Custom SAML single sign-on

If your preferred identity provider doesn’t have a connector with Slack, you can use a custom SAML connection.

Note: We’re happy to help troubleshoot your setup, but we can’t always guarantee your connection will work with Slack. Let us know if you have any problems and we’ll see what we can do.


Parameters

Follow these parameters to configure your custom SAML connection. 

Provisioning

  • Slack supports Identity Provider (IdP) Initiated Flow, Service Provider (SP) Initiated Flow, Just-In-Time (JIT) provisioning and automatic provisioning through our SCIM API.
  • For SP-initiated single sign-on, go to https://yourdomain.slack.com.

SSO post-back URL

  • https://yourdomain.slack.com/sso/saml
    (Also known as the Assertion Consumer Service URL)

Entity ID

  • https://slack.com

SAML logout endpoint

  • https://yourdomain.slack.com/sso/saml/logout

Bear in mind: Slack does not support single log-out or session duration configured in your IdP.

Considerations

  • Slack supports the HTTP POST binding, not HTTP REDIRECT. You must configure HTTP POST bindings in the IdP metadata.
  • Your IdP must ensure a user is both authenticated and authorised before sending an assertion. If a user isn’t authorised, assertions should not be sent. We recommend that your identity provider redirect people to an HTTP 403 page or something similar.


Settings to include

NameID (required)

<saml:Subject>
  <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
               NameQualifier="YOURDOMAIN.slack.com"
               SPNameQualifier="https://slack.com">Your Unique Identifier</saml:NameID>
</saml:Subject>

Note: To meet the SAML specification, the NameID must be unique and pseudo-random, and it must not change for the user over time (e.g. an employee ID number).

Email attribute (required)

<saml:Attribute Name="User.Email"
                NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
  <saml:AttributeValue xsi:type="xs:anyType">testuser@youremail.com</saml:AttributeValue>
</saml:Attribute>


Username Attribute (Optional)

<saml:Attribute Name="User.Username"
                NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
  <saml:AttributeValue xsi:type="xs:anyType">UserName</saml:AttributeValue>
</saml:Attribute>


First Name Attribute (Optional)

<saml:Attribute Name="first_name"
                NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
  <saml:AttributeValue xsi:type="xs:anyType">FirstName</saml:AttributeValue>
</saml:Attribute>


Last Name Attribute (Optional)

<saml:Attribute Name="last_name"
                NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
  <saml:AttributeValue xsi:type="xs:anyType">LastName</saml:AttributeValue>
</saml:Attribute>


Certificates

Public certificate

Slack requires the SAML response to be signed, and you will need to paste a valid X.509 certificate in .pem format so that Slack can verify your IdP's signature. This is different from your SSL certificate.
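As an added example (not Slack's own code or tooling), the following Python pre-flight check parses a SAML response and confirms it carries the settings listed above: a Signature element, a persistent NameID qualified with https://slack.com, the required User.Email attribute, and attribute names that match the ones above. The sample response is constructed, and the check confirms structure only; it does not validate the signature against the certificate you pasted into Slack.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
REQUIRED_ATTRS = {"User.Email"}
OPTIONAL_ATTRS = {"User.Username", "first_name", "last_name"}

# Constructed sample standing in for a response exported from your IdP.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <ds:Signature><ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>
  <saml:Assertion>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
          NameQualifier="YOURDOMAIN.slack.com" SPNameQualifier="https://slack.com">EMP-10042</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="User.Email"><saml:AttributeValue>testuser@youremail.com
      </saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="first_name"><saml:AttributeValue>Test</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def check_response(xml_text):
    """Return the problems found; an empty list means every setting above is present."""
    problems = []
    root = ET.fromstring(xml_text)
    # Slack requires a signed response. This only confirms a Signature element exists;
    # it does not verify the signature against the X.509 certificate pasted into Slack.
    if root.find(".//ds:Signature", NS) is None:
        problems.append("no ds:Signature element (Slack requires a signed response)")
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        problems.append("NameID missing or empty")
    else:
        if name_id.get("Format") != PERSISTENT:
            problems.append("NameID Format is not persistent")
        if name_id.get("SPNameQualifier") != "https://slack.com":
            problems.append("NameID SPNameQualifier is not https://slack.com")
    # Map attribute Name -> stripped values (IdPs often wrap the value in whitespace).
    attrs = {a.get("Name"): [(v.text or "").strip() for v in a.findall("saml:AttributeValue", NS)]
             for a in root.findall(".//saml:AttributeStatement/saml:Attribute", NS)}
    for name in sorted(REQUIRED_ATTRS):
        if not any(attrs.get(name, [])):
            problems.append("required attribute %s missing or empty" % name)
    for name in sorted(set(attrs) - REQUIRED_ATTRS - OPTIONAL_ATTRS):
        problems.append("attribute %r is not a name listed above (check spelling and case)" % name)
    return problems
```

Run it against the response your IdP produces for a test user before switching the workspace over; every entry in the returned list is a setting to fix on the IdP side.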

End-to-end encryption key 

If you require an end-to-end encryption key for your IdP, you can find a certificate by clicking the Advanced options button located in your workspace’s SSO settings. You can then tick the Sign AuthnRequest preference to reveal Slack’s public encryption key. 

Note: If you want to connect your Active Directory Federation Services (ADFS) instance, read ADFS single sign-on for details.

Who can use this feature?
  • Only workspace owners and admins can access this feature. 
  • Available to workspaces on the Plus subscription and Slack Enterprise Grid.
