Integrate with Mattermost
Support level: Community
What is Mattermost?
Mattermost is an open source collaboration platform for team messaging, workflow orchestration, and integrations.
Preparation
The following placeholders are used in this guide:
- mattermost.company is the FQDN of the Mattermost installation.
- authentik.company is the FQDN of the authentik installation.
This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.
Configuration methods
Mattermost Team Edition supports OAuth 2.0; SAML is available only in Mattermost Enterprise Edition. This guide covers both: the Team Edition (OAuth 2.0) steps come first, followed by the Enterprise Edition (SAML) steps.
authentik configuration (Team Edition, OAuth 2.0)
In authentik versions earlier than 2026.5, all Redirect URIs are automatically treated as Authorization type. If you are using one of these older authentik versions, add only the Authorization URL to your Redirect URIs and do not configure a Post Logout URI.
To support the integration of Mattermost Team Edition with authentik, you need to create a property mapping and an application/provider pair in authentik.
Create a property mapping
- Log in to authentik as an administrator and open the authentik Admin interface.
- Navigate to Customization > Property Mappings and click Create. Create a Scope Mapping with the following settings:
  - Name: mattermost-read-user
  - Scope Name: read_user
  - Description: Mattermost Team Edition user profile
  - Expression:

```python
# authentik expression: `request` is supplied by authentik, and the returned
# dict becomes the JSON that Mattermost's GitLab login path reads from the
# user info endpoint.
username = request.user.username
return {
    "id": request.user.pk,
    "username": username,
    "login": username,
    "preferred_username": username,
    "email": request.user.email,
    "name": request.user.name or username,
}
```
Mattermost requires the id and email values from the user profile response. Ensure that users who log in to Mattermost have an email address in authentik.
Create an application and provider
- Log in to authentik as an administrator and open the authentik Admin interface.
- Navigate to Applications > Applications and click New Application to open the application wizard.
  - Application: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings.
  - Choose a Provider type: select OAuth2/OpenID Connect as the provider type.
  - Configure the Provider: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
    - Note the Client ID and Client Secret values because they will be required later.
    - Add the following Redirect URIs, both with Strict matching and type Authorization. Strict matching means authentik only hands authorization codes to these exact URLs, so enter them without trailing slashes or query strings:
      - https://mattermost.company/login/gitlab/complete
      - https://mattermost.company/signup/gitlab/complete
    - Under Advanced protocol settings, ensure that the openid scope and the mattermost-read-user scope mapping are selected.
  - Configure Bindings (optional): you can create a binding (policy, group, or user) to manage the listing and access to applications on a user's Application Dashboard page.
- Click Submit to save the new application and provider.
Mattermost configuration (Team Edition)
Mattermost Team Edition supports the GitLab OAuth 2.0 authentication path. This guide configures Mattermost's GitLab authentication settings to use authentik as the OAuth provider. GitLab is not required.
Mattermost displays this sign-in method as GitLab in some areas of the System Console. The login button text can be changed in config.json. If you are using a hosted Mattermost deployment without filesystem access to config.json, you cannot complete this setup.
Mattermost Team Edition does not let you freely set all required GitLab OAuth endpoint values in the System Console. Edit the Mattermost config.json file directly and update the GitLabSettings object.
```json
"GitLabSettings": {
    "Enable": true,
    "Secret": "<Client Secret from authentik>",
    "Id": "<Client ID from authentik>",
    "Scope": "",
    "AuthEndpoint": "https://authentik.company/application/o/authorize/",
    "TokenEndpoint": "https://authentik.company/application/o/token/",
    "UserAPIEndpoint": "https://authentik.company/application/o/userinfo/",
    "ButtonText": "Log in with authentik"
}
```
Restart Mattermost after saving the file.
Leave Scope empty as shown so authentik can issue the scopes selected on the provider.
If new Mattermost users should be created on first login, log in to Mattermost as an administrator, open the product menu, select System Console, and navigate to Authentication > Signup. Ensure account creation is enabled, or create Mattermost users before they log in with authentik.
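The config.json edit above, scripted as an added example (written for this page; it is not part of this guide, Mattermost or authentik): it derives the GitLabSettings object and the two Strict redirect URIs from the base URLs, merges the object into an existing config.json without touching its other keys, and checks the result for the mistakes that silently break or weaken the login (placeholder credentials, non-https or wrong-host endpoints, a non-empty Scope). The function names, the sample config and the credential strings are the example's own assumptions.

```python
import copy
import json
from urllib.parse import urlparse

# Base URLs taken from this guide's placeholders.
AUTHENTIK_BASE = "https://authentik.company"
MATTERMOST_BASE = "https://mattermost.company"

# Constructed stand-in for an existing config.json (not a real Mattermost file).
SAMPLE_CONFIG = {
    "ServiceSettings": {"SiteURL": MATTERMOST_BASE},
    "GitLabSettings": {"Enable": False, "ButtonColor": "#000000"},
}


def redirect_uris(site_url: str) -> tuple[str, str]:
    """The two callbacks Mattermost's GitLab login path uses; register exactly
    these in authentik with Strict matching."""
    base = site_url.rstrip("/")
    return (f"{base}/login/gitlab/complete", f"{base}/signup/gitlab/complete")


def build_gitlab_settings(client_id: str, client_secret: str,
                          authentik_base: str = AUTHENTIK_BASE,
                          button_text: str = "Log in with authentik") -> dict:
    """GitLabSettings object from this guide, with the three endpoints derived
    from the authentik base URL so they cannot drift apart."""
    base = authentik_base.rstrip("/")
    return {
        "Enable": True,
        "Secret": client_secret,
        "Id": client_id,
        "Scope": "",  # empty: authentik issues the scopes selected on the provider
        "AuthEndpoint": f"{base}/application/o/authorize/",
        "TokenEndpoint": f"{base}/application/o/token/",
        "UserAPIEndpoint": f"{base}/application/o/userinfo/",
        "ButtonText": button_text,
    }


def apply_gitlab_settings(config: dict, settings: dict) -> dict:
    """Return a copy of config with settings merged into GitLabSettings.
    Keys the guide does not mention keep their existing values."""
    merged = copy.deepcopy(config)
    merged.setdefault("GitLabSettings", {}).update(settings)
    return merged


def check_gitlab_settings(config: dict, authentik_host: str) -> list[str]:
    """Findings that would break or weaken the login; an empty list means it looks right."""
    gl = config.get("GitLabSettings", {})
    findings = []
    if gl.get("Enable") is not True:
        findings.append("Enable is not true")
    for key in ("Id", "Secret"):
        value = gl.get(key, "")
        if not value or value.startswith("<"):
            findings.append(f"{key} is empty or still a placeholder")
    for key in ("AuthEndpoint", "TokenEndpoint", "UserAPIEndpoint"):
        url = urlparse(gl.get(key, ""))
        if url.scheme != "https":
            findings.append(f"{key} is not https")  # the client secret and tokens travel here
        if url.netloc != authentik_host:
            findings.append(f"{key} does not point at {authentik_host}")
    if gl.get("Scope"):
        findings.append("Scope should be empty for authentik")
    site = urlparse(config.get("ServiceSettings", {}).get("SiteURL", ""))
    if site.scheme != "https":
        findings.append("ServiceSettings.SiteURL is not https; the redirect URIs derive from it")
    return findings


if __name__ == "__main__":
    # Placeholder credentials; copy the real values from the authentik provider.
    new_settings = build_gitlab_settings("client-id-from-authentik", "client-secret-from-authentik")
    merged = apply_gitlab_settings(SAMPLE_CONFIG, new_settings)
    print("register in authentik (Strict, Authorization):", *redirect_uris(MATTERMOST_BASE))
    print("findings:", check_gitlab_settings(merged, "authentik.company"))
    print(json.dumps(merged, indent=4))
```

Run the checks against the merged document before writing it back to config.json and restarting Mattermost; the placeholder check catches the common case of copying the angle-bracket strings from this guide verbatim.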
authentik configuration (Enterprise Edition, SAML)
authentik 2026.5 introduces changes to how the SAML provider behaves. Specifically, the provider now automatically sets the Issuer value to: https://authentik.company/application/saml/<application_slug>/metadata/
Older versions of authentik set this value to authentik by default. If you're running an older version, please set Issuer to https://authentik.company/application/saml/<application_slug>/metadata/, where <application_slug> is the slug that you selected for the application.
To support the integration of Mattermost Enterprise Edition with authentik via SAML, you need a certificate-key pair for Mattermost and an application/provider pair in authentik.
Prepare a Mattermost certificate-key pair
Use an existing certificate-key pair from authentik, or generate one if you do not already have one available.
To generate one:
- Log in to authentik as an administrator and open the authentik Admin interface.
- Navigate to System > Certificates and click Generate.
- Configure the following settings:
  - Common Name: mattermost.company
  - Private key Algorithm: RSA
- Click Generate.
- Click the caret next to the certificate-key pair you will use for Mattermost, then click Download Certificate and Download Private key.
These files will be required in the Mattermost configuration. Keep them safe. Mattermost uses the private key for request signing and assertion decryption.
Create an application and provider
- Log in to authentik as an administrator and open the authentik Admin interface.
- Navigate to Applications > Applications and click New Application to open the application wizard.
  - Application: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings. Take note of the Slug as it will be required later.
  - Choose a Provider type: select SAML Provider as the provider type.
  - Configure the Provider: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
    - Set the ACS URL to https://mattermost.company/login/sso/saml.
    - Set the Audience to https://mattermost.company/login/sso/saml.
    - Under Advanced protocol settings:
      - Select an available Signing Certificate.
      - Enable Sign responses.
      - Set the Verification Certificate to the Mattermost certificate-key pair. authentik uses it to validate the signature on the authentication requests Mattermost sends.
      - Set the Encryption Certificate to the Mattermost certificate-key pair. authentik uses it to encrypt assertions so that only Mattermost's private key can read them.
  - Configure Bindings (optional): you can create a binding (policy, group, or user) to manage the listing and access to applications on a user's Application Dashboard page.
- Click Submit to save the new application and provider.
Download the authentik signing certificate
- Navigate to Applications > Providers and click the name of the SAML provider you created earlier.
- Under Related objects > Download signing certificate, click Download. This certificate file will be required in the next section.
Mattermost configuration (Enterprise Edition)
- Log in to Mattermost as an administrator.
- Open the product menu, select System Console, and navigate to Authentication > SAML 2.0.
- Configure the following settings:
- Enable Login With SAML 2.0: enable this setting.
- Identity Provider Metadata URL: https://authentik.company/application/saml/<application_slug>/metadata/
- Click Get SAML Metadata from IdP to populate the Identity Provider fields from authentik metadata.
- Identity Provider Public Certificate: upload the authentik signing certificate you downloaded earlier if it was not populated from metadata.
- Verify Signature: enable this setting. Leave it enabled; without it Mattermost does not check that responses were signed by authentik.
- Service Provider Login URL: https://mattermost.company/login/sso/saml
- Service Provider Identifier: https://mattermost.company/login/sso/saml
- Enable Encryption: enable this setting.
- Service Provider Private Key: upload the Mattermost private key downloaded from authentik.
- Service Provider Public Certificate: upload the Mattermost certificate downloaded from authentik.
- Sign Request: enable this setting.
- Signature Algorithm: RSAwithSHA256
- Email Attribute: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
- Username Attribute: http://schemas.goauthentik.io/2021/02/saml/username
- Id Attribute: http://schemas.goauthentik.io/2021/02/saml/uid
- Click Save.
Ensure that users who log in to Mattermost have both an email address and username in authentik.
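The metadata fetched by Get SAML Metadata from IdP carries the Issuer (entityID), the single sign-on endpoints and the signing certificate that Verify Signature depends on. The following added example (written for this page; it is not authentik's or Mattermost's own code) parses such a metadata document, checks that its entityID matches the Issuer format described in the authentik section above, that the single sign-on endpoints are https, and that the certificate you downloaded is the one published in the metadata. The metadata document, the PEM certificate, the endpoint paths and the slug mattermost are constructed placeholders.

```python
import base64
import re
import xml.etree.ElementTree as ET

# Swap in defusedxml.ElementTree when the metadata comes from a source you do
# not control; the standard parser is fine here because the input is constructed.

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample data: a placeholder certificate, its PEM form as the
# Download signing certificate button would give it, and a minimal metadata
# document shaped like the one authentik publishes for a SAML provider.
FAKE_CERT_B64 = base64.b64encode(b"constructed placeholder, not a real certificate").decode()
SAMPLE_PEM = f"-----BEGIN CERTIFICATE-----\n{FAKE_CERT_B64}\n-----END CERTIFICATE-----\n"
SAMPLE_METADATA = f"""<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://authentik.company/application/saml/mattermost/metadata/">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{FAKE_CERT_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="{HTTP_REDIRECT}"
        Location="https://authentik.company/application/saml/mattermost/sso/binding/redirect/"/>
    <md:SingleSignOnService Binding="{HTTP_POST}"
        Location="https://authentik.company/application/saml/mattermost/sso/binding/post/"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def expected_issuer(authentik_base: str, slug: str) -> str:
    """Issuer that authentik 2026.5 sets by default; older releases need it set by hand."""
    return f"{authentik_base.rstrip('/')}/application/saml/{slug}/metadata/"


def pem_body(pem: str) -> str:
    """Base64 body of a PEM certificate with the header, footer and whitespace removed."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem)
    return re.sub(r"\s+", "", body)


def parse_idp_metadata(xml_text: str) -> dict:
    """Pull the fields Mattermost's SAML settings depend on out of IdP metadata."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # use="signing" or no use attribute: the key may sign responses
        if kd.get("use") in (None, "signing"):
            for cert in kd.findall(".//ds:X509Certificate", NS):
                certs.append(re.sub(r"\s+", "", cert.text or ""))
    sso = {s.get("Binding"): s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)}
    return {
        "entity_id": root.get("entityID"),
        "signing_certs": certs,
        "sso": sso,
        # true when the IdP expects signed AuthnRequests, which Sign Request produces
        "wants_signed_requests": idp.get("WantAuthnRequestsSigned") == "true",
    }


def check_idp_metadata(meta: dict, expected_entity_id: str, downloaded_pem: str) -> list[str]:
    """Findings against the Mattermost settings; an empty list means the metadata is usable."""
    findings = []
    if meta["entity_id"] != expected_entity_id:
        findings.append(f"entityID {meta['entity_id']!r} != expected Issuer {expected_entity_id!r}")
    if not meta["signing_certs"]:
        findings.append("no signing certificate in metadata; Verify Signature cannot work")
    elif pem_body(downloaded_pem) not in meta["signing_certs"]:
        findings.append("downloaded signing certificate is not the one published in metadata")
    if not (meta["sso"].keys() & {HTTP_REDIRECT, HTTP_POST}):
        findings.append("no HTTP-Redirect or HTTP-POST SingleSignOnService")
    for binding, location in meta["sso"].items():
        if not (location or "").startswith("https://"):
            findings.append(f"SingleSignOnService for {binding} is not https")
    return findings


if __name__ == "__main__":
    meta = parse_idp_metadata(SAMPLE_METADATA)
    issuer = expected_issuer("https://authentik.company", "mattermost")
    print("entityID:", meta["entity_id"])
    print("findings:", check_idp_metadata(meta, issuer, SAMPLE_PEM))
```

Feed it the document served at the Identity Provider Metadata URL and the certificate file from the provider's Related objects section; a mismatch on the entityID is the symptom of the pre-2026.5 default Issuer noted above, and a certificate mismatch means Mattermost would reject every signed response.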
Configuration verification
To confirm that authentik is properly configured with Mattermost, log out and log back in via authentik.