docs: clarify Entra ID SAML attribute namespace matching #9003
ewwollesen wants to merge 1 commit into
Conversation
Mattermost matches SAML assertion attributes by their full Name (including namespace) exactly. Entra ID emits built-in claims under the http://schemas.xmlsoap.org/ws/2005/05/identity/claims/ namespace by default, so entering short names (e.g. "email", "name") in the Mattermost attribute fields silently fails to match, producing "<attribute> attribute is missing" login errors.

- sso-saml-entraid.rst: add an important note under the Attributes & Claims step explaining exact full-name matching and the two ways to reconcile it; cross-reference from the Mattermost attribute step.
- sso-saml-faq.rst: add a troubleshooting entry for the "one of the attributes is incorrect" / "<attribute> attribute is missing" failure (included on all SAML provider pages).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Pull request overview
Adds documentation guidance for a recurring SAML support issue: Mattermost matches SAML attribute names character-for-character against the IdP assertion, including any namespace prefix. The Entra ID guide and the shared SAML FAQ are updated so admins understand and can troubleshoot the "<attribute> attribute is missing" login failure caused by namespaced claim names.
Changes:
- Add an `.. important::` block under step 9 of the Entra ID guide explaining full-name (namespace-aware) matching and the two reconciliation paths (clear the namespace in Entra, or use the fully-qualified name in Mattermost), plus a cross-reference from step 15.
- Add a provider-agnostic FAQ entry covering the "one of the attributes is incorrect" error, with guidance to inspect the assertion via SAML-tracer.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| source/administration-guide/onboard/sso-saml-entraid.rst | Adds emphasis on namespaces in step 9.b, an `.. important::` block detailing the namespace pitfall and two fixes, and a pointer from step 15 to that note. |
| source/administration-guide/onboard/sso-saml-faq.rst | Adds a new FAQ entry explaining the "<attribute> attribute is missing" failure and how to resolve it, included on all SAML provider pages. |
I did not find any blocking issues. Verified:
- The `.. important::` directive at column 0 follows the same pattern as the existing `.. note::` block between steps 14 and 15 in the same file, and the surrounding numbered list uses explicit numbering (10–15), so the directive does not disrupt list continuity.
- The FAQ heading underline (`~`) length is sufficient for the new question heading.
- Cross-reference text ("step 15 of Configure SAML Sign-On for Mattermost" and "step 9 of the Set up an enterprise app for Mattermost SSO in Entra ID section") matches the actual headings and step numbering in the file.
- The SAML-tracer external link target is identical in both files.
Verification gap: I did not independently confirm the exact server log string "<attribute> attribute is missing" against the Mattermost server source; the PR description attributes it to a specific support ticket, which is reasonable.
Walkthrough
This PR enhances Mattermost's SAML authentication documentation by adding detailed guidance on claim name matching. The Entra ID configuration guide now explains namespace handling and provides troubleshooting steps, while the Mattermost setup instructions emphasize exact claim name alignment. A new FAQ section addresses common SAML login failures caused by attribute mismatches.
Changes: SAML Claim Name Matching Guidance
Estimated code review effort: 1 (Trivial), ~4 minutes. Pre-merge checks: 5 passed.
Nitpick comments (1)
source/administration-guide/onboard/sso-saml-faq.rst (1)
Lines 42-46: Quick win: use numbered steps for the resolution procedure.
This is an actionable procedure; numbering improves run order and novice readability.
As per coding guidelines: "Use numbered, atomic steps (one action per step) when providing procedural instructions".
Suggested minimal diff:
To resolve this: -- Capture and decode the SAML response (for example, with the `SAML-tracer <https://addons.mozilla.org/firefox/addon/saml-tracer/>`__ browser extension) and read the ``Name`` attribute of each ``<Attribute>`` element in the ``<AttributeStatement>``. -- Set each Mattermost attribute field to the **exact** ``Name`` value from the assertion — including any namespace prefix — or reconfigure the IdP to emit the claim under the short name you want to use in Mattermost. +1. Capture and decode the SAML response (for example, with the `SAML-tracer <https://addons.mozilla.org/firefox/addon/saml-tracer/>`__ browser extension) and read the ``Name`` attribute of each ``<Attribute>`` element in the ``<AttributeStatement>``. +2. Set each Mattermost attribute field to the **exact** ``Name`` value from the assertion — including any namespace prefix — or reconfigure the IdP to emit the claim under the short name you want to use in Mattermost.🤖 Prompt for AI Agents
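Review bot: the suggested step 2 still bundles two alternatives in one step ("Set each Mattermost attribute field to the exact Name value ... or reconfigure the IdP to emit the claim under the short name"), so it does not meet the "one action per step" guideline the comment cites; keep step 2 as the exact-Name fix and move the IdP reconfiguration into its own step or a trailing "Alternatively" sentence. The accompanying AI-agent prompt in this same comment describes four steps, which does not match the two-step diff; the two should agree before the suggestion is applied.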
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@source/administration-guide/onboard/sso-saml-faq.rst` around lines 42 - 46, The procedure is currently an unnumbered bullet list; convert it into numbered, atomic steps so each action is a separate step and order is clear: 1) Capture and decode the SAML response (e.g., using the SAML-tracer browser extension) 2) Inspect each <Attribute> element inside the <AttributeStatement> and read the Name attribute value 3) For each Mattermost attribute field, set it to the exact Name value (including any namespace prefix) from the assertion 4) Alternatively, reconfigure the IdP to emit the claim under the short name you want to use in Mattermost; ensure each step references the exact symbols (<Attribute>, <AttributeStatement>, Name, Mattermost attribute field, IdP, SAML-tracer) so reviewers can locate and verify the changes.
Newest code from mattermost has been published to preview environment for Git SHA 0d3ece8
Summary
Mattermost matches SAML assertion attributes by their full Name (or FriendlyName), including any namespace, character-for-character. Microsoft Entra ID emits its built-in claims under the http://schemas.xmlsoap.org/ws/2005/05/identity/claims/ namespace by default, so an admin who enters the short name shown in the Entra UI (e.g. email, name) into the Mattermost attribute fields gets a silent mismatch and login fails with:

The current Entra ID guide mentions editing "claim names and namespaces" but doesn't explain that the value entered in Mattermost must be the fully-qualified claim name (or that the namespace must be cleared in Entra). The SAML FAQ has no entry for this error at all. This is a recurring support issue.

Changes
- sso-saml-entraid.rst: add an `.. important::` note under the Attributes & Claims step explaining exact full-name matching, the two ways to reconcile it (clear the namespace in Entra, or use the fully-qualified name in Mattermost), and how to confirm the real claim names with SAML-tracer. Cross-referenced from the Mattermost-side attribute step.
- sso-saml-faq.rst: add a provider-agnostic troubleshooting entry for the "one of the attributes is incorrect" / "<attribute> attribute is missing" failure. This FAQ is include-ed on all SAML provider pages, so it surfaces for Okta/OneLogin/ADFS/Keycloak/Entra alike.

Source
Derived from a support investigation (ticket 51591) where a captured Entra assertion confirmed the IdP sent http://schemas.xmlsoap.org/ws/2005/05/identity/claims/{email,name,emailaddress} while the config used short names.

Generated with Claude Code
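The following Python script is an added illustration of the matching rule this PR documents and of the FAQ entry's resolution steps (capture the response, read the Name of each <Attribute> in the <AttributeStatement>, enter that exact value or have the IdP drop the namespace). It is not code from Mattermost or from this PR. It parses a constructed, unsigned Entra-style response, compares hypothetical setting names modelled on Mattermost's attribute fields against the assertion's Name (or FriendlyName) character-for-character, and shows that both fixes named in the PR make the check pass; the diagnostic wording mimics the page's "<attribute> attribute is missing" error and is not the server's actual log line, and `strip_namespace` only simulates clearing the namespace at the IdP.

```python
"""Check SAML assertion attribute names against Mattermost-style attribute settings.

Added example (not Mattermost code): shows why a short claim name such as "email"
does not match an Entra-emitted Name that carries the claims namespace, and how
the two fixes from the PR (fully-qualified name in Mattermost, or namespace
cleared at the IdP) make the check pass.
"""
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
ENTRA_CLAIMS_NS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"

# Constructed sample: a trimmed, unsigned Entra-style response, not a real capture.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/email">
        <saml:AttributeValue>alice@example.com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
        <saml:AttributeValue>alice@example.com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"
                      FriendlyName="firstName">
        <saml:AttributeValue>Alice</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# Hypothetical setting names modelled on Mattermost's SAML attribute fields.
SHORT_NAMES = {          # what the Entra UI shows: fails against namespaced Names
    "EmailAttribute": "email",
    "UsernameAttribute": "name",
    "FirstNameAttribute": "firstName",
    "LastNameAttribute": "surname",
}
FULL_NAMES = {           # fix 1: fully-qualified claim names entered in Mattermost
    "EmailAttribute": ENTRA_CLAIMS_NS + "email",
    "UsernameAttribute": ENTRA_CLAIMS_NS + "name",
    "FirstNameAttribute": "firstName",
    "LastNameAttribute": "",   # empty: not configured, so not checked
}


def assertion_attributes(xml_text):
    """Return {Name: (FriendlyName or None, [values])} for each <Attribute>
    inside the <AttributeStatement>, i.e. what SAML-tracer would show you."""
    root = ET.fromstring(xml_text)
    found = {}
    for attr in root.iter(f"{{{SAML_NS}}}Attribute"):
        values = [v.text or "" for v in attr.findall(f"{{{SAML_NS}}}AttributeValue")]
        found[attr.get("Name")] = (attr.get("FriendlyName"), values)
    return found


def check_mapping(settings, attributes):
    """Compare each configured attribute name character-for-character with the
    assertion's Name or FriendlyName. Returns one diagnostic per mismatch,
    worded like the page's "<attribute> attribute is missing" error (the real
    server message may differ), and names a fully-qualified candidate when
    only the namespace prefix was omitted."""
    problems = []
    for setting, configured in settings.items():
        if not configured:
            continue
        if configured in attributes:
            continue
        if any(friendly == configured for friendly, _ in attributes.values()):
            continue
        candidates = [name for name in attributes if name.endswith("/" + configured)]
        message = f"{setting}: '{configured}' attribute is missing"
        if candidates:
            message += f" (assertion carries {', '.join(candidates)}; copy that full Name)"
        problems.append(message)
    return problems


def strip_namespace(attributes, namespace):
    """Simulate fix 2 (clearing the claim namespace at the IdP): the assertion
    would then carry short Names, so short names entered in Mattermost match."""
    return {
        (name[len(namespace):] if name.startswith(namespace) else name): info
        for name, info in attributes.items()
    }


if __name__ == "__main__":
    attrs = assertion_attributes(SAMPLE_RESPONSE)
    for name in attrs:
        print("assertion Name:", name)
    for label, settings in (("short names", SHORT_NAMES), ("full names", FULL_NAMES)):
        print(f"\n{label}: {check_mapping(settings, attrs) or 'all attributes match'}")
    short = {k: v for k, v in SHORT_NAMES.items() if k != "LastNameAttribute"}
    print("\nnamespace cleared at IdP:",
          check_mapping(short, strip_namespace(attrs, ENTRA_CLAIMS_NS)) or "all attributes match")
```

Run it as-is to see the short-name configuration fail for `email` and `name` (with the namespaced candidate pointed out) while `firstName` matches through FriendlyName; the full-name configuration and the namespace-stripped assertion both pass. The candidate suggestion is a convenience for the admin reading the diagnostic, not part of the matching rule itself, which stays an exact string comparison.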