Class MattermostSamlIntegration

java.lang.Object
com.cloudforge.core.oidc.MattermostSamlIntegration
All Implemented Interfaces:
OidcIntegration

public class MattermostSamlIntegration extends Object implements OidcIntegration
SAML 2.0 integration for Mattermost.

Why SAML over OIDC:

  • SAML supports group synchronization via AD/LDAP integration
  • OIDC in Mattermost does NOT support LDAP data sync
  • SAML enables automatic team/channel membership management
  • Role mapping from IdP groups to Mattermost roles

AWS Cognito as SAML IdP:

  • Configure Cognito User Pool as SAML 2.0 Identity Provider
  • Set ACS URL to: https://{mattermost}/login/sso/saml
  • Map attributes: email, firstName, lastName, groups

IAM Identity Center as SAML IdP:

  • Create custom SAML 2.0 application in Identity Center
  • Configure attribute mappings for user attributes
  • Assign users and groups to the application

Group Sync (Enterprise):

With SAML + AD/LDAP sync enabled, Mattermost can:

  • Automatically add users to teams based on group membership
  • Manage channel membership via groups
  • Assign admin roles based on group membership
  • Constructor Details

    • MattermostSamlIntegration

      public MattermostSamlIntegration()
  • Method Details

    • isSupported

      public boolean isSupported()
      Description copied from interface: OidcIntegration
      Returns whether this application supports OIDC integration.
      Specified by:
      isSupported in interface OidcIntegration
      Returns:
      true if the application has OIDC support
    • getIntegrationMethod

      public String getIntegrationMethod()
      Description copied from interface: OidcIntegration
      Returns the OIDC integration method for this application.

      Examples:

      • jenkins: OIDC Plugin
      • gitlab: Built-in OmniAuth
      • grafana: Built-in generic_oauth
      • sonarqube: OIDC Plugin
      Specified by:
      getIntegrationMethod in interface OidcIntegration
      Returns:
      integration method description
    • getEnvironmentVariables

      public Map<String,String> getEnvironmentVariables(OidcConfiguration config)
      Description copied from interface: OidcIntegration
      Returns environment variables needed for OIDC configuration.

      These are passed to the container or EC2 userdata script.

      Example for Grafana:

       GF_AUTH_GENERIC_OAUTH_ENABLED=true
       GF_AUTH_GENERIC_OAUTH_NAME=Cognito
       GF_AUTH_GENERIC_OAUTH_CLIENT_ID=${clientId}
       GF_AUTH_GENERIC_OAUTH_AUTH_URL=${authUrl}
       
      Specified by:
      getEnvironmentVariables in interface OidcIntegration
      Parameters:
      config - OIDC configuration from provider
      Returns:
      map of environment variable name to value
    • getUserDataCommands

      public List<String> getUserDataCommands(OidcConfiguration config, Ec2Context context)
      Description copied from interface: OidcIntegration
      Returns UserData commands for setting up OIDC integration.

      These commands are added to the EC2 userdata script to configure OIDC integration during instance initialization.

      Specified by:
      getUserDataCommands in interface OidcIntegration
      Parameters:
      config - OIDC configuration from provider
      context - EC2 context with stack information
      Returns:
      list of shell commands
    • getContainerStartupCommand

      public String getContainerStartupCommand()
      Description copied from interface: OidcIntegration
      Returns the application startup command for Fargate containers.

      This command is used to start the application after the OIDC configuration file has been created. Each application has a different startup script.

      Examples:

      • Jenkins: /usr/local/bin/jenkins.sh
      • GitLab: /assets/wrapper
      • Grafana: /run.sh
      • Mattermost: /mattermost/bin/mattermost (distroless - Go binary)
      Specified by:
      getContainerStartupCommand in interface OidcIntegration
      Returns:
      startup command path
    • isDistroless

      public boolean isDistroless()
      Description copied from interface: OidcIntegration
      Returns whether the container image is distroless (has no shell).

      Distroless images contain only the application binary and dependencies, without a shell (/bin/sh). This affects how OIDC configuration is applied:

      • Normal images: Use /bin/sh -c to write config files at startup
      • Distroless images: Must use environment variables only

      Examples of distroless images:

      • mattermost/mattermost-team-edition - Go binary, no shell
      • gcr.io/distroless/* - Google distroless images
      Specified by:
      isDistroless in interface OidcIntegration
      Returns:
      true if the container is distroless and has no shell
    • supportsCognito

      public boolean supportsCognito()
      Description copied from interface: OidcIntegration
      Returns whether this application supports Cognito as an identity provider.

      Cognito provides:

      • User pool with email/password authentication
      • MFA support (TOTP, SMS)
      • OAuth 2.0 / OIDC endpoints
      • Hosted UI for login
      Specified by:
      supportsCognito in interface OidcIntegration
      Returns:
      true if Cognito OIDC is supported (default: true)
    • supportsIdentityCenterSaml

      public boolean supportsIdentityCenterSaml()
      Description copied from interface: OidcIntegration
      Returns whether this application supports IAM Identity Center SAML.

      IAM Identity Center (formerly AWS SSO) provides:

      • SAML 2.0 authentication
      • Enterprise directory integration
      • Group-based access control
      • Centralized user management

      Applications that use SAML (Mattermost, Metabase) support this. Applications that only use OIDC may not.

      Specified by:
      supportsIdentityCenterSaml in interface OidcIntegration
      Returns:
      true if IAM Identity Center SAML is supported (default: false)
    • getAuthenticationType

      public String getAuthenticationType()
      Description copied from interface: OidcIntegration
      Returns the authentication type this integration uses.
      Specified by:
      getAuthenticationType in interface OidcIntegration
      Returns:
      "OIDC" or "SAML"
    • getPostDeploymentInstructions

      public String getPostDeploymentInstructions()
      Description copied from interface: OidcIntegration
      Returns post-deployment instructions for completing OIDC setup.

      Some applications require manual steps after deployment (e.g., installing plugins).

      Specified by:
      getPostDeploymentInstructions in interface OidcIntegration
      Returns:
      human-readable instructions (optional)
    • getSamlCertificateMountPath

      public String getSamlCertificateMountPath()
      Description copied from interface: OidcIntegration
      Returns the directory path where SAML certificate should be mounted.

      This path is used by the init container to write the certificate and by the main container to read it.

      Examples:

      • Mattermost: /mattermost/saml (NOT /mattermost/config to avoid conflicts)
      • Metabase: /metabase/saml
      Specified by:
      getSamlCertificateMountPath in interface OidcIntegration
      Returns:
      mount path for SAML certificate directory
    • getSamlCertificateFilePath

      public String getSamlCertificateFilePath()
      Description copied from interface: OidcIntegration
      Returns the full file path for the SAML IdP certificate.

      This is the complete path including filename where the certificate will be written. Applications reference this path in their SAML configuration.

      Specified by:
      getSamlCertificateFilePath in interface OidcIntegration
      Returns:
      full path to the certificate file
    • getSamlCertificateEnvVar

      public String getSamlCertificateEnvVar()
      Description copied from interface: OidcIntegration
      Returns the environment variable name for the SAML certificate path.

      Applications configure SAML via environment variables. This returns the variable name that holds the certificate file path.

      Examples:

      • Mattermost: MM_SAMLSETTINGS_IDPCERTIFICATEFILE
      • Metabase: MB_SAML_IDENTITY_PROVIDER_CERTIFICATE
      Specified by:
      getSamlCertificateEnvVar in interface OidcIntegration
      Returns:
      environment variable name for certificate path, or null if not applicable
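The distroless rule under isDistroless and the three certificate accessors (getSamlCertificateMountPath, getSamlCertificateFilePath, getSamlCertificateEnvVar) together describe how the IdP certificate reaches a shell-less Mattermost container: an init container writes it under the mount path, the main container reads it through MM_SAMLSETTINGS_IDPCERTIFICATEFILE. The Python below is an added example, not CloudForge code: a hypothetical SamlIntegration stand-in for those accessor values and a builder for the two ECS container definitions, which also checks that the certificate path resolves inside the mount and that the distroless main container runs the bare binary with no /bin/sh -c wrapper. The file name idp.crt, the volume and container names, and the IDP_CERT variable are assumptions.

```python
from dataclasses import dataclass
from posixpath import commonpath, normpath


@dataclass(frozen=True)
class SamlIntegration:
    """Constructed stand-in for the accessor values the Javadoc lists."""
    startup_command: str   # getContainerStartupCommand()
    distroless: bool       # isDistroless()
    cert_mount_path: str   # getSamlCertificateMountPath()
    cert_file_path: str    # getSamlCertificateFilePath()
    cert_env_var: str      # getSamlCertificateEnvVar()


MATTERMOST = SamlIntegration(
    startup_command="/mattermost/bin/mattermost",
    distroless=True,
    cert_mount_path="/mattermost/saml",          # not /mattermost/config
    cert_file_path="/mattermost/saml/idp.crt",   # file name is assumed
    cert_env_var="MM_SAMLSETTINGS_IDPCERTIFICATEFILE",
)


def validate(integ: SamlIntegration) -> list[str]:
    """Return layout problems; an empty list means the cert wiring is sound."""
    problems = []
    mount, cert = normpath(integ.cert_mount_path), normpath(integ.cert_file_path)
    if cert == mount or commonpath([mount, cert]) != mount:
        problems.append("certificate file must resolve inside the mount directory")
    if mount == "/mattermost/config":
        problems.append("mounting over /mattermost/config conflicts with app config")
    if integ.distroless and not integ.startup_command.startswith("/"):
        problems.append("distroless image needs an absolute binary path, no shell")
    return problems


def container_definitions(integ: SamlIntegration, idp_cert_pem: str) -> list[dict]:
    """Init container (has a shell) writes the cert; distroless main reads it."""
    problems = validate(integ)
    if problems:
        raise ValueError("; ".join(problems))
    mount = {"sourceVolume": "saml-cert", "containerPath": integ.cert_mount_path}
    init = {"name": "saml-cert-init", "essential": False, "mountPoints": [mount],
            "environment": [{"name": "IDP_CERT", "value": idp_cert_pem}],
            "command": ["/bin/sh", "-c", f'printf "%s" "$IDP_CERT" > {integ.cert_file_path}']}
    main = {"name": "mattermost", "essential": True,
            "command": [integ.startup_command],   # no /bin/sh -c wrapper: none exists
            "environment": [{"name": integ.cert_env_var, "value": integ.cert_file_path}],
            "mountPoints": [{**mount, "readOnly": True}],
            "dependsOn": [{"containerName": "saml-cert-init", "condition": "SUCCESS"}]}
    return [init, main]
```

The main container mounts the volume read-only and starts only after the init container exits successfully, so a missing or malformed certificate surfaces as a task-start failure rather than as a silently unsigned SAML flow.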