Problem with Entra ID SAML

Summary
SAML assertions don’t seem to work with Mattermost vs Entra ID

I have set up my E20 Mattermost as a SAML app in Entra/AAD and I can’t seem to figure out what Mattermost will accept as SAML Claims.

For example:

AAD has http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress so I put emailaddress in the Email Attribute field.

The log says this:

SAML login was unsuccessful because one of the attributes is incorrect. Please contact your System Administrator., emailaddress attribute is missing

Yet, the Received Assertion info directly above this has this:
Error{{urn:oasis:names:tc:SAML:2.0:assertion Attribute} http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress [{{urn:oasis:names:tc:SAML:2.0:assertion AttributeValue} tom@xxxxxxxx.com}]}

I don’t know what to do about this.

Hi @Tastle73, thank you for reaching out! It looks like the issue might be related to how the SAML attributes are being mapped. I recommend double-checking the Email Attribute field in your Mattermost SAML configuration to ensure it matches the exact attribute name being sent by Entra ID (e.g., email instead of emailaddress). You can find more details on configuring SAML in our SAML Single Sign-On documentation. Let us know if you need further assistance!
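
Added example, not part of the original thread and not Mattermost or Entra ID code: one way to check which attribute names an assertion actually carries before filling in the mapping fields. It parses a decoded assertion, lists each `Attribute` `Name`, and flags configured values that match only the last path segment of a received name. The sample assertion is constructed, the function names are hypothetical, and exact string comparison against `Name` is an assumption about the service provider.

```python
import xml.etree.ElementTree as ET

ASSERTION_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample (not a real IdP response); values are placeholders.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
      <saml:AttributeValue>user@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
      <saml:AttributeValue>Sample</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def assertion_attributes(xml_text):
    """Return {Attribute Name: [values]} from a decoded SAML assertion."""
    # Debugging aid only: no signature validation. Refuse DTDs so entity
    # expansion tricks in a pasted document are never parsed.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD/entity declarations are not allowed")
    attrs = {}
    for attr in ET.fromstring(xml_text).iter(f"{{{ASSERTION_NS}}}Attribute"):
        values = [v.text or "" for v in attr.iter(f"{{{ASSERTION_NS}}}AttributeValue")]
        attrs.setdefault(attr.get("Name", ""), []).extend(values)
    return attrs


def check_mapping(xml_text, mapping):
    """Compare configured attribute names with the Names actually received.

    Assumption: the service provider matches the configured string against
    the Attribute's Name exactly (case-sensitive, full string).
    """
    attrs = assertion_attributes(xml_text)
    report = {}
    for field, configured in mapping.items():
        # Near misses: received Names whose last path segment is the configured value.
        near = [n for n in attrs
                if n != configured and n.rsplit("/", 1)[-1].lower() == configured.lower()]
        report[field] = {"exact_match": configured in attrs, "candidates": near}
    return report


if __name__ == "__main__":
    for field, result in check_mapping(SAMPLE_ASSERTION, {"Email Attribute": "emailaddress"}).items():
        print(field, result)
```

A field reported with `exact_match` false and a non-empty `candidates` list means the configured value is a shortened form of a name the identity provider sent.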