SAML Configuration

Prev Next

This section walks you through the available SAML configuration settings in Rocket.Chat. These settings allow you to tailor the user sign-in process, map user data, and access additional premium options.

In your Rocket.Chat workspace, go to Administration > Workspace > Settings > SAML. On the SAML page, you’ll find the configuration tabs where you can input the details from your identity provider (IdP). Make sure you have an IdP set up (for example, ADFS or Keycloak) and the required credentials.

You can refer to Active Directory Federation Services and Keycloak for provider-specific configuration guides and sample values.

Connection settings

These settings define the base connection to your SAML identity provider:

  • Enable: Toggle to activate or deactivate the SAML connection.

  • Custom Provider: The name of your SAML provider (for example, entra).

  • Custom Entry Point: The login URL provided by your IdP. This is where authentication requests are sent.

  • IDP SLO Redirect URL: The logout URL provided by your IdP. In SAML terminology, this is the location (URL) of the SingleLogoutService, using the redirect binding (urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect).

  • Custom Issuer: The unique URI that identifies your Rocket.Chat service. By convention, this is also the URL of your unedited metadata. For example:

    https://my-rocketchat-domain.tld/_saml/metadata/my-app
  • Enable Debug: Enable to log debug details during SAML requests and responses—helpful for troubleshooting issues.

Certificate

Configure certificates used for signing and validating SAML requests and responses. The available settings are:

Setting

Description

Custom Certificate

The public certificate for the identity provider, used to verify SAML requests.

  • Format: PEM without -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----.

Public Cert Contents

The public part of the self-signed certificate created for encrypting SAML transactions.

  • Format: PEM with -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----.

Signature Validation Type

Determines how Rocket.Chat validates signatures. This setting is ignored if no Custom Certificate is provided.

Private Key Contents

The private key that matches the self-signed certificate.

  • Format: PKCS#1 PEM with -----BEGIN PRIVATE KEY----- and -----END PRIVATE KEY-----.

Signature Algorithm

Algorithm used for signing requests and responses sent from Rocket.Chat to the identity provider.

  • This does not affect encryption or validation of signatures received from the provider.

  • Available options: SHA1, SHA256, SHA384, SHA512.


Premium Settings

The following premium SAML settings are only available to workspaces on Rocket.Chat’s premium plans. They provide advanced options for role assignment, authorization policies, and attribute mapping.

Advanced

The Advanced settings let you configure SAML request and response templates, identifier formats, and context policies. The available settings are:

Setting

Description

Identifier Format

Defines the identifier format. Leave empty to omit the NameIDPolicy from the request.

NameID Policy Template

Template for the NameIDPolicy. Any variable from the Authorize Request Template can be used.

Custom Authn Context

Sets a custom authentication context. Leave empty to omit.

To use multiple contexts, add them directly to the AuthnContext Template.

Authn Context Comparison

Method for comparing authentication contexts. Options: Exact, Minimum, Maximum, Better.

AuthnContext Template

Template for the <AuthnContext> element in requests. You can use variables from the AuthnRequest Template. To add more contexts, duplicate the <AuthnContextClassRef> tag and replace the variable.

AuthnRequest Template

Template for the SAML AuthnRequest. Variables available include:

  • __newId__: Randomly generated ID string

  • __instant__: Current timestamp

  • __callbackUrl__: Rocket.Chat callback URL

  • __entryPoint__: The value of the Custom Entry Point setting

  • __issuer__: The value of the Custom Issuer setting

  • __identifierFormatTag__: The contents of the NameID Policy Template if a valid Identifier Format is configured

  • __identifierFormat__: The value of the Identifier Format setting.

  • __authnContextTag__: The contents of the AuthnContext Template if a valid Custom Authn Context is configured.

  • __authnContextComparison__: The value of the Authn Context Comparison setting.

  • __authnContext__: The value of the Custom Authn Context setting.

Logout Response Template

Template for handling IdP logout responses. Variables include:

  • __newId__: Randomly generated id string

  • __inResponseTold__ : The ID of the Logout Request received from the IdP

  • __instant__: Current timestamp

  • __idpSLORedirectURL__ : The IDP Single LogOut URL to redirect to.

  • __issuer__ : The value of the Custom Issuer setting.

  • __identifierFormat__ : The value of the Identifier Format setting.

  • __nameID__ : The NameID received from the IdP Logout Request.

  • __sessionIndex__: The sessionIndex received from the IdP Logout Request.

Logout Request Template

Template for logout requests sent to IdP. Variables include:

  • __newId__ : Randomly generated id string

  • __instant__ : Current timestamp

  • __idpSLORedirectURL__ : The IDP Single LogOut URL to redirect to.

  • __issuer__ : The value of the Custom Issuer setting.

  • __identifierFormat__ : The value of the Identifier Format setting.

  • __nameID__ : The NameID received from the IdP when the user logged in.

  • __sessionIndex__: The sessionIndex received from the IdP when the user logged in.

Metadata Certificate Template

Template for the X.509 certificate descriptor. Variables:

  • __certificate__: Private certificate for assertion encryption.

Metadata Template

Template for the metadata XML. Variables include:

  • __sloLocation__: Rocket.Chat Single Logout URL

  • __issuer__: The value of the Custom Issuer setting.

  • __identifierFormat__: The value of the Identifier Format setting.

  • __certificateTag__: If a private certificate is configured, this will include the Metadata Certificate Template, otherwise it will be ignored.

  • __callbackUrl__: The Rocket.Chat callback URL.

Roles

Role settings let you synchronize user roles between your SAML identity provider and Rocket.Chat. The available settings are:

  • Sync User Roles: Enable to sync user roles during login. This overwrites any roles previously assigned locally in Rocket.Chat.

  • Role Attribute Name: If this attribute is included in the SAML response, its values will be applied as role names for new users.

Mapping

Mapping settings lets you configure how user custom fields are populated from records in SAML responses. The available setting is:

  • User Data Custom Field Map: Defines how user custom fields in Rocket.Chat should be populated from attributes in the SAML response. Once a matching attribute is found in the SAML record, its value will be mapped to the corresponding Rocket.Chat custom field.

    Example:

    {
      "custom1": "custom1",
      "custom2": "custom2",
      "custom3": "custom3"
    }

General settings

The General settings in SAML configuration allow you to customize how users interact with the login interface and how their data is handled during authentication. These settings control three main areas.

User Interface

The User Interface settings let you customize the appearance of the SAML login button, including its text and colors, to align with your organization’s branding while maintaining accessibility. The available settings are:

  • Button Text: The text displayed on the SAML login button.

  • Button Text Color: Sets the color of the button text. Ensure chosen color meets WCAG (Web Content Accessibility Guidelines) contrast and readability standards to maintain accessibility.

  • Button Color: Sets the background color of the SAML login button. Changing this may affect WCAG compliance, verify that the new color maintains proper contrast and accessibility for all users.

Accessibility note

Any changes to button text color or button background color may result in non-compliance with WCAG accessibility requirements. Always test your color choices for contrast and readability.

Behaviour

The Behavior settings in SAML control how user accounts are managed during sign-in, covering usernames, attributes, sessions, roles, subscriptions, and IdP timing to keep Rocket.Chat consistent with your identity provider. The available settings are:

Setting

Description

Generate Username

Enable to generate usernames automatically.

Normalize username

Select the type of normalization to apply to a username.

Immutable field name

Choose the field name that should remain immutable.

Overwrite user fullname (use idp attribute)

Enable to overwrite the user’s full name with the attribute from the IdP.

Overwrite user mail (use idp attribute)

Enable to overwrite the user’s email with the attribute from the IdP.

Logout Behaviour

Define the logout behavior (e.g., terminate the SAML session).

Update Room Subscriptions on Each Login

When enabled, room memberships from the SAML assertion are refreshed at every login, ensuring the user remains subscribed to all channels provided by the IdP.

Include Private Rooms in Room Subscription

Adds the user to any private rooms listed in the SAML assertion.

Default User Role

Specify the default user role by providing its unique role _id. To assign multiple roles, separate them with commas. Use the Get Roles endpoint to retrieve role IDs.

Allowed clock drift from Identity Provider

Accounts for slight clock mismatches between your server and the IdP. Enter the tolerance in milliseconds (ms). This value is added to the response validation time.

Mapping

Mapping defines how user account fields from the SAML response (like email, username, and name) are assigned to Rocket.Chat user fields. This ensures correct synchronization between the Identity Provider (IdP) and Rocket.Chat. The available setting is:

  • User Data Field Map: Defines how user attributes from the SAML response are mapped to Rocket.Chat user fields. Configure attributes such as username, email, and name using JSON mapping.

Example Configuration

Here’s an example of how fields can be mapped from SAML attributes:

{
  "email": "mail",
  "username": {
    "fieldName": "mail",
    "regex": "(.*)@.+$",
    "template": "user-__regex__"
  },
  "name": {
   "fieldNames": [
      "firstName",
      "lastName"
    ],
    "template": "__firstName__ __lastName__"
  },
  "__identifier__": "uid"
}
  • Available fields in Rocket.Chat: name, email, username. Any other attributes will be discarded.

    Example:

    {"name": "cn", "email": "mail"}

    This maps the user’s human-readable name from the cn attribute and their email from the mail attribute.

This concludes the configuration options available for setting up SAML integration in Rocket.Chat. With these settings, administrators can fine-tune authentication, user roles, data mapping, and interface behavior to ensure seamless synchronization with their Identity Provider.

In the upcoming sections, we will explore common SAML identity providers and walk through practical examples of how to integrate them with Rocket.Chat.