Change your single sign-on provider

Want to change your single sign-on (SSO) provider? This guide will help you make a seamless transition. Keep in mind that you'll need to set aside some time in order to complete the process in one go.


Change your SSO provider

Plus plan

Step 1: Remove SSO configuration

  1. From your desktop, click your workspace name in the top left.
  2. Select Administration, then Workspace settings from the menu.
  3. Click the Authentication tab.
  4. Select Turn off SSO.
  5. Click Turn Off and choose whether or not to send an email to your team to let them know SSO has been turned off. 

Step 2: Set up your new SSO configuration 

  1. From your desktop, click your workspace name in the top left.
  2. Select Administration, then Workspace settings from the menu.
  3. Click the Authentication tab.
  4. Select Configure next to SAML authentication.
  5. Next to SAML SSO URL, enter your SAML 2.0 Endpoint URL (HTTP). (This came from setting up your connector. If Okta is your Identity Provider (IDP), you can include the IDP URL if you'd like.)
  6. Enter your IDP Entity ID next to Identity Provider Issuer.
  7. Copy the entire X.509 Certificate from your identity provider and paste it into the Public Certificate field.
  8. Click Expand next to Advanced Options. Choose how the SAML response from your IDP is signed. If you need an end-to-end encryption key, check the box next to Sign AuthnRequest to show the certificate.
  9. Under Settings, decide if members can edit their profile information (like their email or display name) after SSO is enabled. You can also choose whether SSO is required, partially required* or optional.
  10. Under Customize, enter a Sign In Button Label.
  11. Select Save Configuration to finish.

*If you have guest accounts, we recommend choosing the option where SSO is partially required, so guests can still sign in to the workspaces they have access to.

Note: Once finished, members will receive an email asking them to connect their existing Slack account with their profile in your updated IDP.

Enterprise Grid plan

  1. From your desktop, click your workspace name in the top left.
  2. Select Administration, then Organization settings from the menu.
  3. Click Security in the left-hand column, then SSO Configuration.
  4. Select Change Configuration in the top right.
  5. Replace the SAML 2.0 Endpoint URL with the new value provided by your Identity Provider when you set up the connector.
  6. Replace your Identity Provider Issuer URL.
  7. Replace the Service Provider Issuer URL if this has been set in your IDP. This value is set to https://slack.com by default.
  8. Copy the entire X.509 Certificate from your identity provider and paste it into the Public Certificate field.
  9. Select whether the SAML responses and assertions are signed. You can also change your preference for AuthnContextClassRef values.
  10. Click Test Configuration. We'll let you know if the changes are successful or whether you need to make further changes.
  11. When you're ready, click Confirm Update.
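
Both procedures above ask for the same three values from the new identity provider: the SAML 2.0 endpoint URL, the Identity Provider Issuer and the public certificate. The following added example (not Slack's code) pulls them from the IdP's SAML 2.0 metadata XML so they can be checked before being pasted in; it assumes your IdP publishes such metadata, and the function name idp_values and the idp.example.com values are hypothetical.

```python
import base64
import textwrap
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def idp_values(metadata_xml):
    """Return issuer, SSO endpoints and signing certificate (PEM) from IdP metadata."""
    # Parse only metadata downloaded from your own IdP over HTTPS; for XML of
    # unknown origin use a hardened parser such as defusedxml instead.
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("not single-entity IdP metadata (no IDPSSODescriptor)")
    endpoints = {e.get("Binding").rsplit(":", 1)[-1]: e.get("Location")
                 for e in idp.findall("md:SingleSignOnService", NS)}
    if any(not url.startswith("https://") for url in endpoints.values()):
        raise ValueError("SSO endpoint is not HTTPS: %r" % endpoints)
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):      # no 'use' attribute = any purpose
            node = kd.find(".//ds:X509Certificate", NS)
            if node is not None and node.text:
                b64 = "".join(node.text.split())      # strip line breaks and indent
                base64.b64decode(b64, validate=True)  # raises on malformed base64
                certs.append(b64)
    if len(certs) != 1:   # two certs usually means a key rollover: pick one by hand
        raise ValueError("expected one signing certificate, found %d" % len(certs))
    pem = "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % (
        "\n".join(textwrap.wrap(certs[0], 64)))
    return {"issuer": root.get("entityID"), "sso_urls": endpoints, "certificate": pem}

# Constructed sample: hypothetical IdP, placeholder bytes instead of a real certificate.
FAKE_CERT = base64.b64encode(b"constructed placeholder, not a real certificate").decode()
SAMPLE = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.com/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>%s</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Location="https://idp.example.com/sso"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>""" % FAKE_CERT

if __name__ == "__main__":
    for field, value in idp_values(SAMPLE).items():
        print(field, "->", value)
```

The check rejects a non-HTTPS endpoint and stops when the metadata carries more than one signing certificate, so the certificate to paste is chosen deliberately.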


Tips for changing over 

Here are a few things to keep in mind to ensure the change goes smoothly:

  • Plan ahead: Make sure the email addresses in Slack match the primary email addresses in your identity provider. 
  • Communicate the change: Use your #general channel to make an announcement and let members know what to expect.
  • Reconnect members: After the change is done, ask members to click the SSO binding email within 72 hours. Admins can resend binding emails from the Members page.

Tip: You may need to whitelist the slack.com domain so emails don’t get caught in your spam or junk mail folders. 

 Who can use this feature?

  • Only Workspace Owners/Admins and Org Owners/Admins can access this feature.
  • Available on the Plus plan and Slack Enterprise Grid.
