I'm trying to use WSO2is as a service provider for Mattermost CE. My idea is to use the Mattermost GitHub social login feature with WSO2is instead of GitHub.
To do that, I have configured Wso2is with Oauth service provider, which works fine. I'm able to authenticate myself and Mattermost accept the token. However, Mattermost can't log me in.
After some digging, I strongly suggest that this issue came from Claims. Mattermost and Wso2is can't speak the same "language". I have tried lots of unsuccessful configurations, especially with http://wso2.org/oidc/claim.
I'm wondering if anyone knows how to configure Wso2is with Mattermost?
For information, this is one of my tested configurations :
<?xml version="1.0" encoding="UTF-8"?><ServiceProvider>
<ApplicationName>Mattermost</ApplicationName>
<Description>test</Description>
<InboundAuthenticationConfig>
<InboundAuthenticationRequestConfigs>
<InboundAuthenticationRequestConfig>
<InboundAuthKey>Mattermost</InboundAuthKey>
<InboundAuthType>openid</InboundAuthType>
<InboundConfigType>standardAPP</InboundConfigType>
<Properties/>
</InboundAuthenticationRequestConfig>
<InboundAuthenticationRequestConfig>
<InboundAuthKey>Mattermost</InboundAuthKey>
<InboundAuthType>passivests</InboundAuthType>
<InboundConfigType>standardAPP</InboundConfigType>
<Properties/>
</InboundAuthenticationRequestConfig>
<InboundAuthenticationRequestConfig>
<InboundAuthKey>_FPI1OvbJHV_3In6kdYiQMmnIZIa</InboundAuthKey>
<InboundAuthType>oauth2</InboundAuthType>
<InboundConfigType>standardAPP</InboundConfigType>
<inboundConfiguration><![CDATA[<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<oAuthAppDO>
<oauthConsumerKey>_FPI1OvbJHV_3In6kdYiQMmnIZIa</oauthConsumerKey>
<oauthConsumerSecret>tPelnXdrnQjr0cpn2pxPT9YuQkUa</oauthConsumerSecret>
<applicationName>Mattermost</applicationName>
<callbackUrl>https://team.ticoop.fr/signup/gitlab/complete</callbackUrl>
<oauthVersion>OAuth-2.0</oauthVersion>
<grantTypes>refresh_token urn:ietf:params:oauth:grant-type:saml2-bearer implicit password client_credentials iwa:ntlm authorization_code urn:ietf:params:oauth:grant-type:jwt-bearer </grantTypes>
<scopeValidators/>
<pkceSupportPlain>true</pkceSupportPlain>
<pkceMandatory>false</pkceMandatory>
<userAccessTokenExpiryTime>3600</userAccessTokenExpiryTime>
<applicationAccessTokenExpiryTime>3600</applicationAccessTokenExpiryTime>
<refreshTokenExpiryTime>84600</refreshTokenExpiryTime>
<idTokenExpiryTime>3600</idTokenExpiryTime>
<audiences/>
<bypassClientCredentials>false</bypassClientCredentials>
<requestObjectSignatureValidationEnabled>false</requestObjectSignatureValidationEnabled>
<idTokenEncryptionEnabled>false</idTokenEncryptionEnabled>
<idTokenEncryptionAlgorithm>null</idTokenEncryptionAlgorithm>
<idTokenEncryptionMethod>null</idTokenEncryptionMethod>
<backChannelLogoutUrl></backChannelLogoutUrl>
<tokenType>JWT</tokenType>
</oAuthAppDO>
]]></inboundConfiguration>
<Properties/>
</InboundAuthenticationRequestConfig>
</InboundAuthenticationRequestConfigs>
</InboundAuthenticationConfig>
<LocalAndOutBoundAuthenticationConfig>
<AuthenticationSteps/>
<AuthenticationType>default</AuthenticationType>
<alwaysSendBackAuthenticatedListOfIdPs>false</alwaysSendBackAuthenticatedListOfIdPs>
<subjectClaimUri>http://wso2.org/claims/emailaddress</subjectClaimUri>
<UseTenantDomainInUsername>false</UseTenantDomainInUsername>
<UseUserstoreDomainInRoles>true</UseUserstoreDomainInRoles>
<UseUserstoreDomainInUsername>false</UseUserstoreDomainInUsername>
<EnableAuthorization>false</EnableAuthorization>
</LocalAndOutBoundAuthenticationConfig>
<RequestPathAuthenticatorConfigs/>
<InboundProvisioningConfig>
<ProvisioningUserStore/>
<IsProvisioningEnabled>false</IsProvisioningEnabled>
<IsDumbModeEnabled>false</IsDumbModeEnabled>
</InboundProvisioningConfig>
<OutboundProvisioningConfig>
<ProvisioningIdentityProviders/>
</OutboundProvisioningConfig>
<ClaimConfig>
<RoleClaimURI/>
<LocalClaimDialect>true</LocalClaimDialect>
<IdpClaim/>
<ClaimMappings>
<ClaimMapping>
<LocalClaim>
<ClaimUri>http://wso2.org/claims/username</ClaimUri>
<claimId>0</claimId>
</LocalClaim>
<RemoteClaim>
<ClaimUri>http://wso2.org/claims/username</ClaimUri>
<claimId>0</claimId>
</RemoteClaim>
<RequestClaim>true</RequestClaim>
<MandatoryClaim>false</MandatoryClaim>
</ClaimMapping>
<ClaimMapping>
<LocalClaim>
<ClaimUri>http://wso2.org/claims/fullname</ClaimUri>
<claimId>0</claimId>
</LocalClaim>
<RemoteClaim>
<ClaimUri>http://wso2.org/claims/fullname</ClaimUri>
<claimId>0</claimId>
</RemoteClaim>
<RequestClaim>true</RequestClaim>
<MandatoryClaim>false</MandatoryClaim>
</ClaimMapping>
<ClaimMapping>
<LocalClaim>
<ClaimUri>http://wso2.org/claims/photourl</ClaimUri>
<claimId>0</claimId>
</LocalClaim>
<RemoteClaim>
<ClaimUri>http://wso2.org/claims/photourl</ClaimUri>
<claimId>0</claimId>
</RemoteClaim>
<RequestClaim>true</RequestClaim>
<MandatoryClaim>false</MandatoryClaim>
</ClaimMapping>
<ClaimMapping>
<LocalClaim>
<ClaimUri>http://wso2.org/claims/emailaddress</ClaimUri>
<claimId>0</claimId>
</LocalClaim>
<RemoteClaim>
<ClaimUri>http://wso2.org/claims/emailaddress</ClaimUri>
<claimId>0</claimId>
</RemoteClaim>
<RequestClaim>true</RequestClaim>
<MandatoryClaim>false</MandatoryClaim>
</ClaimMapping>
<ClaimMapping>
<LocalClaim>
<ClaimUri>http://wso2.org/claims/url</ClaimUri>
<claimId>0</claimId>
</LocalClaim>
<RemoteClaim>
<ClaimUri>http://wso2.org/claims/url</ClaimUri>
<claimId>0</claimId>
</RemoteClaim>
<RequestClaim>true</RequestClaim>
<MandatoryClaim>false</MandatoryClaim>
</ClaimMapping>
<ClaimMapping>
<LocalClaim>
<ClaimUri>http://wso2.org/claims/active</ClaimUri>
<claimId>0</claimId>
</LocalClaim>
<RemoteClaim>
<ClaimUri>http://wso2.org/claims/active</ClaimUri>
<claimId>0</claimId>
</RemoteClaim>
<RequestClaim>true</RequestClaim>
<MandatoryClaim>false</MandatoryClaim>
</ClaimMapping>
<ClaimMapping>
<LocalClaim>
<ClaimUri>http://wso2.org/claims/nickname</ClaimUri>
<claimId>0</claimId>
</LocalClaim>
<RemoteClaim>
<ClaimUri>http://wso2.org/claims/nickname</ClaimUri>
<claimId>0</claimId>
</RemoteClaim>
<RequestClaim>true</RequestClaim>
<MandatoryClaim>false</MandatoryClaim>
</ClaimMapping>
<ClaimMapping>
<LocalClaim>
<ClaimUri>http://wso2.org/claims/identity/emailVerified</ClaimUri>
<claimId>0</claimId>
</LocalClaim>
<RemoteClaim>
<ClaimUri>http://wso2.org/claims/identity/emailVerified</ClaimUri>
<claimId>0</claimId>
</RemoteClaim>
<RequestClaim>true</RequestClaim>
<MandatoryClaim>false</MandatoryClaim>
</ClaimMapping>
</ClaimMappings>
<AlwaysSendMappedLocalSubjectId>false</AlwaysSendMappedLocalSubjectId>
<SPClaimDialects>
<SPClaimDialect>http://wso2.org/oidc/claim</SPClaimDialect>
</SPClaimDialects>
</ClaimConfig>
<PermissionAndRoleConfig>
<Permissions/>
<RoleMappings/>
<IdpRoles/>
</PermissionAndRoleConfig>
<IsSaaSApp>false</IsSaaSApp>
</ServiceProvider>Notice : It's needed to change Mattermost Gitlab configuration URL from /ouath/ to /oauth2/ for Wso2is.
Thank you
Regards
I was unable to solve this issue with wso2is. Indeed, it does appear wso2is doesn't send claims with the token. Moreover, Git token structure uses an integer as ID, not a string. So, is not possible to use the default user GUID generated be almost all IAM.
To answer my need, I found another solution: KeyCloak. KeyCloak works fine and it allow to define claims by code, so it's possible to auto-generate the integer ID needed for Mattermost.
Regards,