SAML single sign-on

SAML-based single sign-on (SSO) gives members access to Slack through an identity provider (IDP) of your choice.

A list of the identity providers that we’ve partnered with can be found on our App Directory under Security and Compliance.

Note: We also offer guides to help you set up custom SAML single sign-on or ADFS single sign-on.


Step 1: Configure your identity provider

To get started, you’ll need to set up a connection for Slack SSO — also known as a connector — with your IDP.

Many providers we work with have created help pages for enabling SAML with Slack: 

Note: If you’d like to use G Suite OAuth 2.0 instead, head over to G Suite single sign-on.


Step 2: Set up SAML SSO for Slack

Plus plan

Enterprise Grid plan

On the Plus plan, now that you’ve configured your identity provider, a Workspace Owner can enable the SSO feature in Slack:

Tip: Before applying the new SAML authentication configuration, toggle to Test mode to try out the connection and make sure it passes.

    1. From your desktop, click your workspace name in the top left.
    2. Select Administration, then Workspace settings from the menu.
    3. Click the Authentication tab.
    4. Click Configure next to SAML authentication, choose your SAML provider, then click Configure.
    5. Next to SAML SSO URL, enter your SAML 2.0 Endpoint URL (HTTP). (This would have come from setting up your connector. If Okta is your provider, you can include the IDP URL if you'd like.)
    6. Enter your IDP Entity ID next to Identity Provider Issuer.
    7. Copy the entire X.509 Certificate from your identity provider and paste it in the Public Certificate field.
    8. Click Expand next to Advanced Options. Choose how the SAML response from your IDP is signed. If you need an end-to-end encryption key, check the box next to Sign AuthnRequest to show the certificate.
    9. Under Settings, decide if members can edit their profile information (like their email or display name) after SSO is enabled. You can also choose whether SSO is required, partially required or optional.
    10. Under Customize, enter a Sign In Button label.
    11. Select Save Configuration to finish. 

Note: If you have guest accounts, we recommend choosing the option where SSO is partially required, so guests can still sign in to the workspaces they have access to.

Now that you’ve configured your identity provider, an Org Owner or Org Admin can enable the SSO feature on your Enterprise Grid organization:

  1. Sign in to your Slack Enterprise Grid, then click Manage Organization.
  2. Visit the Security page of the Admin Dashboard.
  3. In the SSO Configuration section, click Configure SSO.
  4. Enter your SAML 2.0 Endpoint URL. This is where authentication requests from Slack will be sent. You would have gotten this information when you set up the connector earlier. 
  5. Enter your Identity Provider Issuer URL. This is also known as the entity ID. 
  6. The Service Provider Issuer URL is set to https://slack.com by default. This field should match what you've set in your IDP.
  7. Copy the entire X.509 Certificate from your identity provider.
  8. Choose whether the SAML responses and assertions are signed. If you require an end-to-end encryption key for your IDP, select the checkbox next to Sign AuthnRequest to show the certificate. You can also select your preference for AuthnContextClassRef values.
  9. Click Test Configuration. We'll let you know if the changes are successful or whether you need to make further changes. 
  10. When you're ready, click Turn on SSO.
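
To see which signing option in step 8 matches what your IDP actually sends, and whether the issuer and audience agree with the values entered above, you can inspect the base64 SAMLResponse value captured from your own test sign-in. This is an added example, not Slack's code: the function name, the idp.example.com issuer and the sample message are constructed, and it reports structure only without verifying any signature.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
CLASS_REF = "saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef"
AUDIENCE = "saml:Conditions/saml:AudienceRestriction/saml:Audience"

def inspect_saml_response(b64_response, expected_idp_issuer,
                          expected_sp_issuer="https://slack.com"):
    """Structural report on a SAMLResponse. Does NOT verify signatures."""
    xml_bytes = base64.b64decode(b64_response)
    if b"<!DOCTYPE" in xml_bytes or b"<!ENTITY" in xml_bytes:
        raise ValueError("DTD/entity declarations are not allowed here")
    root = ET.fromstring(xml_bytes)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("not a SAML 2.0 Response")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:  # encrypted or multiple assertions: out of scope
        raise ValueError("expected exactly one plaintext Assertion")
    assertion = assertions[0]
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS)
    audiences = [a.text.strip() for a in assertion.findall(AUDIENCE, NS) if a.text]
    return {
        # In SAML, an element's enveloped signature is its direct ds:Signature child.
        "response_signed": root.find("ds:Signature", NS) is not None,
        "assertion_signed": assertion.find("ds:Signature", NS) is not None,
        "issuer_matches": issuer.strip() == expected_idp_issuer,
        "audience_matches": expected_sp_issuer in audiences,
        "authn_context": assertion.findtext(CLASS_REF, default=None, namespaces=NS),
    }

# Constructed sample (not a real IdP message; the empty ds:Signature is a placeholder).
SAMPLE_XML = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"'
    ' xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"'
    ' xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><saml:Assertion>'
    '<saml:Issuer>https://idp.example.com/metadata</saml:Issuer><ds:Signature/>'
    '<saml:Conditions><saml:AudienceRestriction><saml:Audience>https://slack.com'
    '</saml:Audience></saml:AudienceRestriction></saml:Conditions>'
    '<saml:AuthnStatement><saml:AuthnContext><saml:AuthnContextClassRef>'
    'urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport'
    '</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement>'
    '</saml:Assertion></samlp:Response>')
SAMPLE_B64 = base64.b64encode(SAMPLE_XML.encode())

if __name__ == "__main__":
    print(inspect_saml_response(SAMPLE_B64, "https://idp.example.com/metadata"))
```

For the sample, the report shows a signed assertion inside an unsigned response, so the signing option chosen in step 8 would need to expect a signed assertion.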


 💡  Learn how to connect IDP groups to workspaces in your organization. 


What to expect after SSO is enabled

When you've finished setting up SSO, each member will receive an email letting them know about the change. The email will prompt members to connect — or bind — their Slack accounts with your identity provider. Members will have 72 hours to bind their account before their link expires.

From now on, all members will sign in to Slack with their identity provider account. If you chose to require SSO, members will see a sign in page when they visit your Slack URL.

Tip: To simplify member management, Slack supports the SCIM provisioning standard. Visit Manage members with SCIM provisioning to learn how to automatically manage members.


Test updates to your SSO configuration

Plus plan

Enterprise Grid plan

On the Plus plan, you can update your SSO configuration after it's been set up, making and testing changes safely without disrupting single sign-on for members.

  1. Click your workspace name in the top left to open the menu.
  2. Select Administration, then Workspace settings from the menu.
  3. Click the Authentication tab. 
  4. Click Change Settings.
  5. In the top right, toggle Test mode on.
  6. Enter any updates you'd like to make. 
  7. When you're ready, click Save Configuration to save your changes. 

On the Enterprise Grid plan, you can update your SSO configuration after it's been set up, making and testing changes safely without disrupting single sign-on for members.

  1. Sign in to your Slack Enterprise Grid, then click Manage Organization.
  2. Visit the Security page of the Admin Dashboard.
  3. In the SSO Configuration section, click Configure SSO.
  4. Click Change Configuration, then enter any updates you'd like to make to values in your SSO configuration. 
  5. Click Test Configuration. We'll let you know if the changes are successful or not.
  6. When you're ready, click Confirm Update.

 

Who can use this feature?
  • Only Workspace Owners and Admins can access this feature. 
  • Available to workspaces on the Plus plan and Slack Enterprise Grid.
