When configuring SAML, one of the steps is to configure the identity provider with the service provider identity URL or URI. Normally this would be done using the SP URL or some other unique ID; however, MM has coded theirs to use the Identity Provider request URL. This is incorrect, as if every SP did this the IDP would have no way of telling them apart.
This can be seen in step 8 here: https://docs.mattermost.com/deployment/sso-saml-adfs.html. This link refers to the “relying party trust identifier” and treats it as being synonymous with the “identity provider issuer url”, but these are two very different things. It is actually synonymous with the service provider identity, as service provider and relying party are interchangeable references.
This value should be a unique SP value, not the value of the IDP, e.g. https://mattermost.example.com/login/sso/saml
Thanks for the feedback, I’ve opened a doc issue for this here: https://github.com/mattermost/docs/issues/3529.
Thanks, but it's more than a doc issue. The docs reflect the way the server currently works, so it is a code issue in that it should not be set up like this.
Any chance for you to share the value of Relying party trust identifier that you configured for step 8?
Since you mentioned that they are 2 different things, we can include this detail in the https://mattermost.atlassian.net/browse/MM-24434 ticket for future reference in case other users run into the same problem.
I used the as shown
to make it work. The problem is that ADFS now has a relying party whose ID it thinks is the ADFS URL.
This ID should be a value unique to the relying party/service provider. All other SSO apps we have configured SAML on define this as either the URL of the app or some form of uri:federation:app-name.
In the case of Mattermost I would expect this to be the SAML endpoint, https://mattermost.example.com/login/sso/saml.
This would mean ADFS sees these IDs:
compared to how it is now:
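The relying party identifier discussed in this thread is what the SP sends as the `<saml:Issuer>` of its AuthnRequest, and it is the value the IdP uses to tell its relying parties apart. As an added illustration (not code from Mattermost or from any poster in this thread), the following Python script builds a minimal SAML 2.0 AuthnRequest and then checks whether its Issuer collides with one of the IdP's own identifiers, which is the misconfiguration described above. The hostnames, the ADFS-style entity ID and the request ID are constructed values.

```python
import xml.etree.ElementTree as ET

# SAML 2.0 namespaces (standard OASIS URIs).
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)


def build_authn_request(sp_entity_id, acs_url, idp_sso_url, request_id="_constructed-request-1"):
    """Build a minimal AuthnRequest. The <saml:Issuer> is the SP entity ID,
    i.e. the value the IdP registers as the relying party identifier."""
    root = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": request_id,                      # constructed sample ID
        "Version": "2.0",
        "IssueInstant": "2020-01-01T00:00:00Z",  # constructed timestamp
        "Destination": idp_sso_url,            # where the request is sent
        "AssertionConsumerServiceURL": acs_url,  # where the response comes back
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    })
    issuer = ET.SubElement(root, f"{{{SAML}}}Issuer")
    issuer.text = sp_entity_id
    return ET.tostring(root, encoding="unicode")


def check_issuer(authn_request_xml, idp_identifiers):
    """Return None if the Issuer is a plausible unique SP identifier,
    otherwise a string describing the problem. `idp_identifiers` are the
    IdP's own entity ID and SSO endpoint(s); the request Destination is
    also treated as an IdP identifier, since it always points at the IdP."""
    root = ET.fromstring(authn_request_xml)
    issuer = root.find(f"{{{SAML}}}Issuer")
    if issuer is None or not (issuer.text or "").strip():
        return "AuthnRequest has no Issuer; the IdP cannot identify the SP"
    value = issuer.text.strip()
    known_idp_values = set(idp_identifiers) | {root.get("Destination", "")}
    if value in known_idp_values:
        return f"Issuer {value!r} is an IdP identifier, not a unique SP entity ID"
    return None


# Constructed sample values: an ADFS-style IdP and a Mattermost-style SP.
IDP_ENTITY_ID = "http://adfs.example.com/adfs/services/trust"
IDP_SSO_URL = "https://adfs.example.com/adfs/ls/"
SP_ENTITY_ID = "https://mattermost.example.com/login/sso/saml"
SP_ACS_URL = "https://mattermost.example.com/login/sso/saml"


def run_demo():
    """Compare a correctly identified SP with one that reuses the IdP URL."""
    good = build_authn_request(SP_ENTITY_ID, SP_ACS_URL, IDP_SSO_URL)
    bad = build_authn_request(IDP_SSO_URL, SP_ACS_URL, IDP_SSO_URL)
    idp_ids = [IDP_ENTITY_ID, IDP_SSO_URL]
    return {
        "good": check_issuer(good, idp_ids),
        "bad": check_issuer(bad, idp_ids),
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name}: {'ok' if result is None else result}")
```

Running the script reports `good: ok` for the SP that identifies itself with its own endpoint, and flags the second request, whose Issuer is the IdP's SSO URL. The same check can be run against a captured AuthnRequest from a real SP to confirm which identifier it actually presents to the IdP.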
Hi, @amy.blais @justinegeffen
May I know if the information provided by @Terafirma is sufficient for us to update the https://github.com/mattermost/docs/issues/3529 ticket?
If yes, may we know what will be the next step from his or my end? Thanks.