SAML single sign-on
SAML-based single sign-on (SSO) gives your team members access to Slack through an identity provider (IDP) of your choice.
A list of the identity providers that we’ve partnered with can be found on our App Directory under the Security and Compliance section.
Step 1 — Configure your identity provider
To get started, you’ll need to set up a connection for Slack SSO — also known as a connector app — with your IDP.
Many providers we work with have created help pages for enabling SAML with Slack: OneLogin, Ping Identity, Ping Federate, Okta, Microsoft Azure Active Directory, Bitium, LastPass, Centrify, Clearlogin, Auth0, and NoPassword.
Note: If you’d like to use G Suite instead, head over to G Suite single sign-on.
Step 2 — Set up SSO for your team
Now that you’ve configured your identity provider, a Team Owner can enable the SSO feature on your Slack team. Here’s how:
- Visit the Team Settings page at my.slack.com/admin/settings.
- From the menu icon in the top left corner, click Authentication.
- Next, click Configure for SAML authentication (OneLogin, Okta, or your custom SAML 2.0 solution).
Step 3 — Set up SAML 2.0 authentication
Slack has connector apps for OneLogin and Okta. To use either of them, search for the “Slack” application from your IDP's dashboard.
Tip: Before applying the new SAML authentication configuration, toggle to Test mode to try out the connection and make sure it passes. For now, this feature is only available on the Plus plan.
- Choose your SAML provider, and click Configure.
- In the space for SAML SSO URL, enter your IDP SAML 2.0 Endpoint URL (HTTP). You would have gotten this information when you set up the connector app earlier. If Okta is your provider, you can include the IDP URL if you choose.
- You have the option to include the IDP Entity ID in the Identity Provider Issuer field.
- Next, copy the entire X.509 Certificate from your identity provider and paste it into the Public Certificate field.
- Expand Advanced Options to choose how the SAML response from your IDP is signed.
- Under Settings, adjust whether you want to let your team members edit profile information (like their email or username) after SSO is enabled. You can also choose whether SSO is required, partially required, or optional.
- Lastly, customize the sign in button label that members will see when they log in.
- Press Save Configuration to finish.
Note: If you have Guest accounts on your team, we recommend choosing the option where SSO is partially required, so those members can still access your Slack team.
After SSO is enabled
When you have finished setting up single sign-on for your Slack team, each member will receive an email letting them know about the change. The email will prompt members to connect — or bind — their Slack accounts with your identity provider.
From now on, all members will log in to Slack with their identity provider account. If you chose the option where SSO is required, members will see a login page when they visit your team's URL.
Tip: To help simplify user management, Slack supports the SCIM provisioning standard. This allows you to create and remove users automatically with our SCIM API. For more, visit Manage team members with SCIM provisioning.
- Team Owners can access this feature.
- Available to teams on the Plus plan and Slack Enterprise Grid.