Upcoming changes to identity management integrations

NOTE: This message was edited on September 14th for clarity, incorporating constructive suggestions from our supportive community.

TL;DR (Executive Summary)

Rocket.Chat has started refactoring code that will have select advanced identity management features implemented only in Enterprise Edition. This is unlikely to affect current users of SAML, OAuth, or Custom OAuth, as most of the basic features remain in the Community Edition. We are doing this to better support and service those who depend on these advanced features, and to be able to invest back into our ever-growing community. Existing contributors, non-profit, or “do good” organizations should contact us for concession discount and free programs.

To all Rocket.Chat users,

The community of Rocket.Chat users has continued to grow rapidly during 2021. To keep pace, we’ve invested in growing the size of the team to ensure that we can improve the quality and capabilities of the open source community edition and paid versions of the platform.

Our team has recently completed a refactoring of all identity management integrations including LDAP features, SAML integration and advanced OAuth capabilities. In our (tentative) September 27th release, selected advanced functionalities (role mappings, background syncs, etc.) of those features will be implemented only in the Rocket.Chat enterprise edition, while all the basic functionalities of LDAP, SAML, Social Logins and Custom OAuth will remain available for use and extension in the community edition.

The community edition LDAP feature will allow workspaces to connect to an LDAP server and import user names and identifiers, but additional capabilities such as syncing extended user attributes, managing group & team assignments and background synchronization will require an enterprise license. Here’s a full description of the feature set available with each edition and a Frequently Answered Questions (FAQ).

It is important to note that, even after this release, Rocket.Chat will still be the only major open source communications platform to include any LDAP feature in its community edition. All others require a paid license, a complex configuration or a third party integration. It’s worth noting that we’ll continue our commitment to long time community contributors, open source non-profits, and people who do good things around the world - if you’re running a non-commercial initiative on Rocket.Chat, as always, just reach out.

This change will allow our team to support the advanced identity management features more effectively. It will enable us to keep improving quality and reliability, and to enhance support for community features. Accordingly, we will be able to continue to expand our identity management features to keep up with functionality requests while ensuring that the workspaces who leverage those capabilities for commercial purposes help with the evolution of Rocket.Chat.

As a resource and commitment to the community, we’re also putting together a public stewardship document (link to be shared soon) that details the operating principles used to decide how features and capabilities are split between the community edition and the enterprise version of Rocket.Chat. This will ensure complete transparency for the community around how these types of decisions are made.

I’d like to reinforce that we believe in the power of the community and will continue to strengthen it. In order to do that, we have expanded our investment in engineering, design, quality assurance and product resources to address community feedback around improving reliability, usability and capabilities of the platform and will report progress back to the community on a monthly basis.

We’re also investing more resources into engaging and developing the community, ranging from improving documentation all the way to launching an exclusive new community incentive program that will offer more opportunities for community members to collaborate, share knowledge, elevate their presence in the industry and showcase all the amazing things being accomplished with Rocket.Chat.

Thank you for your support.

Gabriel Engel

On September 10th, 2021 Rocket.Chat held a “Community Open Call: Upcoming changes to identity management integrations” session gathering valuable input and suggestions from our supportive community. We invite you to join the conversation at our next community open call.

6 Likes

It is understandable that some of the latest features are not coming down to CE.
But please tell me why these important ones are being removed?

  • Filter what LDAP users can log in
  • Background Sync

6 Likes

What bad news. When you have no idea what the Enterprise edition costs…

Time to move to Matrix I guess, really sad.

6 Likes

This is really concerning news to hear! Our applications totally depend on custom OAuth integration. Due to removal of this feature, we’d have to re-consider if Rocket.chat is a fit for our applications.

7 Likes

As a long-time RocketChat self-hoster (~15 users) and advocate, using only Custom Oauth for logins, who never asked for support or assistance (in fact just opened an account here to post this comment) I can’t believe I am reading this. I will be forced to ask all my users to change to something else now. Well played!

5 Likes

Does this mean that Google Auth integration will stop working?

I fully need to agree with @thash.

I understand limiting new functions to the Enterprise version, but cutting down long existing functionality is a no-go.

The automatic assignment of LDAP users to channels is a core feature I use in my private RC server which I also provide for my non-profit Basketball club as a communications tool. Just disabling these features is the next punch into the faces of community users.

I’m really very, very concerned about this kind of strategy. I’ve understood the limitation of the push gateway for community servers as this actively costs your resources and money. Like many others I took the workaround building the mobile app on my own (Whitelabeling).

But functions which are in for ages don’t cost your money. Leave them as they are, and put new extensions into Enterprise.

@gabriel.engel : If you really are that low on money that you need to start to cut functions away from Community, start a sponsor plan for a few bucks per year for Community users. Or put functions for a few bucks into the RC App Store for the Community to support you. I guess many will pay a few bucks per year to you for the Community Edition.

But don’t do this here!
(Onlyoffice did something similar to the Community by cutting mobile editing away from their Community Version, and it did not end well. Apart from huge shitstorms, hundreds of Nextcloud and other users migrated to Collabora and did the same for their paid installations in their companies.)

Finally: It’s absolutely wrong that RC is the only platform where you can do LDAP in the Community edition. I’m doing this on my Matrix/Element server from long before I even heard about Rocket Chat.

Marco

6 Likes

I’m completely with @jacotec and @thash.

Limiting Push Notifications was one thing which maybe could have been handled better (e.g. more flexible monetizing models) but now this?

I think it’s very concerning what direction the rocket.chat team is taking. Especially since everything gets put into the EE-Version which, fun fact, simply is too expensive for most of us.

Also don’t get me wrong, I love RC and it was me who managed to excite our management for this product BUT I can tell you here and now that none of our bosses will pay thousands of dollars per month just to get background sync back. Before that happens they will just switch products, no matter how often I try to defend this project.

7 Likes

Same boat here. I’ve forked it, though, for customization (and fixes). I use custom OAuth, because the built-in Drupal integration doesn’t work for me. On the bright side, I handle accounts via the API from the Drupal end, so account creation and room ownership should still be okay.

We’re a nonprofit that’s trying to offer a service to our constituents. We really can’t afford to rebuild the service around another product. I guess I’ll just have to become really selective about merges.

3 Likes

It is important to note that […] Rocket.Chat will still be the only major open source communications platform to include any LDAP feature in its community edition.

I’d suggest to reconsider this statement. Of course, depending on how you define “major … communications platform” :wink:

4 Likes

That’s a shot in the foot.

2 Likes

I have an alternative proposal:

Let the Community Edition use the identity management configurations without support. If we want access to support, then we have to use the Enterprise Edition. We can rely on the same community support if we have questions, but official Rocket Chat support will not be possible under Community Edition.

Is this doable @gabriel.engel?

4 Likes

If you actually REMOVE LDAP Search Filter and Group Filter from the community edition I am cancelling my sponsorship and moving >200 users to another solution. This is a nail in the coffin. I am furious, you’ve had something good here, we were willing to pay a small fee for push notifications which we are, but this is it, it’s over.

5 Likes

@tomaszd I am hoping that they take my proposal into consideration. Pay for support essentially.

What in the actual f is going on here

Guaranteed we will drop the platform and sponsorship.

1 Like

Not good, this is almost blackmailing. It makes total sense to limit access to new features to CE, but longstanding ones that in fact were tested (and even sometimes contributed) by the community does not sound right.

This is so wrong, maybe time to look for options.

2 Likes

Here, I am using Rocket Chat with my friends and family. We are not many but as an IT Engineer, I have more than a RocketChat server, I am using Keycloak to authenticate them, which removes the account fence users can face when trying a new service.

Today you are removing OAuth for whatever reason (it’s a core feature, but also a basic one that won’t make a difference for companies who need other advanced options), and what would you remove next time? I have being captive and that’s against opensource minded projects.

Anyway. I get that new features might not be available to CE, but removing what attract users in the first place is a shame.

I was considering an open-source solution instead of using Discord, especially for privacy reasons. I tried Mattermost which was really limited, Matrix which was limited and too complex too. Finally I tried RocketChat and it was good enough for my usage.

If you go down this avenue, I will stop losing my time with all these greedy projects and go back to Discord. After all, being opensource is useless if you fear the team will remove features at every new release.

Okay,
bad news. LDAP only in Gold Plan?
At the moment I host 45 small non-profit communities in Rocketchats; they all connect over LDAP. Some wanted the Gold Plan, but I think I will move all to Matrix because of your changes.

You kill many communities with this move, and you see other Rocketeers are not amused either.

2 Likes

Time for us to move to another application. We have a non-profit organisation and use LDAP. A shot in the foot indeed.