Guide to single sign-on with Slack
If single sign-on is enabled for your workspace, you can configure things like display name, email address, and user permission settings.
SSO settings for your workspace
To make changes to your workspace's authentication settings:
- Click your workspace name in the top left to open the menu.
- Select Workspace Settings. This will open your workspace site.
- Click the Authentication tab, and press the green Change Settings button.
- You may be asked to authenticate via your identity provider.
- Next, click on the expand button to view your options.
What Slack's SSO settings do
User profile sync
Selecting the option Update profile each time a user logs in makes it easy to bring information about your users, attributes stored in your identify provider, into Slack.
Attributes for full name, email address, and display name will automatically sync and update a member’s profile fields when they log into Slack.
Some Workspace Owners may want to give their members the option of changing their email address to something other than the whitelisted domain that they used to create their account with.
By default, display names will come from your identity provider for each user. If you want to let members choose their own display name, check the box next to Allow users to choose their own display name.
On the Workspace Settings page, you can include your own display name guidelines if you’d like.
User permission settings
You can change whether single sign-on is required, depending on your authentication preferences. You can choose:
- All members
- All members, except guest accounts
- It’s optional
Tip: Selecting the option to have All members, except guest accounts required to authenticate through your identity provider is the most common preference for workspaces with single sign-on enabled.
Keep in mind: Binding emails are only sent to members when SSO is configured to "All members" or "All members, except guest accounts".
Additional workspace settings with SSO enabled
Session duration gives you the ability to force your members to log back in to Slack after a certain amount of time when using the desktop app or Slack on a web browser.
By default, Slack lets members stay logged in (infinite sessions), but you can choose to require users to log back in either every time they close the app or after a specific number of hours that you choose.
Workspace-wide two-factor authentication
Slack’s built-in two-factor authentication (2FA) settings are intended for who aren’t using single sign-on. 2FA won’t work for members that are bound by SSO, but it’s a great added layer of security for Guests on your workspace that aren’t connected to your identity provider.
Have a look at the Mandatory workspace two-factor authentication article for more.
Forced session reset and SSO binding
With single sign-on enabled, you can initiate a session reset and send an SSO binding email so your members are forced to log back in to Slack.
Jump to Forcing a single sign-on session reset for more on this setting.
Forced password reset
Slack does not store your members' passwords, since they’re required to log in using single sign-on. We do give Workspace Owners a backup password in case they’re unable to log in through the identity provider.
Initiate a password reset for all Workspace Owners if you’d like to instantly end their active sessions. To sign back in to Slack and reset their password, the member must be able to receive the email with the reset link.
Visit the Workspace-wide password reset article, if you’re interested.
Have you undergone a company rebrand, or perhaps been acquired by a larger organization? Pressing the green Switch Domains button will prompt you to choose another Google account. All members will be sent a binding email to link their accounts.
- Workspace Owners can access this feature.
- Available to workspaces on the Standard and Plus plans.