Add a setting to System Console > SAML 2.0 under the "Enable Synchronizing SAML Accounts With AD/LDAP" setting. The new setting is available when "Enable Synchronizing SAML Accounts With AD/LDAP" = True.
New Setting Name: "Ignore Guest Users when Synchronizing with AD/LDAP"
Description: "When true, Mattermost will ignore Guest Users who are identified by the Guest Attribute, when synchronizing with AD/LDAP for user deactivation and removal and Guest deactivation will need to be managed manually via System Console > Users."
In order to QA this PR, you will need to have both SAML and LDAP set up, so that you authenticate via SAML and sync via LDAP.
1. ADFS setup in Active Directory (adfs.e2etest.dev.spinmint.com)
2. SAML needs to be set up with ADFS. (https://docs.mattermost.com/deployment/sso-saml-adfs-msws2016.html)
2a. Set "Enable Synchronizing SAML Accounts with AD/LDAP" = true
2b. Set "Ignore Guest Users when Synchronizing with AD/LDAP" = true
2c. Set "Guest Filter" = Username=guest
2d. Set "Id Attribute" = "objectGUID"
3. Mattermost must be running in SSL. (https://docs.mattermost.com/install/config-tls-mattermost.html)
1. AD/LDAP setup in Active Directory (adfs.e2etest.dev.spinmint.com)
2. LDAP needs to be set up in Mattermost (https://docs.mattermost.com/deployment/sso-ldap.html)
2a. Set "Enable Synchronization with AD/LDAP" = true
2b. Set "ID Attribute" = "objectGUID"
2c. Set "User Filter" = "(sn=user)"
Once both systems are set up and working independently:
Test SAML Login -
Ensure Guest User can log in.
Go to LDAP, run LDAP Sync.
Ensure Guest User was not deactivated.
Should the setting go on the SAML Settings page, since it will only affect users who log in via SAML?
If login is via LDAP, this setting doesn’t make any sense. And Email Authorized users don’t get updated via LDAP.
Updated for SAML.
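The behaviour the setting describes, as an added example that is not Mattermost's own code: a simplified model of one LDAP sync pass over SAML accounts, which also reports the guests the sync skipped and that therefore need manual review in System Console > Users. The type and function names, and the assumption that guests are not returned by the LDAP User Filter, are hypothetical.

```go
package main

import "fmt"

// User is a simplified, hypothetical model of a SAML-authenticated account.
type User struct {
	Username string
	AuthData string // value of the ID attribute (e.g. objectGUID)
	IsGuest  bool   // matched the Guest Filter at SAML login
	Active   bool
}

// SyncResult separates deactivated accounts from guests the sync skipped.
type SyncResult struct {
	Deactivated   []string
	SkippedGuests []string // still active but absent from LDAP: review manually
}

// SyncSAMLUsers models one sync pass; ignoreGuests mirrors the new setting.
func SyncSAMLUsers(users []User, ldapIDs map[string]bool, ignoreGuests bool) SyncResult {
	var res SyncResult
	for i := range users {
		u := &users[i]
		if !u.Active || ldapIDs[u.AuthData] {
			continue // already inactive, or still returned by the User Filter
		}
		if u.IsGuest && ignoreGuests {
			res.SkippedGuests = append(res.SkippedGuests, u.Username)
			continue
		}
		u.Active = false
		res.Deactivated = append(res.Deactivated, u.Username)
	}
	return res
}

// sampleUsers returns constructed test data, not real accounts.
func sampleUsers() []User {
	return []User{
		{"member", "guid-1", false, true},
		{"guest", "guid-2", true, true},
		{"left", "guid-3", false, true},
	}
}

func main() {
	ldap := map[string]bool{"guid-1": true} // only "member" matches the filter
	fmt.Printf("ignore=true:  %+v\n", SyncSAMLUsers(sampleUsers(), ldap, true))
	fmt.Printf("ignore=false: %+v\n", SyncSAMLUsers(sampleUsers(), ldap, false))
}
```

With the setting on, the skipped-guest list is the set of accounts that no automated process will deactivate, so it is the list to audit periodically.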