SAML single sign-on

SAML-based single sign-on (SSO) gives your team members access to Slack through an identity provider (IDP) of your choice.

A list of the identity providers that we’ve partnered with can be found on our App Directory under the Security and Compliance section.

Note: We offer guides to help you set up Custom SAML single sign-on or ADFS single sign-on, too!

 

Step 1 — Configure your identity provider

To get started, you’ll need to set up a connection for Slack SSO — also known as a connector app — with your IDP.

Many providers we work with have created help pages for enabling SAML with Slack: OneLogin, Ping Identity, Ping Federate, Okta, Microsoft Azure, Bitium, LastPass, Centrify, Clearlogin, and Auth0.

Note: If you’d like to use G Suite instead, head over to G Suite single sign-on.

 

Step 2 — Set up SSO for your team

Now that you’ve configured your identity provider, a Team Owner can enable the SSO feature on your Slack team. Here’s how:

  1. Visit the Team Settings page at my.slack.com/admin/settings.
  2. From the menu icon in the top left corner, click Authentication.
  3. Next, click Configure for SAML authentication (OneLogin, Okta, or your custom SAML 2.0 solution).

 

Step 3 — Set up SAML 2.0 authentication

Slack has connector apps for OneLogin and Okta. To use either of them, search for the “Slack” application in your IDP's dashboard. Next, all you need to do is follow these quick instructions:

  1. Choose your SAML provider, and click Configure.
  2. In the space for SAML SSO URL, enter the SAML 2.0 Endpoint URL (HTTP) for your identity provider. You would have gotten this information when you set up the connector app earlier. If Okta is your provider, you can optionally include the IDP URL.
  3. You have the option to include the IDP Entity ID in the Identity Provider Issuer field.
  4. Next, copy the entire X.509 Certificate from your identity provider and paste it into the Public Certificate field.
  5. Now you can adjust whether you want to let your team members edit profile information (like their email or username) after SSO is enabled. You can also choose whether SSO is required, partially required, or optional.
  6. Lastly, customize the sign-in button label that your team members will see when they log in.
  7. Press Save Configuration to finish.

Note: If you have Guest accounts on your team, we recommend choosing the option where SSO is partially required, so those members can still access your Slack team.
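
The check below is an added example, not Slack's code or part of the original guide. It confirms that the text you are about to paste into the Public Certificate field (step 4) is one complete certificate with no private key attached, and returns its SHA-256 fingerprint so you can compare it with the one your IDP shows, assuming your IDP displays one. The function names and the sample data are hypothetical.

```python
import base64
import hashlib
import re

# Matches one complete PEM block; an unmatched BEGIN or END line never matches.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)


def check_pasted_certificate(text):
    """Return the SHA-256 fingerprint of the one certificate in `text`, or raise
    ValueError. Structural check only: no validity dates, no signature check."""
    if "PRIVATE KEY-----" in text:
        raise ValueError("paste contains a private key; only the certificate is needed")
    bodies = [body for label, body in PEM_BLOCK.findall(text) if label == "CERTIFICATE"]
    if len(bodies) != 1:
        raise ValueError(f"expected 1 complete CERTIFICATE block, found {len(bodies)}")
    try:
        der = base64.b64decode("".join(bodies[0].split()), validate=True)
    except ValueError as exc:  # binascii.Error subclasses ValueError
        raise ValueError("certificate body is not valid base64") from exc
    # A certificate is a DER SEQUENCE: tag 0x30, then a length that must cover
    # exactly the remaining bytes. A line lost during copy breaks that equality.
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("decoded data is not a DER SEQUENCE")
    if der[1] < 0x80:  # short form: the length fits in one byte
        header, declared = 2, der[1]
    else:  # long form: the next n bytes hold the length
        n = der[1] & 0x7F
        if n == 0 or len(der) < 2 + n:
            raise ValueError("malformed DER length")
        header, declared = 2 + n, int.from_bytes(der[2:2 + n], "big")
    if header + declared != len(der):
        raise ValueError("certificate is truncated or has trailing data")
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def to_pem(der):
    """Wrap DER bytes in PEM armor with 64-character lines."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join(["-----BEGIN CERTIFICATE-----", *lines, "-----END CERTIFICATE-----"])


# Constructed sample: a DER-shaped placeholder (SEQUENCE header + 256 zero bytes),
# not a real certificate. Feed in the certificate text from your IDP instead.
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(256)
SAMPLE_PEM = to_pem(SAMPLE_DER)
```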

 

After SSO is enabled

When you have finished setting up single sign-on for your Slack team, each member will receive an email letting them know about the change. The email will prompt members to connect — or bind — their Slack accounts with your identity provider.

From now on, all members will log in to Slack with their identity provider account. If you chose the option where SSO is required, members will see a single sign-on login page when they visit your team's URL.

Tip: To help simplify user management, Slack supports the SCIM provisioning standard. This allows you to create and remove users automatically with our SCIM API. For more, visit Manage team members with SCIM provisioning.

Who can use this feature?
  • Team Owners can access this feature. 
  • Available to teams on the Plus plan and Slack Enterprise Grid.