Hi All,
Wanted to share this here in case it helps anyone in the future.
We had a customer using SAML and LDAP and encountered an issue with using the objectGUID as an ID Attribute in the LDAP and SAML Settings *. They wanted to migrate an active production environment to use a different unique and unchanging property for the IdAttribute under LDAP and SAML (in this case UserPrincipalName). Here are the steps they successfully followed to make the transition:
- Enable AD/LDAP Login
- Change AD ID Attribute to UserPrincipalName
- Remove SAML 2.0 ID Attribute
- Make sure the following are set in SAML 2.0 settings:
  a. Enable Login With SAML 2.0: True
  b. Enable Synchronizing SAML Accounts With AD/LDAP: True
  c. Override SAML bind data with AD/LDAP information: True
- Perform AD/LDAP Sync (after the sync, notice that the authdata in the database changes from objectGUID to email address.)
- Change SAML ID Attribute to UPN (UPN is set up as UserPrincipalName in the SAML Assertion)
- Disable AD/LDAP Login
* Note: Due to differences in how different SAML providers send the objectGUID property (related to endian-ness), SAML can fail. See the following Mattermost Server JIRA for details on additional handling coming in MM Server 5.25: [MM-25039]
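The endian-ness point in the footnote, as an added example that is not part of the original post: the same 16 objectGUID bytes rendered the way AD tools display them (first three fields little-endian) next to a byte-for-byte rendering, which is what a non-AD-aware IdP or library may put in an assertion. SAMPLE_OBJECTGUID is a constructed value, and the function names are my own.

```python
import base64
import uuid

# Constructed sample: 16 raw bytes as AD stores objectGUID (not a real directory object).
SAMPLE_OBJECTGUID = bytes.fromhex("00112233445566778899aabbccddeeff")


def ad_canonical(raw: bytes) -> str:
    """Render like AD tools do: the first three fields are little-endian on the wire."""
    return str(uuid.UUID(bytes_le=raw))


def naive_big_endian(raw: bytes) -> str:
    """Render byte-for-byte in RFC 4122 order, as an AD-unaware sender may do."""
    return str(uuid.UUID(bytes=raw))


def guid_to_base64(raw: bytes) -> str:
    """Some IdPs place the raw bytes in the assertion base64-encoded."""
    return base64.b64encode(raw).decode("ascii")


def guid_from_base64(value: str, little_endian_fields: bool = True) -> str:
    """Decode a base64 objectGUID. The caller must know the sender's convention:
    the 16 bytes alone do not say which byte order the sender intended."""
    raw = base64.b64decode(value, validate=True)
    if len(raw) != 16:
        raise ValueError(f"objectGUID must be 16 bytes, got {len(raw)}")
    return ad_canonical(raw) if little_endian_fields else naive_big_endian(raw)


def renderings_match(raw: bytes) -> bool:
    """True only when both renderings agree. For practically any real GUID they
    differ, which is why matching accounts on objectGUID across IdPs is fragile
    and why the post moves the IdAttribute to UserPrincipalName instead."""
    return ad_canonical(raw) == naive_big_endian(raw)


if __name__ == "__main__":
    print("AD canonical :", ad_canonical(SAMPLE_OBJECTGUID))
    print("naive order  :", naive_big_endian(SAMPLE_OBJECTGUID))
    print("base64 form  :", guid_to_base64(SAMPLE_OBJECTGUID))
    print("match        :", renderings_match(SAMPLE_OBJECTGUID))
```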