.0 user agent cannot be removed.

Is there a way to get the Mattermost app to work with WIA?

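An added example (not from the thread or from Mattermost) that makes the point of the post above checkable before touching the farm: it reads the live WIASupportedUserAgents list and reports which entries would steer a given client into WIA rather than forms-based login. It assumes ADFS applies a case-insensitive substring match of the client's User-Agent against each entry, and the User-Agent samples below are constructed, not captured from the Mattermost app.

```powershell
# Added example: audit the ADFS WIASupportedUserAgents list for entries broad
# enough to match a client that cannot do WIA (such as the Mattermost mobile app).
# Assumption: ADFS performs WIA when the User-Agent *contains* any listed entry
# (case-insensitive substring match).

function Test-WiaSelected {
    param(
        [Parameter(Mandatory)] [string]   $UserAgent,
        [Parameter(Mandatory)] [string[]] $SupportedAgents
    )
    # Return every entry that would trigger WIA for this User-Agent; empty means
    # the client would be offered forms-based authentication instead.
    $SupportedAgents | Where-Object {
        $UserAgent.IndexOf($_, [System.StringComparison]::OrdinalIgnoreCase) -ge 0
    }
}

# Live list from the farm (run on an ADFS server with the ADFS module loaded).
$current = (Get-AdfsProperties).WIASupportedUserAgents

# Constructed samples; the Mattermost app's real User-Agent string is an assumption.
$samples = [ordered]@{
    'Domain-joined IE11'  = 'Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko'
    'Mattermost iOS app'  = 'Mozilla/5.0 (iPhone; CPU iPhone OS 11_4 like Mac OS X) AppleWebKit/605.1.15 Mattermost/1.8.0'
}

foreach ($name in $samples.Keys) {
    $hits = @(Test-WiaSelected -UserAgent $samples[$name] -SupportedAgents $current)
    if ($hits.Count -gt 0) {
        "{0}: WIA (matched: {1})" -f $name, ($hits -join ', ')
    } else {
        "{0}: forms-based" -f $name
    }
}

# A token as generic as "Mozilla/5.0" matches nearly every modern client, which is
# why the app above lands in WIA and shows a blank page. Flag it so the admin can
# judge whether the other apps that needed it can be served by narrower tokens
# (for example the Trident/7.0 entries already present in the list).
$broad = @($current | Where-Object { $_ -eq 'Mozilla/5.0' })
if ($broad.Count -gt 0) {
    "Broad entry present: 'Mozilla/5.0' will send WebKit- and Gecko-based clients to WIA"
}
```

Run it before and after any Set-AdfsProperties change to confirm the domain-joined browser still selects WIA while the app sample falls through to forms-based login.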

Hi @paull! This section in our docs might help: https://docs.mattermost.com/mobile/mobile-troubleshoot.html#login-with-adfs-is-not-working.

“Those instances set up for login with ADFS with integrated windows authentication (IWA) should configure automated fall back to form-based authentication if IWA fails.”

Let us know if this helps?

Hi Amy,

I was able to get the iOS apps working, and we are now testing Android, but my Enterprise License has expired. Is there any way to get another temporary license while getting the real account set up with Enterprise?

Thanks,
Paul

Hi @paull!

Here is more information on renewing Enterprise license: