ADFS single sign-on

You can integrate your Active Directory Federation Services (ADFS) instance to help manage seamless single sign-on for your team members.


Step 1 — Set up ADFS for Slack

Let's get started: 

  1. Open the ADFS management console, then click the Identifiers tab.
  2. Enter your Display name. Most put their Slack team name here.
  3. Enter your Relying party identifier. For teams that want to add Slack, enter https://slack.com/. You can customize this field, if you need to, but you’ll also need to update the Identity Provider Issuer field. To find it, go to Settings & Permissions, click the Authentication tab, then click Configure next to SAML authentication.
  4. Click Add, then OK to proceed. 

  5. Click to the Endpoints tab. To create an endpoint to your consumer assertion URL, choose the SAML Assertion Consumer option found in the Endpoint type menu. Under URL, enter the value https://teamname.slack.com/sso/saml. Don’t forget to replace “teamname” in the URL above with your Slack team’s subdomain. Click OK to save.

  6. Next, you'll create rules, or assertion claims, for your relying party trust — in this case, your Slack team. Slack only receives the outgoing claim type attributes and values, so the list of attributes might look different. Keep in mind, you will need two claims: one for Slack Attributes and one for NameID.
  7. Click Add Rule. Only the outgoing claim type User.Email is required. Create a rule to send LDAP attributes as claims. Remember, outgoing claim types are case sensitive. 

  8. Next, create another rule to transform an incoming claim.

    Open the required NameID claim rule, and change the outgoing name ID format to Persistent Identifier. Then, click OK to save. 

 

Step 2 — Integrate Slack with your IDP

Next, add ADFS details to your Slack team’s authentication settings. Here’s how:

  1. Click your team name to open the Team Menu.
  2. Select Team settings. This will open your team site.
  3. Click Authentication, then click Configure next to SAML authentication (OneLogin, Okta, or your custom SAML 2.0 solution).
  4. Enter your SAML 2.0 Endpoint (HTTP).

  5. In the Public Certificate field, copy and paste your entire x.509 Certificate. 
  6. To set up more than one relying party trust with Slack, expand the Advanced Options menu. Beside AuthnContextClass Ref, choose PasswordProtectedTransfport and windows (use with ADFS for internal/external authentication). Then, enter your unique Service Provider Issuer.
    Screen_Shot_2017-03-28_at_4.33.51_PM.png

Note: While we are happy to help troubleshoot during setup, we may not always be able to guarantee that your connection will work perfectly with Slack. Send us a note and we’ll see if we can help.

Warning: ADFS does not currently support automatic deprovisioning through our SCIM API. When members are deprovisioned in your IDP, don't forget to deactivate the member in Slack.

Who can use this feature?
  • Team Owners and Admins can access this feature. 
  • Available to teams on the Plus plan and Slack Enterprise Grid.

Related Articles

Recently Viewed Articles