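Mattermost supports up to four simultaneous methods of user authentication:
- An OpenID provider
- A SAML provider
- An LDAP instance (e.g., Active Directory, OpenLDAP)
- Email and password
Review and manage the following authentication configuration options in the System Console by selecting the Product menu, then System Console > Authentication:
System admins managing a self-hosted Mattermost deployment can edit the config.json file as described in the following tables. Each configuration value includes a JSON path for accessing the value programmatically in the config.json file using a JSON-aware tool. For example, the EnableUserCreation value is under TeamSettings.
- If using a tool such as jq (https://stedolan.github.io/jq/), enter: cat config/config.json | jq '.TeamSettings.EnableUserCreation'
- When editing the config.json file manually, look for an object such as TeamSettings, then find the EnableUserCreation key within that object.
Access the following configuration settings in the System Console by going to Authentication > Signup.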
- true: (Default) Anyone can sign up for a user account on this server without needing to be invited. Applies to email-based signups only.
- false: The ability to create accounts is disabled. Selecting Create Account displays an error. Applies to email, OpenID Connect, and OAuth 2.0 user account authentication.
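LDAP and SAML users can always create a Mattermost account by logging in with their LDAP or SAML credentials, regardless of whether this configuration setting is enabled.
From Mattermost v10.9, email addresses enclosed in angle brackets (e.g., <billy@example.com>) are rejected. To avoid issues, ensure that all user emails comply with the plain address format (e.g., billy@example.com). Additionally, we strongly recommend taking proactive steps to audit and update Mattermost user data to align with this product change. Impacted users may have trouble accessing Mattermost or managing their user profile. You can update these user emails manually using mmctl user email.
See the encryption options documentation for details on the encryption methods Mattermost supports for SAML.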
This setting limits the email address domains that can be used to create a new account or team. You must set Require Email Verification to true for the restriction to function. This setting only affects email login.
- true: Users can create accounts on the server without an invitation.
- false: (Default) Users must have an invitation to create an account on the server.
This button invalidates email invitations that have not been accepted (by default, invitations expire after 48 hours). This option has no config.json setting or environment variable.
- true: (Default) Allows creation of team and user accounts with email and password.
- false: Disables creation of team and user accounts with email and password. Requires a single sign-on (SSO) service to create accounts.

- true: (Default for Cloud deployments) Requires email verification for new accounts before allowing the user to sign-in.
- false: (Default for self-hosted deployments) Disables email verification. This can be used to speed up development by skipping the verification process.
- true: (Default) Allows users to sign-in with email and password.
- false: Disables authentication with email and password, and removes the option from the login screen. Use this option to limit authentication to single sign-on services.
To offer email sign-in as the only option on the login page, ensure that the Enable sign-in with username configuration setting is set to false.
From Mattermost v10.9, email addresses enclosed in angle brackets (e.g., <billy@example.com>) are rejected. To avoid issues, ensure that all user emails comply with the plain address format (e.g., billy@example.com). Additionally, we strongly recommend taking proactive steps to audit and update Mattermost user data to align with this product change. Impacted users may have trouble accessing Mattermost or managing their user profile. You can update these user emails manually using mmctl user email.
- true: (Default) Allows authentication with a username and password for accounts created with an email address. This setting does not affect AD/LDAP sign-in.
- false: Disables authentication with a username and removes the option from the login screen.
This setting determines the minimum number of characters in passwords. It must be a whole number greater than or equal to 5 and less than or equal to 72. Numerical input. Default is 5.
This setting controls password character requirements. By checking the corresponding box, passwords must contain:
- At least one lowercase letter
- At least one uppercase letter
- At least one number
- At least one symbol out of these: !"#$%&'()*+,-./:;<=>?@[]^_`|~
The error message previewed in the System Console will appear if the user attempts to set an invalid password. The default for all boxes is unchecked. The default for all settings in config.json is false.
- System Config path: Authentication > Password
- config.json settings: PasswordSettings > Lowercase > false, PasswordSettings > Uppercase > false, PasswordSettings > Number > false, PasswordSettings > Symbol > false
- Environment variables: MM_PASSWORDSETTINGS_LOWERCASE, MM_PASSWORDSETTINGS_UPPERCASE, MM_PASSWORDSETTINGS_NUMBER, MM_PASSWORDSETTINGS_SYMBOL
This setting determines the number of failed sign-in attempts a user can make before being locked out and required to go through a password reset by email. Numerical input. Default is 10.
- true: (Default) Displays the Forgot Password link on the Mattermost login page.
- false: Hides the Forgot Password link from the Mattermost login page.
Access the following configuration settings in the System Console by going to Authentication > MFA.
We recommend deploying Mattermost within your own private network and using VPN clients for mobile access, so that Mattermost is secured with your existing protocols. If you choose to run Mattermost outside your private network, bypassing your existing security protocols, we recommend adding a multi-factor authentication service for accessing Mattermost.
- true: Users who sign-in with AD/LDAP or an email address have the option to add multi-factor authentication to their accounts.
- false: (Default) Disables multi-factor authentication.

- true: Requires multi-factor authentication (MFA) for users who sign-in with AD/LDAP or an email address. New users must set up MFA. Logged in users are redirected to the MFA setup page until configuration is complete.
- false: (Default) MFA is optional.
This setting will display placeholder text in the login field of the sign-in page. This text can remind users to sign-in with their AD/LDAP credentials. String input. Default is AD/LDAP Username.
Synchronization with the AD/LDAP settings in the System Console can be used to determine the connectivity and availability of arbitrary hosts. System admins concerned about this can use custom admin roles to restrict access to modifying these settings. See the delegated granular administration documentation for details.
This is the username for the account Mattermost utilizes to perform an AD/LDAP search. This should be an account specific to Mattermost. Limit the permissions of the account to read-only access to the portion of the AD/LDAP tree specified in the Base DN setting. When using Active Directory, Bind Username should specify domain in "DOMAIN/username" format. String input.
This setting controls the type of security Mattermost uses to connect to the AD/LDAP server, with these options:
- None: (Default for self-hosted deployments) No encryption. With this option, it is highly recommended that the connection be secured outside of Mattermost, such as by a stunnel proxy. config.json option: ""
- TLS: (Default for Cloud deployments) Encrypts communication with TLS. config.json option: "TLS"
- STARTTLS: Attempts to upgrade an existing insecure connection to a secure connection with TLS. config.json option: "STARTTLS"

- true: Disables the certificate verification step for TLS and STARTTLS connections. Use this option for testing. Do not use this option when TLS is required in production.
- false: (Default) Enables certificate verification.
Use this setting to upload the private key file from your LDAP authentication provider, if TLS client certificates are the primary authentication mechanism. String input.
Use this setting to upload the public TLS certificate from your LDAP authentication provider, if TLS client certificates are the primary authentication mechanism. String input.
This setting determines the number of failed sign-in attempts a user can make before being locked out and required to go through a password reset by email. You can unlock the account in System Console on the users page. Setting this value lower than your LDAP maximum login attempts ensures that the users won't be locked out of your LDAP server because of failed login attempts in Mattermost. Numerical input. Default is 10.
This setting accepts a general syntax AD/LDAP filter that is applied when searching for user objects. Only the users selected by the query can access Mattermost. For example, to filter out disabled users, the filter is: (&(objectCategory=Person)(!(UserAccountControl:1.2.840.113556.1.4.803:=2))). To filter by group membership, determine the distinguishedName of the group, then use group membership general syntax to format the filter. For example, if the security group distinguishedName is CN=group1,OU=groups,DC=example,DC=com, then the filter is: (memberOf=CN=group1,OU=groups,DC=example,DC=com). The user must explicitly belong to this group for the filter to apply. String input.
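To see which accounts each of the two filters above admits, the following added example (not Mattermost code) parses them and evaluates them against constructed directory entries. It implements only the filter subset used here; the entries, the nested group team-a and the combined filter are assumptions that go beyond the text.

```python
BIT_AND = "1.2.840.113556.1.4.803"  # matching-rule OID that appears in the page's filter


def parse(text):
    """Parse a filter made of &, |, !, equality and extensible-match items."""
    node, pos = _parse(text, 0)
    if pos != len(text):
        raise ValueError("trailing characters after filter")
    return node


def _parse(s, i):
    if i >= len(s) or s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if i < len(s) and s[i] in "&|":
        op, i, kids = s[i], i + 1, []
        while i < len(s) and s[i] == "(":
            kid, i = _parse(s, i)
            kids.append(kid)
        node = (op, kids)
    elif i < len(s) and s[i] == "!":
        kid, i = _parse(s, i + 1)
        node = ("!", kid)
    else:
        end = s.find(")", i)
        if end == -1:
            raise ValueError("unterminated item")
        lhs, sep, value = s[i:end].partition("=")
        if not sep:
            raise ValueError("item without '='")
        if lhs.endswith(":"):  # attr:rule:=value (extensible match)
            attr, _, rule = lhs[:-1].partition(":")
            node = ("ext", attr.lower(), rule, value)
        else:  # attr=value; the value may itself contain '=' (a DN)
            node = ("eq", lhs.lower(), value)
        i = end
    if i >= len(s) or s[i] != ")":
        raise ValueError("expected ')' at offset %d" % i)
    return node, i + 1


def matches(node, entry):
    """Two-valued evaluation. Real servers treat a missing attribute as Undefined,
    so keep the tested attributes present on every sample entry."""
    kind = node[0]
    if kind == "&":
        return all(matches(k, entry) for k in node[1])
    if kind == "|":
        return any(matches(k, entry) for k in node[1])
    if kind == "!":
        return not matches(node[1], entry)
    values = entry.get(node[1], [])
    if kind == "eq":
        return any(v.lower() == node[2].lower() for v in values)
    if node[2] != BIT_AND:
        raise ValueError("unsupported matching rule " + node[2])
    mask = int(node[3])
    return any(int(v) & mask == mask for v in values)  # every bit of the mask is set


DISABLED_FILTER = "(&(objectCategory=Person)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))"
GROUP_DN = "CN=group1,OU=groups,DC=example,DC=com"
GROUP_FILTER = "(memberOf=%s)" % GROUP_DN
# Assumption: both conditions combined into one User Filter.
COMBINED_FILTER = ("(&(objectCategory=Person)"
                   "(!(UserAccountControl:1.2.840.113556.1.4.803:=2))"
                   "(memberOf=%s))" % GROUP_DN)

# Constructed entries. 512 = normal account, 514 = 512 + 2 (disabled),
# 66048 = 512 + 65536. team-a is a hypothetical group nested inside group1.
ENTRIES = {
    "alice": {"objectCategory": ["Person"], "userAccountControl": ["512"],
              "memberOf": [GROUP_DN]},
    "bob": {"objectCategory": ["Person"], "userAccountControl": ["514"],
            "memberOf": [GROUP_DN]},
    "carol": {"objectCategory": ["Person"], "userAccountControl": ["512"],
              "memberOf": ["CN=team-a,OU=groups,DC=example,DC=com"]},
    "dave": {"objectCategory": ["Person"], "userAccountControl": ["66048"]},
}


def admitted(filter_text, entries):
    """Return the sorted names of the entries the filter selects."""
    tree = parse(filter_text)
    selected = []
    for name, attrs in entries.items():
        entry = {key.lower(): vals for key, vals in attrs.items()}
        if matches(tree, entry):
            selected.append(name)
    return sorted(selected)


if __name__ == "__main__":
    for label, flt in (("disabled", DISABLED_FILTER), ("group", GROUP_FILTER),
                       ("combined", COMBINED_FILTER)):
        print(label, admitted(flt, ENTRIES))
```

The group filter alone still selects the disabled account bob, and carol is not selected because she belongs to group1 only through the nested group.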
This setting accepts a general syntax AD/LDAP filter that is applied when searching for group objects. Only the groups selected by the query can access Mattermost. String input. Default is (|(objectClass=group)(objectClass=groupOfNames)(objectClass=groupOfUniqueNames)).
- System Config path: Authentication > AD/LDAP
- config.json setting: LdapSettings > GroupFilter
Note
This filter is only used when AD/LDAP Group Sync is enabled. See AD/LDAP Group Sync for more information.
true: Enables the Admin Filter setting that designates system admins using an AD/LDAP filter.
false: (Default) Disables the Admin Filter setting.
This setting accepts an AD/LDAP filter that designates the selected users as system admins. Users are promoted to this role on their next sign-in or on the next scheduled AD/LDAP sync. If the Admin Filter is removed, users who are currently logged in retain their Admin role until their next sign-in. String input.
This setting accepts an AD/LDAP filter to apply when searching for external users with Guest Access to Mattermost. Only users selected by the query can access Mattermost as Guests. See Guest Accounts for more information. String input.
This is the attribute in the AD/LDAP server that serves as a unique user identifier in Mattermost. The attribute should have a unique value that does not change, such as objectGUID or entryUUID. Confirm that these attributes are available in your environment before making any changes. String input.
This is the attribute in the AD/LDAP server that is used for signing-in to Mattermost. This is normally the same as the Username Attribute. If your team uses domain\username to sign-in to other services with AD/LDAP, you may enter domain\username in this field to maintain consistency between sites. String input.
This is the attribute in the AD/LDAP server that populates the username field in Mattermost. This attribute identifies users in the UI. For example, if a Username Attribute is set to john.smith, typing @john will show @john.smith as an auto-complete option, and posting a message with @john.smith will send a notification to that user. This is normally the same as the Login ID Attribute, but it can be mapped to a different attribute. String input.
This is the attribute in the AD/LDAP server that populates the email address field in Mattermost. Email notifications are sent to this address. The address may be seen by other Mattermost users depending on privacy settings. String input.
This is the attribute in the AD/LDAP server that populates the first name field in Mattermost. When set, users cannot edit their first name. When not set, users can edit their first name in their profile settings. String input.
This is the attribute in the AD/LDAP server that populates the last name field in Mattermost. When set, users cannot edit their last name. When not set, users can edit their last name as part of their profile settings. String input.
This is the attribute in the AD/LDAP server that populates the nickname field in Mattermost. When set, users cannot edit their nickname. When not set, users can edit their nickname as part of their profile settings. String input.
This is the attribute in the AD/LDAP server that populates the position field in Mattermost. When set, users cannot edit their position. When not set, users can edit their position as part of their profile settings. String input.
This is the attribute in the AD/LDAP server that syncs and locks the profile picture in Mattermost. The image is updated when users sign-in, not when Mattermost syncs with the AD/LDAP server. The image is not updated if the Mattermost image already matches the AD/LDAP image. String input.
This is an AD/LDAP Group ID attribute that sets a unique identifier for groups. This should be a value that does not change, such as entryUUID or objectGUID. String input.
This value determines how often Mattermost syncs with the AD/LDAP server by setting the number of minutes between each sync. Syncing with the AD/LDAP server will update Mattermost accounts to match any changes made to AD/LDAP attributes. Disabled AD/LDAP accounts become deactivated users in Mattermost, and any active sessions are revoked. Use the AD/LDAP Synchronize Now button to immediately revoke a session after disabling an AD/LDAP account. Numerical input. Default is 60.
This setting paginates the results of AD/LDAP server queries. Use this setting if your AD/LDAP server has a page size limit. The recommended setting is 1500. This is the default AD/LDAP MaxPageSize. A page size of 0 disables pagination of results. Numerical input. Default is 0.
This setting determines the timeout period, in seconds, for AD/LDAP queries. Increase this value to avoid timeout errors when querying a slow server. Numerical input. Default is 60.
Use this button to immediately sync with the AD/LDAP server. The status of the sync is displayed in the table underneath the button (see the figure below). Following a manual sync, the next sync will occur after the time set in the Synchronization Interval.
Enable this setting to re-add members of the LDAP group that were previously removed from group-synchronized teams or channels during LDAP synchronization.
- true: Members of the LDAP group who were previously removed are re-added to group-synchronized teams or channels during LDAP synchronization.
- false: (Default) Members of the LDAP group who were previously removed are not re-added to group-synchronized teams or channels during LDAP synchronization.

- true: Mattermost updates configured Mattermost user attributes (ex. FirstName, Position, Email) with their values from AD/LDAP. From Mattermost v10.9, Mattermost checks whether a user exists on the connected LDAP server during login. If the user doesn't exist on the LDAP server, login fails.
- false: (Default) Disables syncing of SAML-authenticated Mattermost users with AD/LDAP. From Mattermost v10.9, Mattermost doesn't check whether a user exists on the connected LDAP server during login.

- true: When syncing with the AD/LDAP server, Mattermost does not sync any information about SAML-authenticated Guest Users from the AD/LDAP server. Manage guest deactivation manually via System Console > Users.
- false: (Default) Syncing Mattermost with the AD/LDAP server updates Guest User attributes and deactivates and removes SAML-authenticated accounts for Guest Users that are no longer active on the AD/LDAP server.

- true: If the SAML ID attribute is configured, Mattermost overrides the SAML ID attribute with the AD/LDAP ID attribute. If the SAML ID attribute is not present, Mattermost overrides the SAML Email attribute with the AD/LDAP Email attribute.
- false: (Default) Mattermost uses the email attribute to bind users to SAML.
This setting is only available when SAML authentication is enabled and AD/LDAP synchronization is enabled.

- true: (Default) Mattermost checks that the SAML Response signature matches the Service Provider Login URL.
- false: The signature is not verified. This is not recommended for production. Use this option for testing only.
Enter the URL of your Mattermost server, followed by /login/sso/saml, e.g. https://example.com/login/sso/saml. Use HTTP or HTTPS depending on the configuration of the server. This setting is also known as the Assertion Consumer Service URL.
This setting is the unique identifier for the Service Provider, which in most cases is the same as the Service Provider Login URL. In ADFS, this must match the Relying Party Identifier. String input.
- true: (Default) Mattermost will decrypt SAML Assertions that are encrypted with your Service Provider Public Certificate. - false: Mattermost does not decrypt SAML Assertions. Use this option for testing only. It is not recommended for production.
This setting stores the certificate file used to sign a SAML request to the Identity Provider for a SAML login when Mattermost is initiating the login as the Service Provider. String input.
This setting determines the signature algorithm used to sign the SAML request. Options are: RSAwithSHA1, RSAwithSHA256, RSAwithSHA512. String input.
Note
From Mattermost v11, the default signature algorithm has been updated from RSAwithSHA1 to RSAwithSHA256 for improved security. Existing configurations will continue to work, but new installations will default to RSAwithSHA256.
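The AD/LDAP connection security and certificate verification options and the SAML verify, encrypt and signature algorithm options described above are the ones this page marks as testing-only or legacy. The following added example (not part of the Mattermost documentation) reports them from a config.json, taking into account that MM_ environment variables override the file. The LdapSettings and SamlSettings key names are assumptions that do not appear on this page, and the sample config and environment are constructed.

```python
import json

# Constructed sample config.json fragment (not from a real server). The key names
# under LdapSettings and SamlSettings are assumptions: they are not shown on this
# page, so check them against the config.json of your Mattermost version.
SAMPLE_CONFIG = json.loads("""
{
  "LdapSettings": {
    "Enable": true,
    "ConnectionSecurity": "STARTTLS",
    "SkipCertificateVerification": false
  },
  "SamlSettings": {
    "Enable": true,
    "Verify": false,
    "Encrypt": true,
    "SignatureAlgorithm": "RSAwithSHA1"
  }
}
""")

# Constructed environment. Environment variables named MM_<SECTION>_<KEY> take
# precedence over config.json, so the file alone can look safe when the server is not.
SAMPLE_ENV = {"MM_LDAPSETTINGS_SKIPCERTIFICATEVERIFICATION": "true"}

# Constructed hardened counterpart of SAMPLE_CONFIG.
HARDENED_CONFIG = {
    "LdapSettings": {"Enable": True, "ConnectionSecurity": "TLS",
                     "SkipCertificateVerification": False},
    "SamlSettings": {"Enable": True, "Verify": True, "Encrypt": True,
                     "SignatureAlgorithm": "RSAwithSHA256"},
}


def effective(cfg, env, path, default=None):
    """Return the value in effect for 'Section.Key': environment first, then file."""
    section, key = path.split(".")
    env_name = "MM_%s_%s" % (section.upper(), key.upper())
    if env_name in env:
        raw = env[env_name]
        if raw.lower() in ("true", "false"):
            return raw.lower() == "true"
        return raw
    block = cfg.get(section)
    if not isinstance(block, dict):
        return default
    return block.get(key, default)


def audit(cfg, env):
    """List the settings whose effective value is one this page marks as weak."""
    findings = []

    def check(path, is_weak, issue, default=None):
        value = effective(cfg, env, path, default)
        if is_weak(value):
            findings.append({"setting": path, "value": value, "issue": issue})

    if effective(cfg, env, "LdapSettings.Enable", False):
        check("LdapSettings.ConnectionSecurity",
              lambda v: v not in ("TLS", "STARTTLS"),
              "AD/LDAP traffic is not encrypted by Mattermost", "")
        check("LdapSettings.SkipCertificateVerification",
              lambda v: v is True,
              "certificate verification is disabled (testing only)", False)
    if effective(cfg, env, "SamlSettings.Enable", False):
        check("SamlSettings.Verify", lambda v: v is False,
              "SAML Response signature is not verified (testing only)", True)
        check("SamlSettings.Encrypt", lambda v: v is False,
              "SAML Assertions are not decrypted (testing only)", True)
        check("SamlSettings.SignatureAlgorithm", lambda v: v == "RSAwithSHA1",
              "legacy default; v11 defaults to RSAwithSHA256")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG, SAMPLE_ENV):
        print("%(setting)s = %(value)r: %(issue)s" % finding)
```

Run it against the file and the environment of the Mattermost service itself: with the constructed sample, the certificate-verification finding appears only because of the environment override.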
This setting determines the attribute from the SAML Assertion that populates the user email address field in Mattermost. Notifications are sent to this email address. This email address may be visible to other users, depending on how the system admin has set-up user privacy. String input.
This setting determines the SAML Assertion attribute that populates the username field in the Mattermost UI. This attribute identifies users in the UI. For example, if a username is set to john.smith, typing @john will show @john.smith as an auto-complete option, and posting a message with @john.smith will send a notification to that user. String input.
(Optional) This setting determines the SAML Assertion attribute used to apply a Guest role to users in Mattermost. See the Guest Accounts documentation for more information. String input.
- true: System admin status is determined by the SAML Assertion attribute set in Admin attribute. - false: (Default) System admin status is not determined by the SAML Assertion attribute.
(Optional) This setting determines the attribute in the SAML Assertion for designating system admins. Users are automatically promoted to this role when logging in to Mattermost. If the Admin attribute is removed, users that are logged in retain Admin status. The role is revoked only when users log out. String input.
(Optional) This setting determines the SAML Assertion attribute that populates the position (job title or role at company) of users in Mattermost. String input.
Use this setting to enable OAuth and specify the service provider, with these options:
- Do not allow login via an OAuth 2.0 provider
- GitLab (Available in all plans; see GitLab 2.0 OAuth settings)
- Google Apps (Available in Mattermost Enterprise and Professional; see Google OAuth 2.0 settings)
- Entra ID (Available in Mattermost Enterprise and Professional; see Entra ID OAuth 2.0 settings)

- true: Allows team and account creation using GitLab OAuth authentication. Input the Secret and ID credentials to configure.
- false: (Default) Disables GitLab OAuth authentication.
This setting holds the OAuth Application ID from GitLab. Generate the ID by these steps:
1. Login to your GitLab account.
2. Go to Profile Settings > Applications > New Application and enter a name.
3. Enter the Redirect URLs: https://<your-mattermost-url>/login/gitlab/complete and https://<your-mattermost-url>/signup/gitlab/complete.
4. Take the Application ID provided by GitLab and enter it in the Mattermost System Console field, config.json setting, or Environment variable.
String input.
- System Config path: Authentication > OAuth 2.0 (or GitLab)
- config.json setting: GitLabSettings > Id
- Environment variable: MM_GITLABSETTINGS_ID
This setting holds the OAuth Application Secret Key from GitLab. The key is generated at the same time as the Application ID (see GitLab OAuth 2.0 Application ID). Enter the key provided by GitLab in the Mattermost System Console field, config.json setting, or Environment variable. String input.
This setting holds the URL of your GitLab User API endpoint, e.g. https://<your-gitlab-url>/api/v3/user. Use http:// if SSL is not enabled on your GitLab instance. Enter the URL in the Mattermost System Console field, config.json setting, or Environment variable. String input.
This setting holds the URL of your GitLab Auth endpoint, e.g. https://<your-gitlab-url>/oauth/authorize. Use http:// if SSL is not enabled on your GitLab instance. Enter the URL in the Mattermost System Console field, config.json setting, or Environment variable. String input.
This setting holds the URL of your GitLab OAuth Token endpoint, e.g. https://<your-gitlab-url>/oauth/token. Use http:// if SSL is not enabled on your GitLab instance. Enter the URL in the Mattermost System Console field, config.json setting, or Environment variable. String input.
Enable OAuth 2.0 authentication with Google
'''''''''''''''''''''''''''''''''''''''''''
- true: Allows team and account creation using Google OAuth authentication. Input the Client ID and Client Secret credentials to configure.
- false: (Default) Disables Google OAuth authentication.
See Google Single Sign-On implementation instructions.
This setting stores the OAuth Client ID from Google. Generate the ID by going to the Credentials section of the Google Cloud Platform APIs & Services menu and selecting Create Credentials > OAuth client ID. See Google Single Sign-On for instructions that can be used to implement Google OAuth or OpenID authentication. String input.
- System Config path: Authentication > OAuth 2.0
- config.json setting: GoogleSettings > Id
- Environment variable: MM_GOOGLESETTINGS_ID
Google OAuth 2.0 Client Secret
''''''''''''''''''''''''''''''
This setting stores the OAuth Client Secret from Google. The Secret is generated at the same time as the Client ID. String input.
We recommend https://people.googleapis.com/v1/people/me?personFields=names,emailAddresses,nicknames,metadata as the User API Endpoint. Otherwise, enter a custom endpoint in config.json with HTTP, or HTTPS, if available on the API server. String input.
We recommend https://accounts.google.com/o/oauth2/v2/auth as the Auth Endpoint. Otherwise, enter a custom endpoint in config.json with HTTP, or HTTPS, if available on the server. String input.
We recommend https://www.googleapis.com/oauth2/v4/token as the Token Endpoint. Otherwise, enter a custom endpoint in config.json with HTTP, or HTTPS, if available on the server. String input.
This setting holds the Application ID generated when configuring Entra ID as a Single Sign-On service through the Microsoft Azure Portal. String input.
- System Config path: Authentication > OAuth 2.0
- config.json setting: Office365Settings > Id
- Environment variable: MM_OFFICE365SETTINGS_ID
This setting holds the Application Secret Password generated when configuring Entra ID as a Single Sign-On service through the Microsoft Azure Portal. String input.
We recommend https://graph.microsoft.com/v1.0/me as the User API Endpoint. Otherwise, enter a custom endpoint in config.json with http, or https, if available on the server. String input.
We recommend https://login.microsoftonline.com/common/oauth2/v2.0/authorize as the Auth Endpoint. Otherwise, enter a custom endpoint in config.json with http, or https, if available on the server. String input.
We recommend https://login.microsoftonline.com/common/oauth2/v2.0/token as the Token Endpoint. Otherwise, enter a custom endpoint in config.json with http, or https, if available on the server. String input.
Use this setting to enable OpenID Connect, with these options:
- Do not allow login via an OpenID provider
- GitLab (see settings)
- Google Apps (see settings)
- Entra ID (see settings)
- OpenID Connect (Other) (see settings)
This setting is prepopulated with the Discovery Endpoint for GitLab OpenID Connect. String input. Default is https://gitlab.com/.well-known/openid-configuration
Use GitLab OpenID preferred username
''''''''''''''''''''''''''''''''''''
- true: Mattermost uses the preferred_username claim from the GitLab OpenID token as the Mattermost username.
- false: (Default) Mattermost does not use the preferred_username claim for username assignment.

- true: Allows team and account creation using Google OpenID authentication.
- false: (Default) Disables Google OpenID authentication.
See Google Single Sign-On implementation instructions.
This setting is prepopulated with the Discovery Endpoint for Google OpenID Connect. See Configure Mattermost for Google Apps SSO. String input. Default is https://accounts.google.com/.well-known/openid-configuration
Use Google OpenID preferred username
''''''''''''''''''''''''''''''''''''
- true: Mattermost uses the preferred_username claim from the Google OpenID token as the Mattermost username.
- false: (Default) Mattermost does not use the preferred_username claim for username assignment.
Enable OpenID Connect authentication with Entra ID
''''''''''''''''''''''''''''''''''''''''''''''''''
- true: Allows team and account creation using Entra ID OpenID Connect authentication.
- false: (Default) Disables Entra ID OpenID Connect authentication.
See Entra ID Single Sign-On implementation instructions.
This setting holds the Directory (tenant) ID set for Mattermost through the Microsoft Azure Portal. See Entra ID Single Sign-On implementation instructions. String input.
This setting is prepopulated with the Discovery Endpoint for Entra ID OpenID Connect. See Entra ID Single Sign-On implementation instructions. String input. Default is https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration
This setting stores the Application (client) ID generated through the Microsoft Azure Portal. See Entra ID Single Sign-On implementation instructions. String input.
- System Config path: Authentication > OpenID Connect
- config.json setting: Office365Settings > Id
- Environment variable: MM_OFFICE365SETTINGS_ID
Entra ID Client Secret
''''''''''''''''''''''
This setting stores the Client Secret generated through the Microsoft Azure Portal. See Entra ID Single Sign-On implementation instructions. String input.
Use Entra ID preferred username
'''''''''''''''''''''''''''''''
- true: Mattermost uses the preferred_username claim from the Entra ID OpenID token as the Mattermost username.
- false: (Default) Mattermost does not use the preferred_username claim for username assignment.
To make the preferred_username claim available, add it as an optional claim under App registrations > Token configuration in the Azure Portal. See Entra ID Single Sign-On for setup details.
Enable OpenID Connect authentication with other service providers
'''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
- true: Allows team and account creation using other OpenID Connect service providers.
- false: (Default) Disables OpenID Connect authentication with other service providers.
See OpenID Connect Single Sign-On implementation instructions.
This setting stores the Discovery Endpoint URL from the OpenID provider. The URL should be in the format of https://myopenid.provider.com/{my_organization}/.well-known/openid-configuration. See OpenID Connect Single Sign-On implementation instructions. String input.
Use OpenID Connect (Other) preferred username
'''''''''''''''''''''''''''''''''''''''''''''
- true: Mattermost uses the preferred_username claim from the provider's OpenID token as the Mattermost username.
- false: (Default) Mattermost does not use the preferred_username claim for username assignment.
Guest billing depends on channel access. Guests in exactly one channel are treated as single-channel guests and are not counted toward the base paid seat count. They are free up to a 1:1 ratio with licensed seats. Guests in multiple channels continue to count as paid active users. Direct messages and group messages do not affect whether a guest counts as a single-channel guest. See the guest accounts documentation for details.
Use this setting to restrict the creation of guest accounts. When set, guest accounts require a verified email address from one of the listed domains. String input of one or more domains, separated by commas.
This setting limits the email address domains that can be used to create a new account or team. You must set Require Email Verification to true for the restriction to function. This setting only affects email login.
- true: Users can create accounts on the server without an invitation.
- false: (Default) Users must have an invitation to create an account on the server.
This button invalidates email invitations that have not been accepted (by default, invitations expire after 48 hours). This option has no config.json setting or environment variable.
- true: (Default) Allows creation of team and user accounts with email and password.
- false: Disables creation of team and user accounts with email and password. Requires a single sign-on (SSO) service to create accounts.
- true: (Default for Cloud deployments) Requires email verification for new accounts before allowing the user to sign-in.
- false: (Default for self-hosted deployments) Disables email verification. Can be used to speed up development by skipping the verification process.
true: (Default) Allows users to sign-in with email and password.
false: Disables authentication with email and password, and removes the option from the login screen. Use this option to limit authentication to single sign-on services.
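To offer email login as the only option on the login page, make sure the Enable sign-in with username configuration setting is set to false.
From Mattermost v10.9, email addresses enclosed in angle brackets (e.g. <billy@example.com>) are rejected. To avoid problems, make sure all user emails follow the plain address format (e.g. billy@example.com). We also strongly recommend proactively auditing and updating Mattermost user data to match this product change. Affected users may have trouble accessing Mattermost or managing their user profile. You can update these user emails manually with mmctl user email.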
- true: (Default) Allows authentication with a username and password for accounts created with an email address. This setting does not affect AD/LDAP sign-in.
- false: Disables authentication with a username and removes the option from the login screen.
This setting determines the minimum number of characters in passwords. It must be a whole number greater than or equal to 5 and less than or equal to 72. Numerical input. Default is 5.
This setting controls password character requirements. By checking the corresponding box, passwords must contain:
- At least one lowercase letter
- At least one uppercase letter
- At least one number
- At least one symbol out of these: !"#$%&'()*+,-./:;<=>?@[]^_`|~
The error message previewed in the System Console will appear if the user attempts to set an invalid password. The default for all boxes is unchecked. The default for all settings in config.json is false.
- System Config path: Authentication > Password
- config.json settings: PasswordSettings > Lowercase > false, PasswordSettings > Uppercase > false, PasswordSettings > Number > false, PasswordSettings > Symbol > false
- Environment variables: MM_PASSWORDSETTINGS_LOWERCASE, MM_PASSWORDSETTINGS_UPPERCASE, MM_PASSWORDSETTINGS_NUMBER, MM_PASSWORDSETTINGS_SYMBOL
This setting determines the number of failed sign-in attempts a user can make before being locked out and required to go through a password reset by email. Numerical input. Default is 10.
- true: (Default) Displays the Forgot Password link on the Mattermost login page.
- false: Hides the Forgot Password link from the Mattermost login page.
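In the System Console, go to Authentication > MFA to access the following configuration settings.
We recommend deploying Mattermost within your own private network and using VPN clients for mobile access, so that Mattermost is secured by your existing protocols. If you choose to run Mattermost outside your private network, bypassing your existing security protocols, we recommend adding a multi-factor authentication service for Mattermost access.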
- true: Users who sign-in with AD/LDAP or an email address have the option to add multi-factor authentication to their accounts.
- false: (Default) Disables multi-factor authentication.
- true: Requires multi-factor authentication (MFA) for users who sign-in with AD/LDAP or an email address. New users must set up MFA. Logged in users are redirected to the MFA setup page until configuration is complete.
- false: (Default) MFA is optional.
This setting will display placeholder text in the login field of the sign-in page. This text can remind users to sign-in with their AD/LDAP credentials. String input. Default is AD/LDAP Username.
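The AD/LDAP settings in the System Console, through synchronization, can be used to check the connectivity and availability of arbitrary hosts. System admins who are concerned about this can use custom admin roles to restrict access to modifying these settings. See the delegated granular administration documentation for details.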
This is the username for the account Mattermost utilizes to perform an AD/LDAP search. This should be an account specific to Mattermost.
Limit the permissions of the account to read-only access to the portion of the AD/LDAP tree specified in the Base DN setting.
When using Active Directory, Bind Username should specify domain in "DOMAIN/username" format. String input.
This setting controls the type of security Mattermost uses to connect to the AD/LDAP server, with these options:
- None: (Default for self-hosted deployments) No encryption. With this option, it is highly recommended that the connection be secured outside of Mattermost, such as by a stunnel proxy. config.json option: ""
- TLS: (Default for Cloud deployments) Encrypts communication with TLS. config.json option: "TLS"
- STARTTLS: Attempts to upgrade an existing insecure connection to a secure connection with TLS. config.json option: "STARTTLS"
- true: Disables the certificate verification step for TLS and STARTTLS connections. Use this option for testing. Do not use this option when TLS is required in production.
- false: (Default) Enables certification verification.
Use this setting to upload the private key file from your LDAP authentication provider, if TLS client certificates are the primary authentication mechanism. String input.
Use this setting to upload the public TLS certificate from your LDAP authentication provider, if TLS client certificates are the primary authentication mechanism. String input.
This setting determines the number of failed sign-in attempts a user can make before being locked out and required to go through a password reset by email. You can unlock the account in System Console on the users page. Setting this value lower than your LDAP maximum login attempts ensures that the users won't be locked out of your LDAP server because of failed login attempts in Mattermost. Numerical input. Default is 10.
This setting accepts a general syntax AD/LDAP filter that is applied when searching for user objects. Only the users selected by the query can access Mattermost. For example, to filter out disabled users, the filter is: (&(objectCategory=Person)(!(UserAccountControl:1.2.840.113556.1.4.803:=2))). To filter by group membership, determine the distinguishedName of the group, then use group membership general syntax to format the filter. For example, if the security group distinguishedName is CN=group1,OU=groups,DC=example,DC=com, then the filter is: (memberOf=CN=group1,OU=groups,DC=example,DC=com). The user must explicitly belong to this group for the filter to apply. String input.
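A group distinguishedName can itself contain parentheses, asterisks or backslashes, which must be escaped before the DN is pasted into a memberOf clause or the filter changes meaning or fails to parse. The following is an added example, not Mattermost's own code: it composes the two filters shown above with RFC 4515 escaping and checks the structure of a hand-written filter; the function names and the sample group DN are constructed for illustration.

```python
import re

# Matching-rule OID and flag value taken from the "disabled users" filter above.
AD_BIT_AND = "1.2.840.113556.1.4.803"
ACCOUNT_DISABLED = 2

# Constructed sample: a group whose CN contains parentheses.
SAMPLE_GROUP_DN = "CN=Ops (EU),OU=groups,DC=example,DC=com"


def escape_filter_value(value):
    """Escape an assertion value per RFC 4515 so it cannot change the filter's shape."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def user_filter(group_dns=(), exclude_disabled=True):
    """Build a User Filter: people, optionally not disabled, optionally in any listed group."""
    clauses = ["(objectCategory=Person)"]
    if exclude_disabled:
        clauses.append("(!(UserAccountControl:%s:=%d))" % (AD_BIT_AND, ACCOUNT_DISABLED))
    groups = ["(memberOf=%s)" % escape_filter_value(dn) for dn in group_dns]
    if len(groups) == 1:
        clauses.append(groups[0])
    elif groups:
        clauses.append("(|%s)" % "".join(groups))  # explicit member of any listed group
    return "(&%s)" % "".join(clauses)


def parse_filter(text, pos=0):
    """Parse one filter starting at text[pos]; return the index just past it."""
    if pos >= len(text) or text[pos] != "(":
        raise ValueError("expected '(' at offset %d" % pos)
    pos += 1
    if pos < len(text) and text[pos] in "&|!":
        operator = text[pos]
        pos += 1
        operands = 0
        while pos < len(text) and text[pos] == "(":
            pos = parse_filter(text, pos)
            operands += 1
        if operands == 0 or (operator == "!" and operands != 1):
            raise ValueError("wrong number of operands for %r" % operator)
    else:
        end = pos
        while end < len(text) and text[end] not in "()":
            end += 1
        attribute, separator, value = text[pos:end].partition("=")
        if not separator or not attribute.strip():
            raise ValueError("item is not attribute=value")
        # A backslash must start a two-digit hex escape such as \28.
        if re.search(r"\\(?![0-9a-fA-F]{2})", value):
            raise ValueError("bad escape in value")
        pos = end  # a raw '(' inside a value stops the scan here and fails below
    if pos >= len(text) or text[pos] != ")":
        raise ValueError("expected ')' at offset %d" % pos)
    return pos + 1


def is_valid_filter(text):
    """True when text is exactly one well-formed filter."""
    try:
        return parse_filter(text) == len(text)
    except ValueError:
        return False


if __name__ == "__main__":
    print(user_filter([SAMPLE_GROUP_DN]))
    print(is_valid_filter("(memberOf=" + SAMPLE_GROUP_DN + ")"))  # unescaped DN
```

The same check applies to the Admin Filter and Guest Filter fields, which accept the same filter syntax.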
This setting accepts a general syntax AD/LDAP filter that is applied when searching for group objects. Only the groups selected by the query can access Mattermost. String input. Default is (|(objectClass=group)(objectClass=groupOfNames)(objectClass=groupOfUniqueNames)).
- System Config path: Authentication > AD/LDAP
- config.json setting: LdapSettings > GroupFilter
Note
This filter is only used when AD/LDAP Group Sync is enabled. See AD/LDAP Group Sync for more information.
true: Enables the Admin Filter setting that designates system admins using an AD/LDAP filter.
false: (Default) Disables the Admin Filter setting.
This setting accepts an AD/LDAP filter that designates the selected users as system admins. Users are promoted to this role on their next sign-in or on the next scheduled AD/LDAP sync. If the Admin Filter is removed, users who are currently logged in retain their Admin role until their next sign-in. String input.
This setting accepts an AD/LDAP filter to apply when searching for external users with Guest Access to Mattermost. Only users selected by the query can access Mattermost as Guests. See Guest Accounts for more information. String input.
This is the attribute in the AD/LDAP server that serves as a unique user identifier in Mattermost. The attribute should have a unique value that does not change, such as objectGUID or entryUUID. Confirm that these attributes are available in your environment before making any changes. String input.
This is the attribute in the AD/LDAP server that is used for signing-in to Mattermost. This is normally the same as the Username Attribute. If your team uses domain\username to sign-in to other services with AD/LDAP, you may enter domain\username in this field to maintain consistency between sites. String input.
This is the attribute in the AD/LDAP server that populates the username field in Mattermost. This attribute identifies users in the UI. For example, if a Username Attribute is set to john.smith, typing @john will show @john.smith as an auto-complete option, and posting a message with @john.smith will send a notification to that user. This is normally the same as the Login ID Attribute, but it can be mapped to a different attribute. String input.
This is the attribute in the AD/LDAP server that populates the email address field in Mattermost. Email notifications are sent to this address. The address may be seen by other Mattermost users depending on privacy settings. String input.
This is the attribute in the AD/LDAP server that populates the first name field in Mattermost. When set, users cannot edit their first name. When not set, users can edit their first name in their profile settings. String input.
This is the attribute in the AD/LDAP server that populates the last name field in Mattermost. When set, users cannot edit their last name. When not set, users can edit their last name as part of their profile settings. String input.
This is the attribute in the AD/LDAP server that populates the nickname field in Mattermost. When set, users cannot edit their nickname. When not set, users can edit their nickname as part of their profile settings. String input.
This is the attribute in the AD/LDAP server that populates the position field in Mattermost. When set, users cannot edit their position. When not set, users can edit their position as part of their profile settings. String input.
This is the attribute in the AD/LDAP server that syncs and locks the profile picture in Mattermost. The image is updated when users sign-in, not when Mattermost syncs with the AD/LDAP server. The image is not updated if the Mattermost image already matches the AD/LDAP image. String input.
This is an AD/LDAP Group ID attribute that sets a unique identifier for groups. This should be a value that does not change, such as entryUUID or objectGUID. String input.
This value determines how often Mattermost syncs with the AD/LDAP server by setting the number of minutes between each sync. Syncing with the AD/LDAP server will update Mattermost accounts to match any changes made to AD/LDAP attributes. Disabled AD/LDAP accounts become deactivated users in Mattermost, and any active sessions are revoked. Use the AD/LDAP Synchronize Now button to immediately revoke a session after disabling an AD/LDAP account. Numerical input. Default is 60.
This setting paginates the results of AD/LDAP server queries. Use this setting if your AD/LDAP server has a page size limit. The recommended setting is 1500. This is the default AD/LDAP MaxPageSize. A page size of 0 disables pagination of results. Numerical input. Default is 0.
This setting determines the timeout period, in seconds, for AD/LDAP queries. Increase this value to avoid timeout errors when querying a slow server. Numerical input. Default is 60.
Use this button to immediately sync with the AD/LDAP server. The status of the sync is displayed in the table underneath the button (see the figure below). Following a manual sync, the next sync will occur after the time set in the Synchronization Interval.
Enable this setting to re-add members of the LDAP group that were previously removed from group-synchronized teams or channels during LDAP synchronization.
- true: Members of the LDAP group who were previously removed are re-added to group-synchronized teams or channels during LDAP synchronization.
- false: (Default) Members of the LDAP group who were previously removed are not re-added to group-synchronized teams or channels during LDAP synchronization.
- true: Mattermost updates configured Mattermost user attributes (ex. FirstName, Position, Email) with their values from AD/LDAP. From Mattermost v10.9, Mattermost checks whether a user exists on the connected LDAP server during login. If the user doesn't exist on the LDAP server, login fails.
- false: (Default) Disables syncing of SAML-authenticated Mattermost users with AD/LDAP. From Mattermost v10.9, Mattermost doesn't check whether a user exists on the connected LDAP server during login.
- true: When syncing with the AD/LDAP server, Mattermost does not sync any information about SAML-authenticated Guest Users from the AD/LDAP server. Manage guest deactivation manually via System Console > Users.
- false: (Default) Syncing Mattermost with the AD/LDAP server updates Guest User attributes and deactivates and removes SAML-authenticated accounts for Guest Users that are no longer active on the AD/LDAP server.
- true: If the SAML ID attribute is configured, Mattermost overrides the SAML ID attribute with the AD/LDAP ID attribute. If the SAML ID attribute is not present, Mattermost overrides the SAML Email attribute with the AD/LDAP Email attribute.
- false: (Default) Mattermost uses the email attribute to bind users to SAML.
This setting is only available when SAML authentication is enabled and AD/LDAP synchronization is enabled.
- true: (Default) Mattermost checks that the SAML Response signature matches the Service Provider Login URL.
- false: The signature is not verified. This is not recommended for production. Use this option for testing only.
Enter the URL of your Mattermost server, followed by /login/sso/saml, i.e. https://example.com/login/sso/saml. Use HTTP or HTTPS depending on the configuration of the server. This setting is also known as the Assertion Consumer Service URL.
This setting is the unique identifier for the Service Provider, which in most cases is the same as the Service Provider Login URL. In ADFS, this must match the Relying Party Identifier. String input.
- true: (Default) Mattermost will decrypt SAML Assertions that are encrypted with your Service Provider Public Certificate.
- false: Mattermost does not decrypt SAML Assertions. Use this option for testing only. It is not recommended for production.
This setting stores the certificate file used to sign a SAML request to the Identity Provider for a SAML login when Mattermost is initiating the login as the Service Provider. String input.
This setting determines the signature algorithm used to sign the SAML request. Options are: RSAwithSHA1, RSAwithSHA256, RSAwithSHA512. String input.
Note
From Mattermost v11, the default signature algorithm has been updated from RSAwithSHA1 to RSAwithSHA256 for improved security. Existing configurations will continue to work, but new installations will default to RSAwithSHA256.
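Several settings described above carry a "testing only" or "not recommended for production" warning, and the domain restriction only works together with Require Email Verification. The following added example (not part of Mattermost) audits a config.json for those combinations and honours MM_* environment variables, which take precedence over the file. Key names that do not appear on this page are taken from Mattermost's config.json schema and should be checked against your server version; the finding identifiers and the sample config are constructed.

```python
import json
import os

# Constructed sample config.json fragment (not from a real server).
SAMPLE_CONFIG = """
{
  "TeamSettings": {"EnableUserCreation": true, "RestrictCreationToDomains": "example.com"},
  "EmailSettings": {"RequireEmailVerification": false},
  "PasswordSettings": {"MinimumLength": 5, "Lowercase": false, "Uppercase": false,
                       "Number": false, "Symbol": false},
  "ServiceSettings": {"EnableMultifactorAuthentication": true,
                      "EnforceMultifactorAuthentication": false},
  "LdapSettings": {"Enable": true, "ConnectionSecurity": "STARTTLS",
                   "SkipCertificateVerification": true},
  "SamlSettings": {"Enable": true, "Verify": true, "Encrypt": false,
                   "SignatureAlgorithm": "RSAwithSHA1"}
}
"""


def env_name(path):
    """PasswordSettings.Lowercase -> MM_PASSWORDSETTINGS_LOWERCASE."""
    return "MM_" + path.replace(".", "_").upper()


def effective(cfg, path, env):
    """Return the value in effect: environment override first, then config.json."""
    raw = env.get(env_name(path))
    if raw is not None:
        text = raw.strip()
        if text.lower() in ("true", "false"):
            return text.lower() == "true"
        return int(text) if text.isdigit() else text
    node = cfg
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def audit(cfg, env=None):
    """Return (identifier, detail) findings for the risky combinations."""
    env = os.environ if env is None else env
    findings = []

    def get(path):
        return effective(cfg, path, env)

    if get("TeamSettings.RestrictCreationToDomains") and not get("EmailSettings.RequireEmailVerification"):
        findings.append(("domain-restriction-not-enforced",
                         "domain restriction needs Require Email Verification = true"))

    classes = ("Lowercase", "Uppercase", "Number", "Symbol")
    if (get("PasswordSettings.MinimumLength") or 5) <= 5 and not any(
            get("PasswordSettings." + c) for c in classes):
        findings.append(("password-policy-at-defaults",
                         "minimum length 5 and no character classes required"))

    if not get("ServiceSettings.EnableMultifactorAuthentication"):
        findings.append(("mfa-disabled", "multi-factor authentication is disabled"))
    elif not get("ServiceSettings.EnforceMultifactorAuthentication"):
        findings.append(("mfa-optional", "MFA is enabled but not enforced"))

    if get("LdapSettings.Enable"):
        if (get("LdapSettings.ConnectionSecurity") or "") == "":
            findings.append(("ldap-no-encryption", "AD/LDAP connection security is None"))
        elif get("LdapSettings.SkipCertificateVerification"):
            findings.append(("ldap-cert-verification-off",
                             "TLS/STARTTLS certificate verification is skipped"))

    if get("SamlSettings.Enable"):
        if get("SamlSettings.Verify") is False:
            findings.append(("saml-signature-unverified", "SAML Response signature not verified"))
        if get("SamlSettings.Encrypt") is False:
            findings.append(("saml-assertions-unencrypted", "SAML Assertions are not decrypted"))
        if get("SamlSettings.SignatureAlgorithm") == "RSAwithSHA1":
            findings.append(("saml-sha1-signature", "SAML requests signed with RSAwithSHA1"))

    return findings


def load_sample():
    return json.loads(SAMPLE_CONFIG)


if __name__ == "__main__":
    for ident, detail in audit(load_sample(), env={}):
        print("%-34s %s" % (ident, detail))
```

To audit a live server, call `audit(json.load(open("config/config.json")))` from the Mattermost service account's environment so the same MM_* overrides are visible.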
This setting determines the attribute from the SAML Assertion that populates the user email address field in Mattermost. Notifications are sent to this email address. This email address may be visible to other users, depending on how the system admin has set-up user privacy. String input.
This setting determines the SAML Assertion attribute that populates the username field in the Mattermost UI. This attribute identifies users in the UI. For example, if a username is set to john.smith, typing @john will show @john.smith as an auto-complete option, and posting a message with @john.smith will send a notification to that user. String input.
(Optional) This setting determines the SAML Assertion attribute used to apply a Guest role to users in Mattermost. See the Guest Accounts documentation for more information. String input.
- true: System admin status is determined by the SAML Assertion attribute set in Admin attribute.
- false: (Default) System admin status is not determined by the SAML Assertion attribute.
(Optional) This setting determines the attribute in the SAML Assertion for designating system admins. Users are automatically promoted to this role when logging in to Mattermost. If the Admin attribute is removed, users that are logged in retain Admin status. The role is revoked only when users log out. String input.
(Optional) This setting determines the SAML Assertion attribute that populates the position (job title or role at company) of users in Mattermost. String input.
Use this setting to enable OAuth and specify the service provider, with these options:
- Do not allow login via an OAuth 2.0 provider
- GitLab (Available in all plans; see GitLab 2.0 OAuth settings)
- Google Apps (Available in Mattermost Enterprise and Professional; see Google OAuth 2.0 settings)
- Entra ID (Available in Mattermost Enterprise and Professional; see Entra ID OAuth 2.0 settings)
- true: Allows team and account creation using GitLab OAuth authentication. Input the Secret and ID credentials to configure.
- false: (Default) Disables GitLab OAuth authentication.
This setting holds the OAuth Application ID from GitLab. Generate the ID by these steps:
1. Login to your GitLab account.
2. Go to Profile Settings > Applications > New Application and enter a name.
3. Enter the Redirect URLs: https://<your-mattermost-url>/login/gitlab/complete and https://<your-mattermost-url>/signup/gitlab/complete.
4. Take the Application ID provided by GitLab and enter it in the Mattermost System Console field, config.json setting, or Environment variable.
String input.
- System Config path: Authentication > OAuth 2.0 (or GitLab)
- config.json setting: GitLabSettings > Id
- Environment variable: MM_GITLABSETTINGS_ID
This setting holds the OAuth Application Secret Key from GitLab. The key is generated at the same time as the Application ID (see GitLab OAuth 2.0 Application ID). Enter the key provided by GitLab in the Mattermost System Console field, config.json setting, or Environment variable. String input.
This setting holds the URL of your GitLab User API endpoint, e.g. https://<your-gitlab-url>/api/v3/user. Use http:// if SSL is not enabled on your GitLab instance. Enter the URL in the Mattermost System Console field, config.json setting, or Environment variable. String input.
This setting holds the URL of your GitLab Auth endpoint, e.g. https://<your-gitlab-url>/oauth/authorize. Use http:// if SSL is not enabled on your GitLab instance. Enter the URL in the Mattermost System Console field, config.json setting, or Environment variable. String input.
This setting holds the URL of your GitLab OAuth Token endpoint, e.g. https://<your-gitlab-url>/oauth/token. Use http:// if SSL is not enabled on your GitLab instance. Enter the URL in the Mattermost System Console field, config.json setting, or Environment variable. String input.
true: Allows team and account creation using Google OAuth authentication.
false: (Default) Disables Google OAuth authentication.
Enable OAuth 2.0 authentication with Google
'''''''''''''''''''''''''''''''''''''''''''''
- true: Allows team and account creation using Google OAuth authentication. Input the Client ID and Client Secret credentials to configure.
- false: (Default) Disables Google OAuth authentication.
See Google Single Sign-On implementation instructions.
This setting stores the OAuth Client ID from Google. Generate the ID by going to the Credentials section of the Google Cloud Platform APIs & Services menu and selecting Create Credentials > OAuth client ID. See Google Single Sign-On for instructions that can be used to implement Google OAuth or OpenID authentication. String input.
- System Config path: Authentication > OAuth 2.0
- config.json setting: GoogleSettings > Id
- Environment variable: MM_GOOGLESETTINGS_ID
Google OAuth 2.0 Client Secret
''''''''''''''''''''''''''''''
This setting stores the OAuth Client Secret from Google. The Secret is generated at the same time as the Client ID. String input.
We recommend https://people.googleapis.com/v1/people/me?personFields=names,emailAddresses,nicknames,metadata as the User API Endpoint. Otherwise, enter a custom endpoint in config.json with HTTP, or HTTPS, if available on the API server. String input.
We recommend https://accounts.google.com/o/oauth2/v2/auth as the Auth Endpoint. Otherwise, enter a custom endpoint in config.json with HTTP, or HTTPS, if available on the server. String input.
We recommend https://www.googleapis.com/oauth2/v4/token as the Token Endpoint. Otherwise, enter a custom endpoint in config.json with HTTP, or HTTPS, if available on the server. String input.
This setting holds the Application ID generated when configuring Entra ID as a Single Sign-On service through the Microsoft Azure Portal. String input.
- System Config path: Authentication > OAuth 2.0
- config.json setting: Office365Settings > Id
- Environment variable: MM_OFFICE365SETTINGS_ID
This setting holds the Application Secret Password generated when configuring Entra ID as a Single Sign-On service through the Microsoft Azure Portal. String input.
We recommend https://graph.microsoft.com/v1.0/me as the User API Endpoint. Otherwise, enter a custom endpoint in config.json with http, or https, if available on the server. String input.
We recommend https://login.microsoftonline.com/common/oauth2/v2.0/authorize as the Auth Endpoint. Otherwise, enter a custom endpoint in config.json with http, or https, if available on the server. String input.
We recommend https://login.microsoftonline.com/common/oauth2/v2.0/token as the Token Endpoint. Otherwise, enter a custom endpoint in config.json with http, or https, if available on the server. String input.
Use this setting to enable OpenID Connect, with these options:
- Do not allow login via an OpenID provider
- GitLab (see settings)
- Google Apps (see settings)
- Entra ID (see settings)
- OpenID Connect (Other) (see settings)
This setting is prepopulated with the Discovery Endpoint for GitLab OpenID Connect. String input. Default is https://gitlab.com/.well-known/openid-configuration
true: Mattermost uses the preferred_username claim from the GitLab OpenID token as the Mattermost username.
false: (Default) Mattermost does not use the preferred_username claim for username assignment.
Use GitLab OpenID preferred username
''''''''''''''''''''''''''''''''''''''''
true: Allow team creation and account signup using Google OpenID Connect.
false: (Default) Google OpenID Connect cannot be used for team creation or account signup.
- true: Allows team and account creation using Google OpenID authentication.
- false: (Default) Disables Google OpenID authentication.
See Google Single Sign-On implementation instructions.
This setting is prepopulated with the Discovery Endpoint for Google OpenID Connect. See Configure Mattermost for Google Apps SSO. String input. Default is https://accounts.google.com/.well-known/openid-configuration
true: Mattermost uses the preferred_username claim from the Google OpenID token as the Mattermost username.
false: (Default) Mattermost does not use the preferred_username claim for username assignment.
Use Google OpenID preferred username
''''''''''''''''''''''''''''''''''''''''
true: Allow team creation and account signup using Entra ID OpenID Connect.
false: (Default) Entra ID OpenID Connect cannot be used for team creation or account signup.
Enable OpenID Connect authentication with Entra ID
''''''''''''''''''''''''''''''''''''''''''''''''''
- true: Allows team and account creation using Entra ID OpenID Connect authentication.
- false: (Default) Disables Entra ID OpenID Connect authentication.
See Entra ID Single Sign-On implementation instructions.
This setting holds the Directory (tenant) ID set for Mattermost through the Microsoft Azure Portal. See Entra ID Single Sign-On implementation instructions. String input.
This setting is prepopulated with the Discovery Endpoint for Entra ID OpenID Connect. See Entra ID Single Sign-On implementation instructions. String input. Default is https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration
This setting stores the Application (client) ID generated through the Microsoft Azure Portal. See Entra ID Single Sign-On implementation instructions. String input.
- System Config path: Authentication > OpenID Connect
- config.json setting: Office365Settings > Id
- Environment variable: MM_OFFICE365SETTINGS_ID
Entra ID Client Secret
'''''''''''''''''''''''''
This setting stores the Client Secret generated through the Microsoft Azure Portal. See Entra ID Single Sign-On implementation instructions. String input.
true: Mattermost uses the preferred_username claim from the Entra ID OpenID token as the Mattermost username.
false: (Default) Mattermost does not use the preferred_username claim for username assignment.
Use Entra ID preferred username
'''''''''''''''''''''''''''''''''''