Rocket.chat - SSO configuration

Rocket.chat - SSO configuration

This documentation has been tested and approved by Kelvin Zero's team
This documentation provides a step-by-step guide to setting up Single Sign-On (SSO) for Rocket.chat using MPAS. SSO simplifies user authentication by allowing access to multiple applications with a single set of credentials. This integration enhances security and improves user experience across your organization.
To set up Multi-Pass withRocket.chat, ensure you meet the following requirements:
- Rocket.chat admin rights
- MPAS Admin rights
- Make sure that all users intended to use SSO in Rocket.chat are registered in your IdP and have the necessary permissions to access Rocket.chat.
Important: Custom elements in URLs (like realm names) are case sensitive. Make sure to match the exact casing from your environment.


Rocket.chat - SSO configuration



Step 1 – Access Rocket.Chat SAML Settings

  1. From your Rocket.Chat dashboard, click the three vertical dots on the left sidebar and go to Workspace.

  1. In the left column, scroll down and click on Settings.
  2. Use the search bar or scroll to find the SAML section and click Open.

  1. Complete the following two fields:
    1. Custom Provider: multipass (example)
    2. Custom Issuer: https://<YOUR_ROCKETCHAT_DOMAIN>/_saml/metadata/<CUSTOM_PROVIDER_NAME>

Step 2 – Configure MPAS (Multi-Pass)

  1. Open Multi-Pass Dashboard

  1. Select the appropriate deployment, then click on Advanced Console.

  1. In the left menu, click Clients → Create Client.

  1. Fill in the following:
FieldValue
Client TypeSAML
Client IDhttps://<YOUR_ROCKETCHAT_DOMAIN>/_saml/metadata/<CUSTOM_PROVIDER_NAME>
Namerocketchat
Descriptiontest SSO
Always display in UION


  1. Click Next, then complete:
FieldValue
Home URLhttps://ca.auth.kzero.com/realms/<TENANT_NAME>/protocol/saml/clients/<SSO_Name>
Valid Redirect URIshttps://<YOUR_ROCKETCHAT_DOMAIN>/_saml/validate/<CUSTOM_PROVIDER_NAME>
IDP-Initiated SSO URL Namerocketchat


  1. Click Save
Make sure the next fields are correctly completed : 
  1. In the settings tab, SAML capabilities section : 
FieldValue
Name ID Formatemail
Force Name ID FormatON
  1. in the Signature and Encryption section 
    1. Sign Assertions : ON 
  2. Click Save, and go to the keys tab : 
    1. Signing keys config: OFF
    2. Encryption keys config: OFF
  3. Now, go to the advanced tab: 
    1. Assertion Consumer Service POST Binding URL: https://<YOUR_ROCKETCHAT_DOMAIN>/_saml/validate/<CUSTOM_PROVIDER_NAME> (Same than the one you add to Valid Redirect URIs)
  4. Click Save

Step 3 – Retrieve the Certificate

  1. On the left menu, click Realm Settings → Keys tab.
  2. Locate the line labeled RS256 and click Certificate.

  1. Copy the certificate and paste it into a .pem file, surrounded by: 
-----BEGIN CERTIFICATE-----
(your cert)
-----END CERTIFICATE-----

Step 4 – Finalize Rocket.Chat Configuration

Back in Rocket.Chat, complete the fields:
  1. Custom Entry Point: https://ca.auth.kzero.com/realms/<TENANT_NAME>/protocol/saml
  2. IDP SLO Redirect URL: https://ca.auth.kzero.com/realms/<TENANT_NAME>/protocol/saml
  3. Public Cert Contents: Paste the .pem certificate from the previous step.
  4. Click Save changes at the bottom right of the page.
  5. Finally, enable SSO using the toggle at the top right corner of the page.

Info
If you want to customize layout or user role mappings, explore the Premium and General tabs in Rocket.Chat settings.


    • Related Articles

    • SAML SSO Integration Guide

      This guide provides an overview of how to configure SAML Single Sign-On (SSO) between Multi-Pass and a third-party Service Provider (SP). Multi-Pass acts as the Identity Provider (IdP) in this federation model. Multi-Pass is working on SCIM support ...

    • ConnectWise - SSO configuration

      This documentation has been tested and approved by Kelvin Zero's team This documentation provides a step-by-step guide to setting up Single Sign-On (SSO) for ConnectWise using MPAS. SSO simplifies user authentication by allowing access to multiple ...

    • SuperOps - SSO configuration

      This documentation has been tested and approved by Kelvin Zero's team This documentation provides a step-by-step guide to setting up Single Sign-On (SSO) for SuperOps using MPAS. SSO simplifies user authentication by allowing access to multiple ...

    • Auvik - SSO configuration

      This documentation has been tested and approved by Kelvin Zero's team This documentation provides a step-by-step guide to setting up Single Sign-On (SSO) for Auvik using MPAS. SSO simplifies user authentication by allowing access to multiple ...

    • HaloPSA - SSO configuration

      This documentation has been tested and approved by Kelvin Zero's team This documentation provides a step-by-step guide to setting up Single Sign-On (SSO) for HaloPSA using MPAS. SSO simplifies user authentication by allowing access to multiple ...