Custom SAML single sign-on

If your preferred identity provider doesn't have a connector with Slack, you can use a custom SAML connection.

Note: We're happy to help troubleshoot your setup, but we can't always guarantee your connection will work with Slack. Send us a note and we'll do what we can!


Follow these parameters to configure your custom SAML connection. 


  • Slack supports Identity Provider (IDP) Initiated Flow, Service Provider (SP) Initiated flow, Just In Time provisioning, and automatic provisioning through our SCIM API
  • For SP-Initiated single sign-on, go to

SSO post-back up URL

    (Also known as the Assertion Consumer Service URL)

Entity ID


SAML Logout Endpoint



  • Slack supports HTTP POST binding, not HTTP REDIRECT. You must configure HTTP POST bindings in the IDP metadata.
  • Your IDP must ensure a user is both authenticated and authorized before sending an assertion. If a user isn't authorized, assertions should not be sent. We recommend your identity provider redirects people to an HTTP 403 page or something similar.

Settings to include

NameID (Required)

<saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" NameQualifier="" SPNameQualifier="">Your Unique Identifier</saml:NameID>

Note: To meet SAML specifications, the NameID must be unique, pseudo-random, and will not change for the user over time — like an employee ID number. 

Email Attribute (Required)

 <saml:Attribute Name="User.Email"
<saml:AttributeValue xsi:type="xs:anyType">

Username Attribute (Optional)

 <saml:Attribute Name="User.Username"
<saml:AttributeValue xsi:type="xs:anyType">UserName

First Name Attribute (Optional)

<saml:Attribute Name="first_name"
<saml:AttributeValue xsi:type="xs:anyType">FirstName

Last Name Attribute (Optional)

  <saml:Attribute Name="last_name"
<saml:AttributeValue xsi:type="xs:anyType">LastName


Public Certificate

Slack requires that the SAML response is signed, and you will need to paste a valid X.509 .pem Certificate to verify your identity. This is different from your SSL certificate.  

End-to-end encryption key 

If you require an end-to-end encryption key for your IDP, you can find a certificate by clicking the Advanced Options button located in your workspace's SSO settings. You can then check the Sign AuthnRequest preference to reveal Slack's public encryption key. 

Note: If you'd like to connect your Active Directory Federation Services (ADFS) instance, read ADFS single sign-on for details.

Who can use this feature?
  • Only Workspace Owners can access this feature. 
  • Available to workspaces on the Plus plan and Slack Enterprise Grid.

Related Articles

Recently Viewed Articles