SAML single sign-on

SAML-based single sign-on (SSO) gives your team members access to Slack through an identity provider (IDP) of your choice.

A list of the identity providers that we’ve partnered with can be found on our App Directory under the Security and Compliance section.

Note: We offer guides to help you set up Custom SAML single sign-on or ADFS single sign-on, too!

 

Step 1 — Configure your identity provider

To get started, you’ll need to set up a connection for Slack SSO — also known as a connector — with your IDP.

Many providers we work with have created help pages for enabling SAML with Slack: OneLogin, Ping Identity, Ping Federate, Okta, Microsoft Azure Active Directory, Bitium, LastPass, Centrify, Clearlogin, Auth0, and NoPassword.

Note: If you’d like to use G Suite instead, head over to G Suite single sign-on.

 

Step 2 — Set up SSO for your team

Now that you’ve configured your identity provider, a Team Owner can enable the SSO feature on your Slack team. Here’s how:

  1. Visit the Team Settings page at my.slack.com/admin/settings.
  2. From the menu icon in the top left corner, click Authentication.
  3. Next, click Configure for SAML authentication (OneLogin, Okta, or your custom SAML 2.0 solution).

 

Step 3 — Set up SAML 2.0 authentication

Slack has connectors for OneLogin and Okta. To use either of them, search for the “Slack” application from your IDP's dashboard.

Tip: Before applying the new SAML authentication configuration, toggle to Test mode to try out the connection and make sure it passes. For now, this feature is only available on the Plus plan.

Follow the steps below to set up single sign-on:
  1. Choose your SAML provider, and click Configure.
  2. In the space for SAML SSO URL, enter your IDP SAML 2.0 Endpoint URL (HTTP). You would have gotten this information when you set up the connector earlier. If Okta is your provider, you can include the IDP URL if you choose.
  3. You have the option to include the IDP Entity ID in the Identity Provider Issuer field.

  4. Next, copy the entire X.509 certificate from your identity provider and paste it into the Public Certificate field.

  5. Expand Advanced Options to choose how the SAML response from your IDP is signed.

  6. Under Settings, adjust whether you want to let your team members edit profile information (like their email or username) after SSO is enabled. You can also choose whether SSO is required, partially required* or optional.
  7. Lastly, customize the sign in button label that members will see when they log in.
  8. Press Save Configuration to finish. 

Note: If you have Guest accounts on your team, we recommend choosing the option where SSO is partially required, so those members can still access your Slack team.

 

What to expect after SSO is enabled

When you have finished setting up single sign-on for your Slack team, each member will receive an email letting them know about the change. The email will prompt members to connect — or bind — their Slack accounts with your identity provider.

From now on, all members will log in to Slack with their identity provider account. If you chose the option where SSO is required, members will see a login page when they visit your team's URL.

Tip: To help simplify user management, Slack supports the SCIM provisioning standard. This allows you to create and remove users automatically with our SCIM API. For more, visit Manage team members with SCIM provisioning.


Test updates to your SSO configuration

To update your SSO configuration once it has been implemented, teams on the Plus plan can make changes and test them safely without affecting single sign-on for team members. 

Here's how:
  1. Visit the Team Settings page at my.slack.com/admin/settings.
  2. From the menu icon in the top left corner, click Authentication.
  3. Click Change Settings.
  4. In the top right, toggle to Test mode.
  5. Enter any updates you'd like to make to values in your SSO configuration. 
  6. Click Test Configuration. We'll let you know if the changes are successful or whether you need to make further changes.
  7. When you're ready, click Save Configuration to implement your changes. 

 

Who can use this feature?
  • Team Owners can access this feature. 
  • Available to teams on the Plus plan and Slack Enterprise Grid.
