ADFS single sign-on

You can integrate your Active Directory Federation Services (ADFS) instance to help manage seamless single sign-on for your members.

Note: ADFS does not currently support automatic deprovisioning through our SCIM API. When members are deprovisioned in your IDP, don't forget to deactivate the member in Slack.


Step 1 — Set up ADFS for Slack

Creating a new relying party trust

  1. Sign in to the server where ADFS is installed. If you need help deploying ADFS, check out this guide.
  2. Open the ADFS management console and select Trust Relationships, then Relying Party Trusts in the left console tree.
  3. Click Add Relying Party Trust from the Actions menu on the right.
  4. In the Select Data Source step, toggle the option Enter data about the relying party manually.
  5. Next, specify the display name for your application in the Specify Display Name tab. We suggest calling it something like Company name - Slack. Add any optional notes you may need.
  6. In the Choose Profile tab, select ADFS Profile.
  7. On the Configure Certificate tab, leave the certificate settings at their defaults.
  8. In the Configure URL tab, select the box Enable Support for the SAML 2.0 WebSSO protocol and enter the SAML service endpoint:
    • Plus plan: https://yourdomain.slack.com/sso/saml
    • Enterprise Grid: https://yourdomain.enterprise.slack.com/sso/saml
  9. In the Configure Identifiers tab, enter https://slack.com and click Add. Note: If you choose to specify a unique workspace URL (https://[workspacename].slack.com), ensure you input the same value into the Service Provider Issuer field in Slack.
  10. Add optional multi-factor authentication.
  11. Select Permit all users to access this relying party, then click Next and review your settings.
  12. Ensure you’ve toggled Open the Edit Claim Rules dialog for this relying party trust when the wizard closes and select Close.
  13. Next, you'll create rules, or assertion claims, for your relying party trust — in this case, your Slack workspace or Enterprise Grid. Slack only receives the outgoing claim type attributes and values, so the list of attributes might look different. Keep in mind, you will need two claims: one for Slack Attributes and one for NameID.
  14. Click Add Rule.
  15. Create a rule to send LDAP attributes as claims. Only the outgoing claim type User.Email is required, but you may want to include first_name, last_name, and User.Username. Remember, outgoing claim types are case sensitive.

    Note: The value sent for User.Username will correspond to a user's username. Ensure this value is unique for each user and will not be re-used.
  16. Next, create another rule to transform an incoming claim.
  17. Open the required NameID claim rule, and change the outgoing name ID format to Persistent Identifier. Then, click OK to save.

Note: If you opt to sign the AuthnRequest in Slack, you’ll need to upload the generated Slack certificate to the Signature tab in ADFS. You’ll also need to ensure that you’ve selected the secure hash algorithm SHA-1 in the Advanced tab.


Step 2 — Integrate Slack with your IDP

Plus plan

Next, add ADFS details to your Slack workspace's authentication settings:

  1. From your desktop, click your workspace name in the top left.
  2. Select Administration, then Workspace settings from the menu.
  3. Click Authentication, then click Configure next to SAML authentication (OneLogin, Okta, or your custom SAML 2.0 solution).
  4. Enter your SAML 2.0 Endpoint URL (SAML 2.0/W-Federation URL endpoint). The default installation is /adfs/ls/.
  5. Enter your Identity Provider Issuer.
  6. In the Public Certificate field, copy and paste your entire x.509 Certificate.
  7. To set up more than one relying party trust with Slack, expand the Advanced Options menu.
  8. Beside AuthnContextClass Ref, choose PasswordProtectedTransport and windows (use with ADFS for internal/external authentication). Then, enter your unique Service Provider Issuer. This should match your Relying Party Identifier in ADFS.
  9. Click Save.

Slack Enterprise Grid

Next, you'll need to add ADFS details to your Enterprise Grid organization's authentication settings:

  1. From your desktop, click your workspace name in the top left.
  2. Select Administration, then Organization settings from the menu.
  3. Visit the Security page of the Admin Dashboard.
  4. Under Authentication, enter your SAML 2.0 Endpoint URL (SAML 2.0/W-Federation URL endpoint). The default installation is /adfs/ls/.
  5. Enter your Identity Provider Issuer.
  6. In the Public Certificate field, copy and paste your entire x.509 Certificate.
  7. You can set up more than one relying party trust with Slack. Under AuthnContextClass Ref, choose PasswordProtectedTransport and windows (use with ADFS for internal/external authentication).
  8. Enter your unique Service Provider Issuer. This should match your Relying Party Identifier in ADFS.
  9. Click Save Changes.
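Reading the endpoint URL, Identity Provider Issuer and public certificate that both Step 2 procedures ask for straight from the ADFS server, as an added example that is not Slack's or Microsoft's own code. It assumes it is run on the ADFS server and that the primary token-signing certificate is the one Slack should trust.

```powershell
# Added example (not Slack's or Microsoft's code): collect the values Step 2 needs.
Import-Module ADFS

function Get-SlackIdpSettings {
    $props   = Get-AdfsProperties
    $signing = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }
    $cert    = $signing.Certificate

    # Slack validates assertion signatures against the pasted certificate, so an expired
    # or rolled-over token-signing certificate silently breaks every login.
    if ($cert.NotAfter -lt (Get-Date)) {
        throw "Primary token-signing certificate expired on $($cert.NotAfter)"
    }
    if ($props.AutoCertificateRollover) {
        Write-Warning "AutoCertificateRollover is on: re-paste the certificate into Slack after each rollover."
    }

    # Step 6 wants the whole x.509 certificate; export the public part as PEM.
    $der = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
    $b64 = [Convert]::ToBase64String($der, [System.Base64FormattingOptions]::InsertLineBreaks)
    $pem = "-----BEGIN CERTIFICATE-----`n$b64`n-----END CERTIFICATE-----"

    [pscustomobject]@{
        'SAML 2.0 Endpoint URL'    = "https://$($props.HostName)/adfs/ls/"   # step 4
        'Identity Provider Issuer' = $props.Identifier                       # step 5
        'Certificate thumbprint'   = $cert.Thumbprint                        # compare with what Slack displays after saving
        'Public Certificate'       = $pem                                    # step 6
    }
}

Get-SlackIdpSettings | Format-List
```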

Note: While we are happy to help troubleshoot during setup, we may not always be able to guarantee that your connection will work perfectly with Slack. Send us a note and we’ll see if we can help.

Who can use this feature?
  • Workspace Owners and Admins
  • Plus and Enterprise Grid
