- Enable: Enables the SAML connection
- Custom Provider: The SAML provider name
- Custom Entry Point: The custom entry point
- IDP SLO Redirect URL: This is the URL provided by your IdP for logging out. In SAML terminology, it is the location (URL) of the SingleLogoutService with the Redirect binding (urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect).
- Custom Issuer: The URI is the unique identifier of your service. By convention, this is also the URL of your (unedited) metadata. Again, where you set Custom Provider to 'my-app', this will be:
https://my-rocketchat-domain.tld/_saml/metadata/my-app
- Enable Debug: Set to true to enable debugging
- Custom Certificate: This is the public certificate of your IdP, used to verify SAML requests. The format for this is PEM without -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----.
- Public Cert Contents: The public part of the self-signed certificate you created for encrypting your SAML transactions. An example of a self-signed certificate is given on the SimpleSAMLphp website. The format for this is PEM WITH -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----.
- Signature Validation Type: Select the type of signature validation. This setting will be ignored if no Custom Certificate is provided.
- Private Key Contents: The private key matching the self-signed certificate you created, as PKCS#1 PEM. The format for this is PEM WITH -----BEGIN PRIVATE KEY----- and -----END PRIVATE KEY-----.
- Sync User Roles: Enable to sync user roles on login (overwrites local user roles).
- Role Attribute Name: If this attribute is found on the SAML response, its values will be used as role names for new users.
- Identifier Format: Format of the identifier. Leave this empty to omit the NameID Policy from the request.
- NameID Policy Template: The NameID policy template. You can use any variable from the AuthnRequest Template here.
- Custom Authn Context: Leave this empty to omit the authn context from the request. To add multiple authn contexts, add the additional ones directly to the AuthnContext Template setting.
- Authn Context Comparison: Select the Authn context comparison method.
- AuthnContext Template: You can use any variable from the AuthnRequest Template here. To add additional authn contexts, duplicate the AuthnContextClassRef tag and replace the __authnContext__ variable with the new context.
- AuthnRequest Template: The following variables are available:
  - __newId__: Randomly generated id string
  - __instant__: Current timestamp
  - __callbackUrl__: The Rocket.Chat callback URL.
  - __entryPoint__: The value of the Custom Entry Point setting.
  - __issuer__: The value of the Custom Issuer setting.
  - __identifierFormatTag__: The contents of the NameID Policy Template if a valid Identifier Format is configured.
  - __identifierFormat__: The value of the Identifier Format setting.
  - __authnContextTag__: The contents of the AuthnContext Template if a valid Custom Authn Context is configured.
  - __authnContextComparison__: The value of the Authn Context Comparison setting.
  - __authnContext__: The value of the Custom Authn Context setting.
- Logout Response Template: The following variables are available:
  - __newId__: Randomly generated id string
  - __inResponseToId__: The ID of the Logout Request received from the IdP
  - __instant__: Current timestamp
  - __idpSLORedirectURL__: The IdP Single LogOut URL to redirect to.
  - __issuer__: The value of the Custom Issuer setting.
  - __identifierFormat__: The value of the Identifier Format setting.
  - __nameID__: The NameID received from the IdP Logout Request.
  - __sessionIndex__: The sessionIndex received from the IdP Logout Request.
- Logout Request Template: The following variables are available:
  - __newId__: Randomly generated id string
  - __instant__: Current timestamp
  - __idpSLORedirectURL__: The IdP Single LogOut URL to redirect to.
  - __issuer__: The value of the Custom Issuer setting.
  - __identifierFormat__: The value of the Identifier Format setting.
  - __nameID__: The NameID received from the IdP when the user logged in.
  - __sessionIndex__: The sessionIndex received from the IdP when the user logged in.
- Metadata Certificate Template: The following variables are available:
  - __certificate__: The private certificate for assertion encryption.
- Metadata Template: The following variables are available:
  - __sloLocation__: The Rocket.Chat Single LogOut URL.
  - __issuer__: The value of the Custom Issuer setting.
  - __identifierFormat__: The value of the Identifier Format setting.
  - __certificateTag__: If a private certificate is configured, this will include the Metadata Certificate Template; otherwise it will be ignored.
  - __callbackUrl__: The Rocket.Chat callback URL.
- User Data Custom Field Map: Configure how user custom fields are populated from a record in SAML (once found).
- Button Text: Text to display on the button
- Button Text Color: Lets you set the button text color
- Button Color: The button color
- Generate Username: Enable to generate username
- Normalize username: Set the type of normalization to perform on a username
- Immutable field name: Select the field name to be immutable
- Overwrite user fullname (use idp attribute): Enable to overwrite user fullname
- Overwrite user mail (use idp attribute): Enable to overwrite user mail
- Logout Behaviour: Lets you set the behavior to happen on logout
- Update Room Subscriptions on Each Login: When enabled, room subscriptions are updated on each login. This ensures the user is a member of all channels listed in the SAML assertion on every login.
- Include Private Rooms in Room Subscription: When set to true, private rooms can also be used for subscriptions. Adds the user to any private rooms that exist in the SAML assertion.
- Default User Role: Lets you set the default user role. You can specify multiple roles, separating them with commas.
- Allowed clock drift from Identity Provider: The clock of the Identity Provider may drift slightly ahead of your system clocks. You can allow for a small amount of clock drift. Its value must be given in a number of milliseconds (ms). The value given is added to the current time at which the response is validated.
- User Data Field Map: Configure how user account fields (like email) are populated from a record in SAML (once found). As an example, {"name":"cn", "email":"mail"} chooses a person's human-readable name from the cn attribute, and their email from the mail attribute. Available fields in Rocket.Chat: name, email and username. Everything else is discarded. A more detailed map can derive a field from a regex capture on one attribute, or combine several attributes through a template:

```json
{
  "email": "mail",
  "username": {
    "fieldName": "mail",
    "regex": "(.*)@.+$",
    "template": "user-__regex__"
  },
  "name": {
    "fieldNames": [
      "firstName",
      "lastName"
    ],
    "template": "__firstName__ __lastName__"
  },
  "__identifier__": "uid"
}
```
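The following is an added example, not Rocket.Chat's own code, showing how a User Data Field Map like the one above resolves against the attributes of an assertion. It assumes attributes arrive as a plain object of attribute name to first string value, that the first capture group of "regex" fills __regex__, and that "__identifier__" is resolved like any other entry; the sample attributes are constructed.

```javascript
// Added example, not Rocket.Chat's own code: resolve a User Data Field Map
// against SAML assertion attributes. Assumptions (not from the docs): attributes
// are attribute name -> first string value, the first capture group of "regex"
// fills __regex__, and "__identifier__" is resolved like any other entry.
const FIELD_MAP = {
  email: 'mail',
  username: { fieldName: 'mail', regex: '(.*)@.+$', template: 'user-__regex__' },
  name: { fieldNames: ['firstName', 'lastName'], template: '__firstName__ __lastName__' },
  __identifier__: 'uid',
};
// Constructed sample attributes, as an IdP might send them in an assertion.
const SAMPLE_ATTRIBUTES = {
  uid: 'jdoe',
  mail: 'jane.doe@example.org',
  firstName: 'Jane',
  lastName: 'Doe',
  memberOf: 'staff', // not referenced by the map, so it is discarded
};

// Resolve one map entry; returns undefined when a needed attribute is missing
// or the regex does not match, so the caller leaves that field unset.
function resolveField(rule, attributes) {
  if (typeof rule === 'string') return attributes[rule];
  if (typeof rule.fieldName === 'string') {
    const value = attributes[rule.fieldName];
    if (value === undefined) return undefined;
    if (!rule.regex) return value;
    const match = new RegExp(rule.regex).exec(value);
    if (!match) return undefined;
    const captured = match[1] !== undefined ? match[1] : match[0];
    return rule.template ? rule.template.split('__regex__').join(captured) : captured;
  }
  if (Array.isArray(rule.fieldNames) && typeof rule.template === 'string') {
    let out = rule.template;
    for (const name of rule.fieldNames) {
      if (attributes[name] === undefined) return undefined;
      out = out.split(`__${name}__`).join(attributes[name]);
    }
    return out;
  }
  return undefined;
}

// Apply the whole map; only targets that resolve end up on the user record.
function mapUserData(fieldMap, attributes) {
  const user = {};
  for (const [target, rule] of Object.entries(fieldMap)) {
    const value = resolveField(rule, attributes);
    if (value !== undefined) user[target] = value;
  }
  return user;
}
```

With the sample attributes this yields email "jane.doe@example.org", username "user-jane.doe", name "Jane Doe" and identifier "jdoe", while the unmapped memberOf attribute is dropped.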
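The Allowed clock drift setting above says the configured milliseconds are added to the current time when the response is validated. This added example, not Rocket.Chat's own code, shows that check on an assertion's Conditions window with constructed timestamps; it assumes the drift is applied to the NotBefore comparison only and leaves NotOnOrAfter strict.

```javascript
// Added example, not Rocket.Chat's own code: check a SAML Conditions window
// (NotBefore / NotOnOrAfter) while tolerating a configured clock drift in ms.
// Assumption: the drift is added to the validation time before the NotBefore
// comparison (the "IdP clock slightly ahead" case); NotOnOrAfter stays strict.
function conditionsValid(conditions, nowMs, allowedDriftMs) {
  const notBefore = Date.parse(conditions.NotBefore);
  const notOnOrAfter = Date.parse(conditions.NotOnOrAfter);
  if (Number.isNaN(notBefore) || Number.isNaN(notOnOrAfter)) return false;
  if (!(allowedDriftMs >= 0)) return false; // negative or non-numeric drift is a misconfiguration
  const adjustedNow = nowMs + allowedDriftMs;
  if (adjustedNow < notBefore) return false; // still in the future even with drift allowed
  if (nowMs >= notOnOrAfter) return false;   // validity window has already closed
  return true;
}

// Constructed sample: the IdP's clock is 2 s ahead of ours, so NotBefore
// lands 2 s in our future at the moment we validate.
const SAMPLE_CONDITIONS = {
  NotBefore: '2024-01-01T12:00:02Z',
  NotOnOrAfter: '2024-01-01T12:05:02Z',
};
const OUR_NOW_MS = Date.parse('2024-01-01T12:00:00Z');
```

With a drift of 0 ms the sample assertion is rejected as not yet valid; with 3000 ms it is accepted, and it is still rejected once our clock passes NotOnOrAfter.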