SAML single sign-on

SAML-based single sign-on (SSO) gives members access to Slack through an identity provider (IDP) of your choice.

A list of the identity providers that we’ve partnered with can be found on our App Directory under Security and Compliance.

Note: We also offer guides to help you set up Custom SAML single sign-on or ADFS single sign-on!

 

Plus plan

Slack Enterprise Grid

Step 1 — Configure your identity provider

To get started, you’ll need to set up a connection for Slack SSO — also known as a connector — with your IDP.

Many providers we work with have created help pages for enabling SAML with Slack: OneLogin, Ping Identity, Ping Federate, Okta, Microsoft Azure Active Directory, LastPass, Centrify, Clearlogin, Auth0, and NoPassword.

Note: If you’d like to use G Suite instead, head over to G Suite single sign-on.

 

Step 2 — Set up SSO for your workspace

Now that you’ve configured your identity provider, a Workspace Owner can enable the SSO feature in Slack.

Here’s how:

  1. Visit the Workspace Settings page at my.slack.com/admin/settings.
  2. Click Authentication.
  3. Click Configure for SAML authentication (OneLogin, Okta, or your custom SAML 2.0 solution).

 

Step 3 — Set up SAML 2.0 authentication

Slack has connectors for OneLogin and Okta. To use either of them, search for the Slack application from your IDP's dashboard.

Tip: Before applying the new SAML authentication configuration, toggle to Test mode to try out the connection and make sure it passes.

Follow the steps below to set up single sign-on:

  1. Choose your SAML provider, then click Configure.
  2. In the space for SAML SSO URL, enter your SAML 2.0 Endpoint URL (HTTP). You received this information when you set up the connector earlier. If Okta is your provider, you can include the IDP URL if you choose.
  3. Enter your IDP Entity ID in the Identity Provider Issuer field.
  4. Copy the entire X.509 Certificate from your identity provider and paste it into the Public Certificate field.
  5. Expand Advanced Options. Choose whether the SAML responses and assertions are signed. If you require an end-to-end encryption key for your IDP, select the checkbox next to Sign AuthnRequest to show the certificate. You will also find the AuthnContextClassRef and Service Provider Issuer in this section.
  6. Under Settings, adjust whether you want to let members edit their profile information (like email or display name) after SSO is enabled. You can also choose whether SSO is required, partially required* or optional.
  7. Lastly, customize the sign-in button label that members will see when they log in.
  8. Press Save Configuration to finish. 

Note: If you have guest accounts, we recommend choosing the option where SSO is partially required, so guests can still sign in to the workspaces they have access to.

 

What to expect after SSO is enabled

When you have finished setting up SSO, each member will receive an email letting them know about the change. The email will prompt members to connect — or bind — their Slack accounts with your identity provider.


From now on, all members will log in to Slack with their identity provider account. If you chose the option where SSO is required, members will see an SSO login page when they visit your Slack URL.

Tip: To help simplify managing members, Slack supports the SCIM provisioning standard. This allows you to create and remove users automatically with our SCIM API. For more, visit Manage members with SCIM provisioning.


Test updates to your SSO configuration

To update your SSO configuration once it has been implemented, workspaces on the Plus plan can make changes and test them safely without affecting single sign-on for members. 

Here's how:

  1. Visit the Workspace Settings page at my.slack.com/admin/settings.
  2. From the menu icon in the top left corner, click Authentication.
  3. Click Change Settings.
  4. In the top right, toggle to Test mode.
  5. Enter any updates you'd like to make to values in your SSO configuration. 
  6. Click Test Configuration. We'll let you know if the changes are successful or whether you need to make further changes.
  7. When you're ready, click Save Configuration to implement your changes. 

Slack Enterprise Grid

Step 1 — Configure your identity provider

To get started, you’ll need to set up a connection for Slack SSO — also known as a connector — with your IDP.

Many providers we work with have created help pages for enabling SAML with Slack: OneLogin, Ping Identity, Ping Federate, Okta, Microsoft Azure Active Directory, LastPass, Centrify, Clearlogin, Auth0, and NoPassword.

Note: If you’d like to use G Suite instead, head over to G Suite single sign-on.

 

Step 2 — Set up SSO for your organization

Now that you’ve configured your identity provider, an Org Owner or Org Admin can enable the SSO feature on your Enterprise Grid organization.

Here’s how:

  1. Sign in to your Slack Enterprise Grid, then click Manage Organization.
  2. Visit the Security page of the Admin Dashboard.
  3. In the SSO Configuration section, click Configure SSO.

 💡 Learn how to connect IDP groups to workspaces in your organization. 


Step 3 — Set up SAML 2.0 authentication

Slack has connectors for OneLogin and Okta. To use either of them, search for the Slack application from your IDP's dashboard.

Follow the steps below to configure single sign-on from the Configure SSO page:
  1. Enter your SAML 2.0 Endpoint URL. This is where authentication requests from Slack will be sent. You received this information when you set up the connector earlier.
  2. Enter your Identity Provider Issuer URL. This is also known as the entity ID. 
  3. The Service Provider Issuer URL is set to https://slack.com by default. This field should match what you've set in your IDP.
  4. Copy the entire X.509 Certificate from your identity provider.
  5. Choose whether the SAML responses and assertions are signed. If you require an end-to-end encryption key for your IDP, select the checkbox next to Sign AuthnRequest to show the certificate. You can also select your preference for AuthnContextClassRef values.
  6. Click Test Configuration. We'll let you know if the changes are successful or whether you need to make further changes. 
  7. When you're ready, click Turn on SSO.

 

What to expect after SSO is enabled

When you have finished setting up SSO, each member will receive an email letting them know about the change. The email will prompt members to connect — or bind — their Slack accounts with your identity provider.

From now on, all members will log in to Slack with their identity provider account. If you chose the option where SSO is required, members will see an SSO login page when they visit your Slack URL.

Tip: To help simplify managing members, Slack supports the SCIM provisioning standard. This allows you to create and remove users automatically with our SCIM API. For more, visit Manage members with SCIM provisioning.


Test updates to your SSO configuration

To update your SSO configuration once it has been implemented, you can make changes and test them safely without affecting single sign-on for members. 

Here's how:

  1. Sign in to your Slack Enterprise Grid, then click Manage Organization.
  2. Visit the Security page of the Admin Dashboard.
  3. In the SSO Configuration section, click Configure SSO.
  4. Click Change Configuration, then enter any updates you'd like to make to values in your SSO configuration. 
  5. Click Test Configuration. We'll let you know if the changes are successful or not.
  6. When you're ready, click Confirm Update.

Who can use this feature?
  • Workspace Owners can access this feature in Slack for Teams. Org Owners can access this feature for Slack for Enterprise. 
  • Available to workspaces on the Plus plan and Slack Enterprise Grid.
