Custom SAML single sign-on

If your identity provider of choice does not have a connector with Slack, you have the option to use a custom SAML connection.

Note: We are happy to help troubleshoot during setup, but we may not be able to guarantee your connection will work perfectly with Slack. Send us a note and we’ll see if we can help. 


Parameters

Follow these parameters to configure your custom SAML connection:

  • Provisioning: Slack supports Identity Provider (IDP) Initiated flow, Service Provider (SP) Initiated flow, Just In Time (JIT) provisioning, and automatic provisioning through our SCIM API. For SP-initiated single sign-on, go to https://yourdomain.slack.com.
  • SSO post-back URL (also known as the Assertion Consumer Service URL): https://yourdomain.slack.com/sso/saml
  • Entity ID: https://slack.com
  • SAML Logout Endpoint: https://yourdomain.slack.com/sso/saml/logout


Considerations

  • Slack supports HTTP POST binding for IDP Response, not HTTP REDIRECT. You must configure HTTP POST bindings in the IDP metadata. SP-initiated requests will be sent to your IDP as HTTP REDIRECT.
  • Your IDP must ensure a user is both authenticated and authorized before sending an assertion. If a user isn't authorized, assertions should not be sent. We recommend your IDP redirect a user to an HTTP 403 page or something similar.
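The bindings named above (an SP-initiated request carried to the IdP as HTTP REDIRECT, the IdP's Response returned with HTTP POST), shown as an added example that is not Slack's code or part of this page. It builds a minimal AuthnRequest for the ACS URL and Entity ID listed in the Parameters section, encodes it with the HTTP-Redirect binding (raw DEFLATE, then base64, then a URL query parameter), and decodes such a URL back so an IdP-side reviewer can inspect what was requested. The IdP SSO URL is an assumed placeholder, and the request is left unsigned here.

```python
# Added example (not Slack's code): HTTP-Redirect binding for an SP-initiated
# AuthnRequest, plus the inverse decode for inspection. The request asks the
# IdP to return its Response with HTTP-POST, as this page requires.
import base64
import datetime
import uuid
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlparse

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
IDP_SSO_URL = "https://idp.example.invalid/sso"   # assumed placeholder, not from the page
ACS_URL = "https://yourdomain.slack.com/sso/saml"  # from the page
ENTITY_ID = "https://slack.com"                    # from the page
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"


def build_authn_request(request_id=None, issue_instant=None):
    """Minimal AuthnRequest: the SP (Slack's Entity ID as Issuer) asks for a
    persistent NameID and for the Response to be POSTed to its ACS URL."""
    request_id = request_id or "_" + uuid.uuid4().hex
    issue_instant = issue_instant or datetime.datetime.now(
        datetime.timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return (
        f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
        f'ID="{request_id}" Version="2.0" IssueInstant="{issue_instant}" '
        f'Destination="{IDP_SSO_URL}" ProtocolBinding="{HTTP_POST}" '
        f'AssertionConsumerServiceURL="{ACS_URL}">'
        f'<saml:Issuer>{ENTITY_ID}</saml:Issuer>'
        f'<samlp:NameIDPolicy Format="{PERSISTENT}" AllowCreate="true"/>'
        '</samlp:AuthnRequest>'
    )


def redirect_binding_url(xml_text, relay_state=None):
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), base64, then the
    SAMLRequest (and optional RelayState) query parameters on the IdP URL."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = compressor.compress(xml_text.encode("utf-8")) + compressor.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii")}
    if relay_state is not None:
        params["RelayState"] = relay_state
    return IDP_SSO_URL + "?" + urlencode(params)


def decode_redirect_binding(url):
    """Reverse the binding and pull out the fields an IdP would check before
    answering: request ID, issuer, ACS URL, requested binding, NameID policy."""
    query = parse_qs(urlparse(url).query)
    raw = base64.b64decode(query["SAMLRequest"][0])
    root = ET.fromstring(zlib.decompress(raw, -15))
    return {
        "id": root.get("ID"),
        "issuer": root.find("saml:Issuer", NS).text,
        "acs_url": root.get("AssertionConsumerServiceURL"),
        "binding": root.get("ProtocolBinding"),
        "name_id_format": root.find("samlp:NameIDPolicy", NS).get("Format"),
        "relay_state": query.get("RelayState", [None])[0],
    }


if __name__ == "__main__":
    url = redirect_binding_url(build_authn_request(), relay_state="/general")
    print(url)
    print(decode_redirect_binding(url))
```

The decoded fields are the ones an IdP should compare against its registered SP metadata before issuing an assertion: the AssertionConsumerServiceURL must be the workspace's /sso/saml endpoint, the Issuer must be https://slack.com, and the ProtocolBinding must be HTTP-POST, since Slack does not accept a Response over HTTP REDIRECT.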


Settings to include

NameID (Required)

<saml:Subject>
  <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
               NameQualifier="YOURDOMAIN.slack.com"
               SPNameQualifier="https://slack.com">Your Unique Identifier</saml:NameID>
</saml:Subject>

Note: To meet SAML specifications, the NameID must be unique and pseudo-random, and it must not change for the user over time (an employee ID number, for example).


Email Attribute (Required)

<saml:Attribute Name="User.Email"
                NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
  <saml:AttributeValue xsi:type="xs:anyType">testuser@youremail.com</saml:AttributeValue>
</saml:Attribute>


Username Attribute (Optional)

<saml:Attribute Name="User.Username"
                NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
  <saml:AttributeValue xsi:type="xs:anyType">UserName</saml:AttributeValue>
</saml:Attribute>


First Name Attribute (Optional)

<saml:Attribute Name="first_name"
                NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
  <saml:AttributeValue xsi:type="xs:anyType">FirstName</saml:AttributeValue>
</saml:Attribute>


Last Name Attribute (Optional)

<saml:Attribute Name="last_name"
                NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
  <saml:AttributeValue xsi:type="xs:anyType">LastName</saml:AttributeValue>
</saml:Attribute>
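The Parameters, Considerations and Settings to include sections together describe what a Response to Slack must carry. As an added example that is not Slack's code or part of this page, the following script checks a SAML Response against those requirements: Destination equal to the ACS URL, Audience equal to the Entity ID, a non-empty persistent NameID with the right SPNameQualifier, the required User.Email attribute, and the presence of a ds:Signature element. It does not verify the signature cryptographically; that step belongs to a SAML library with the IdP's X.509 certificate. The sample Response it checks is constructed here and uses the page's placeholder "yourdomain".

```python
# Added example (not Slack's code): structural check of a SAML Response
# against the settings listed on this page. Signature presence is checked;
# cryptographic verification is deliberately left to a SAML library.
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Values from the page; "yourdomain" is the placeholder the page uses.
WORKSPACE = "yourdomain"
ACS_URL = f"https://{WORKSPACE}.slack.com/sso/saml"
ENTITY_ID = "https://slack.com"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
UNSPECIFIED = "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"


def check_response(xml_text):
    """Return a list of problems; an empty list means every structural
    requirement listed on the page is satisfied."""
    problems = []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if root.tag != f"{{{NS['samlp']}}}Response":
        return ["root element is not samlp:Response"]
    if root.get("Destination") != ACS_URL:
        problems.append(f"Destination must be {ACS_URL}")
    # Slack requires a signed Response: confirm a signature element is at least
    # present on the Response or the Assertion (cryptographic check not done here).
    if (root.find("ds:Signature", NS) is None
            and root.find("saml:Assertion/ds:Signature", NS) is None):
        problems.append("no ds:Signature on Response or Assertion")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        problems.append("no saml:Assertion")
        return problems
    audience = assertion.find(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)
    if audience is None or (audience.text or "").strip() != ENTITY_ID:
        problems.append(f"Audience must be the Entity ID {ENTITY_ID}")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        problems.append("NameID missing or empty")
    else:
        if name_id.get("Format") != PERSISTENT:
            problems.append("NameID Format must be persistent")
        if name_id.get("SPNameQualifier") != ENTITY_ID:
            problems.append(f"NameID SPNameQualifier must be {ENTITY_ID}")
    attrs = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        value = attr.find("saml:AttributeValue", NS)
        attrs[attr.get("Name")] = (value.text or "").strip() if value is not None else ""
    if "@" not in attrs.get("User.Email", ""):
        problems.append("required attribute User.Email missing or not an address")
    return problems


def sample_response(name_id_format=PERSISTENT, email="testuser@youremail.com"):
    """Constructed sample, not a real IdP capture; the Signature is a
    placeholder marking where the real XML-DSig block would sit."""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  xmlns:ds="{NS['ds']}" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xmlns:xs="http://www.w3.org/2001/XMLSchema"
  ID="_r1" Version="2.0" Destination="{ACS_URL}">
  <ds:Signature><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject>
      <saml:NameID Format="{name_id_format}" NameQualifier="{WORKSPACE}.slack.com"
        SPNameQualifier="{ENTITY_ID}">emp-00042</saml:NameID>
    </saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>{ENTITY_ID}</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="User.Email" NameFormat="{UNSPECIFIED}">
        <saml:AttributeValue xsi:type="xs:anyType">{email}</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="first_name" NameFormat="{UNSPECIFIED}">
        <saml:AttributeValue xsi:type="xs:anyType">Test</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


if __name__ == "__main__":
    print(check_response(sample_response()))  # []
    print(check_response(sample_response(
        name_id_format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
        email="")))
```

Running it against a real Response captured from your IdP's test run (after signature verification) is a quick way to see why a login attempt fails: a NameID in emailAddress rather than persistent format, or a missing User.Email attribute, shows up as a named problem instead of a generic error.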


Certificates

Public Certificate

Slack requires that the SAML response be signed, and you will need to paste a valid X.509 .pem certificate so that Slack can verify your identity provider's signature. This is different from your SSL certificate.

End-to-end encryption key 

If you require an end-to-end encryption key for your IDP, you can find a certificate by clicking the Advanced Options button located in your workspace's SSO settings. You can then check the Sign AuthnRequest preference to reveal Slack's public encryption key. 


Note: If you'd like to connect your Active Directory Federation Services (ADFS) instance, read ADFS single sign-on for details.

Who can use this feature?
  • Only Workspace Owners can access this feature. 
  • Available to workspaces on the Plus plan and Slack Enterprise Grid.
