Guide to single sign-on with Slack
If single sign-on is enabled for your team, you can configure things like username, email address, and user permission settings.
SSO settings for your team
To make changes to your team’s authentication settings:
- Click your team name to open the Team Menu.
- Select Team Settings. This will open your team site.
- Click the Authentication tab, and press the green Change Settings button.
- You may be asked to authenticate via your identity provider.
- Next, click on the expand button to view your options.
What Slack's SSO settings do
User profile sync
Selecting the option to Enable identity provider user profile syncing brings user attributes stored in your identity provider into Slack.
Attributes for first and last name, email address, and username will automatically sync and update a member’s profile fields when they log into Slack.
Some Team Owners may want to give their members the option of changing their email address to something other than the whitelisted domain that they used to create their account.
By default, usernames will come from your identity provider for each user. If you want to let members choose their own username, check the box next to Allow users to choose their own username.
On the Team Settings page you can include your own username guidelines, if you’d like.
User permission settings
You can change whether single sign-on is required, depending on your authentication preferences. You can choose:
- All team members
- All team members, except guest accounts
- It’s optional
Tip: Requiring All team members, except guest accounts to authenticate through your identity provider is the most common preference for teams with single sign-on enabled.
Keep in mind: Binding emails are only sent to team members when SSO is configured to "All team members" or "All team members, except guest accounts".
Additional team settings with SSO enabled
Session duration gives you the ability to force your members to log back in to Slack after a certain amount of time when using the desktop app or Slack on a web browser.
By default, Slack lets members stay logged in (infinite sessions), but you can choose to require users to log back in either every time they close the app or after a specific number of hours that you choose.
Team-wide two-factor authentication
Slack’s built-in two-factor authentication (2FA) settings are intended for teams who aren’t using single sign-on. 2FA won’t work for team members that are bound by SSO, but it’s a great added layer of security for Guests on your team that aren’t connected to your identity provider.
Have a look at the Team-wide two-factor authentication article for more.
Forced session reset and SSO binding
With single sign-on enabled, you can initiate a session reset and send an SSO binding email so your members are forced to log back in to Slack.
Jump to Forcing a single sign-on session reset for more on this setting.
Forced password reset
Slack does not store your team members' passwords, since they’re required to log in using single sign-on. We do give Team Owners a backup password in case they’re unable to log in through the identity provider.
Initiate a password reset for all Team Owners if you’d like to instantly end their active sessions. To sign back in to Slack and reset their password, the member must be able to receive the email with the reset link.
Visit the Team-wide password reset article, if you’re interested.
Have you undergone a company rebrand, or perhaps been acquired by a larger organization? Pressing the green Switch Domains button will prompt you to choose another Google account. All team members will be sent a binding email to link their accounts.
- Team Owners can access this feature.
- Available to teams on the Standard and Plus plans.