• By Canonical IS DevOps
Channel Revision Published Runs on
latest/stable 27 22 Nov 2023
Ubuntu 20.04
latest/edge 18 14 Jun 2021
Ubuntu 20.04
juju deploy mattermost-k8s
Show information


When visiting a fresh deployment, you will first be asked to create an admin account. Further accounts must be created using this admin account, or by setting up an external authentication source, such as SAML.

SAML Authentication

This charm supports configuring Ubuntu SSO as the authentication method. This requires the following:

  • a Mattermost Enterprise Edition licence to be obtained and activated
  • a SAML config for the Mattermost installation to be added to
  • the SAML config will need to have a new certificate generated (refer to “Canonical RT#107985” when requesting this)
    • this is because the default certificate available via the SAML metadata URL has expired
  • the new certificate to be installed in the Mattermost database (see below)

Installing the SAML Identity Provider Certificate

Invoke psql against the mattermost database on the current primary and use the following query to install the certificate:

INSERT INTO configurationfiles (name, createat, updateat, data)
    VALUES ('saml-idp.crt', (extract(epoch from now()) * 1000)::bigint ,(extract(epoch from now()) * 1000)::bigint, $-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----$);

Allowing All Users to Create Personal Access Tokens

Setting the “Enable Personal Access Tokens” option in the System Console’s “Integrations” panel does not give all users the ability to use them.

To give access to all new users, add this database trigger:

CREATE OR REPLACE FUNCTION grant_system_user_access_token_role() RETURNS TRIGGER AS $$
    IF position('system_user_access_token' in NEW.roles) = 0 THEN
      NEW.roles = NEW.roles || ' system_user_access_token';
    END IF;

DROP TRIGGER IF EXISTS before_insert_system_user_grant_system_user_access_token ON users;
CREATE TRIGGER before_insert_system_user_grant_system_user_access_token
    FOR EACH ROW WHEN ( NEW.roles = 'system_user' )
    EXECUTE FUNCTION grant_system_user_access_token_role();

And to update all existing users, run this query:

UPDATE users
    SET roles = 'system_user system_user_access_token'
    WHERE roles = 'system_user';