Enable: Enables the SAML connection
Custom Provider: The SAML provider name
Custom Entry Point: The custom entry point
IDP SLO Redirect URL: The URL provided by your IdP for logging out. In SAML terminology, it is the location (URL) of the SingleLogoutService with the Redirect binding (urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect)
Custom Issuer: The URI is the unique identifier of your service. By convention, this is also the URL of your (unedited) metadata. Again, where you set Custom Provider to 'my-app', this will be: https://my-rocketchat-domain.tld/_saml/metadata/my-app
Enable Debug: Set to true to enable debugging
Custom Certificate: The IdP's public certificate, used to verify SAML requests. The format is PEM without the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines
Public Cert Contents: The public part of the self-signed certificate you created for encrypting your SAML transactions. The format is PEM WITH the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines.
Signature Validation Type: Select the type of signature validation. This setting is ignored if no Custom Certificate is provided.
Private Key Contents: The private key matching the self-signed certificate you created, as PKCS#1 PEM. The format is PEM WITH the -----BEGIN PRIVATE KEY----- and -----END PRIVATE KEY----- lines.
Sync User Roles: Enable to sync user roles on login (overwrites local user roles).
Role Attribute Name: If this attribute is found on the SAML response, its values will be used as role names for new users.
Identifier Format: Format of the identifier. Leave this empty to omit the NameID Policy from the request
NameID Policy Template: The NameID policy template. You can use any variable from the Authorize Request Template here.
Custom Authn Context: Leave this empty to omit the authn context from the request.
To add multiple authn contexts, add the additional ones directly to the AuthnContext Template setting.
Authn Context Comparison: Select the Authn context comparison method
AuthnContext Template: You can use any variable from the AuthnRequest Template here.
To add additional authn contexts, duplicate the AuthnContextClassRef tag and replace the __authnContext__ variable with the new context.
AuthnRequest Template: The following variables are available:
__newId__: Randomly generated id string
__instant__: Current timestamp
__callbackUrl__: The Rocket.Chat callback URL.
__entryPoint__: The value of the Custom Entry Point setting.
__issuer__: The value of the Custom Issuer setting.
__identifierFormatTag__: The contents of the NameID Policy Template if a valid Identifier Format is configured.
__identifierFormat__: The value of the Identifier Format setting.
__authnContextTag__: The contents of the AuthnContext Template if a valid Custom Authn Context is configured.
__authnContextComparison__: The value of the Authn Context Comparison setting.
__authnContext__: The value of the Custom Authn Context setting.
Logout Response Template: The following variables are available:
__newId__: Randomly generated id string
__inResponseToId__: The ID of the Logout Request received from the IdP
__instant__: Current timestamp
__idpSLORedirectURL__: The IDP Single LogOut URL to redirect to.
__issuer__: The value of the Custom Issuer setting.
__identifierFormat__: The value of the Identifier Format setting.
__nameID__: The NameID received from the IdP Logout Request.
__sessionIndex__: The sessionIndex received from the IdP Logout Request.
Logout Request Template: The following variables are available:
__newId__: Randomly generated id string
__instant__: Current timestamp
__idpSLORedirectURL__: The IDP Single LogOut URL to redirect to.
__issuer__: The value of the Custom Issuer setting.
__identifierFormat__: The value of the Identifier Format setting.
__nameID__: The NameID received from the IdP when the user logged in.
__sessionIndex__: The sessionIndex received from the IdP when the user logged in.
Metadata Certificate Template: The following variables are available:
__certificate__: The private certificate for assertion encryption.
Metadata Template: The following variables are available:
__sloLocation__: The Rocket.Chat Single LogOut URL.
__issuer__: The value of the Custom Issuer setting.
__identifierFormat__: The value of the Identifier Format setting.
__certificateTag__: If a private certificate is configured, this will include the Metadata Certificate Template, otherwise it will be ignored.
__callbackUrl__: The Rocket.Chat callback URL.
User Data Custom Field Map: Configure how user custom fields are populated from a record in SAML (once found).
Button Text: Text to display on the button
Button Text Color: Lets you set the button text color
Button Color: The button color
Generate Username: Enable to generate username
Normalize username: Set the type of normalization to perform on a username
Immutable field name: Select the field name to be immutable
Overwrite user fullname (use idp attribute): Enable to overwrite user fullname
Overwrite user mail (use idp attribute): Enable to overwrite user mail
Logout Behaviour: Lets you set the behavior to happen on logout
Update Room Subscriptions on Each Login: When enabled, room subscriptions are updated on each login, ensuring the user is a member of all channels in the SAML assertion on every login.
Include Private Rooms in Room Subscription: When set to true, private rooms can also be used for subscriptions: the user is added to any private rooms that appear in the SAML assertion.
Default User Role: Lets you set the default user role. You can specify multiple roles, separating them with commas.
Allowed clock drift from Identity Provider: The clock of the Identity Provider may drift slightly ahead of your system clocks, and this setting allows for a small amount of such drift. The value is given in milliseconds (ms) and is added to the current time at which the response is validated.
User Data Field Map: Configure how user account fields (like email) are populated from a record in SAML (once found). As an example, {"name":"cn", "email":"mail"} chooses a person's human-readable name from the cn attribute, and their email from the mail attribute. Available fields in Rocket.Chat: name, email and username. Everything else is discarded.