By Mattermost Charmers
juju deploy mattermost-charmers-mattermost
You will need Juju 2.9 to be able to run this command.
Channel Version Base
latest/stable 22


When visiting a fresh deployment, you will first be asked to create an admin account. Further accounts must be created using this admin account, or by setting up an external authentication source, such as SAML.

SAML Authentication

This charm supports configuring Ubuntu SSO as the authentication method. This requires the following:

  • a Mattermost Enterprise Edition licence to be obtained and activated
  • a SAML config for the Mattermost installation to be added to
  • the SAML config will need to have a new certificate generated (refer to “Canonical RT#107985” when requesting this)
    • this is because the default certificate available via the SAML metadata URL has expired
  • the new certificate to be installed in the Mattermost database (see below)

Installing the SAML Identity Provider Certificate

Invoke psql against the mattermost database on the current primary and use the following query to install the certificate:

INSERT INTO configurationfiles (name, createat, updateat, data)
    VALUES ('saml-idp.crt', (extract(epoch from now()) * 1000)::bigint, (extract(epoch from now()) * 1000)::bigint, $$-----BEGIN CERTIFICATE-----
<PEM certificate body>
-----END CERTIFICATE-----$$);
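
Since an expired IdP certificate is the reason a new one is needed, the replacement can be checked for validity before it is inserted. The shell functions below are an added example, not part of the charm or its documentation; the function names, the 30-day default and the $pem$ quote tag are assumptions, and the openssl CLI must be installed.

```shell
#!/bin/sh
# Added example (not part of the charm). Function names, the 30-day default
# and the $pem$ quote tag are assumptions; requires the openssl CLI.

# check_idp_cert FILE [MIN_DAYS]
# 0: FILE is a PEM certificate valid for at least MIN_DAYS more days
# 1: certificate is expired or expires within MIN_DAYS days
# 2: FILE is unreadable or is not an X.509 certificate
check_idp_cert() {
    cert=$1
    min_days=${2:-30}
    [ -r "$cert" ] || { echo "cannot read $cert" >&2; return 2; }
    # Catches a truncated paste, a private key, or a metadata XML file.
    openssl x509 -in "$cert" -noout 2>/dev/null ||
        { echo "$cert: not a PEM certificate" >&2; return 2; }
    # -checkend N exits non-zero when notAfter falls within the next N seconds.
    openssl x509 -in "$cert" -noout -checkend "$((min_days * 86400))" >/dev/null ||
        { echo "$cert: expired or expiring within $min_days days" >&2; return 1; }
    # Values to compare with what the identity provider operator sent.
    openssl x509 -in "$cert" -noout -subject -enddate -fingerprint -sha256
}

# idp_cert_sql FILE [MIN_DAYS]
# Prints the INSERT for configurationfiles with FILE as the data value,
# but only when the certificate passes check_idp_cert.
idp_cert_sql() {
    check_idp_cert "$1" "${2:-30}" >/dev/null || return $?
    now_ms="(extract(epoch from now()) * 1000)::bigint"
    printf 'INSERT INTO configurationfiles (name, createat, updateat, data)\n'
    # Re-encoding through openssl emits only the certificate block, so stray
    # text around the PEM in FILE never reaches the database.
    printf "    VALUES ('saml-idp.crt', %s, %s, \$pem\$%s\$pem\$);\n" \
        "$now_ms" "$now_ms" "$(openssl x509 -in "$cert")"
}

# Usage (assumed file and database names):
#   sh check-idp-cert.sh saml-idp.crt | psql mattermost
[ "$#" -eq 0 ] || idp_cert_sql "$@"
```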

Allowing All Users to Create Personal Access Tokens

Setting the “Enable Personal Access Tokens” option in the System Console’s “Integrations” panel does not give all users the ability to use them.

To give access to all new users, add this database trigger:

CREATE OR REPLACE FUNCTION grant_system_user_access_token_role() RETURNS TRIGGER AS $$
BEGIN
    -- Append the role only if the new row does not already carry it.
    IF position('system_user_access_token' in NEW.roles) = 0 THEN
      NEW.roles = NEW.roles || ' system_user_access_token';
    END IF;
    RETURN NEW;
END;
$$ LANGUAGE plpgsql;

DROP TRIGGER IF EXISTS before_insert_system_user_grant_system_user_access_token ON users;
CREATE TRIGGER before_insert_system_user_grant_system_user_access_token
    BEFORE INSERT ON users
    -- Fires only for rows whose roles value is exactly 'system_user'.
    FOR EACH ROW WHEN ( NEW.roles = 'system_user' )
    EXECUTE FUNCTION grant_system_user_access_token_role();

And to update all existing users, run this query:

UPDATE users
    SET roles = 'system_user system_user_access_token'
    WHERE roles = 'system_user';
