SAML single sign-on
SAML-based single sign-on (SSO) gives members access to Slack through an identity provider (IDP) of your choice.
Note: If you're having trouble setting up SAML single sign-on, see our Troubleshoot SAML authorization errors article.
Tip: Workspace Owners (Business+) and Org Owners (Enterprise Grid) can bypass SSO authentication to sign in with an email address and password. This guarantees access to your workspace or org, even if your IDP is having issues.
Step 1: Configure your identity provider
To get started, you’ll need to set up a connection (or connector) for Slack with your IDP. Many providers we work with have created help pages for enabling SAML with Slack:
Note: We also offer guides to help you set up custom SAML single sign-on, Google Workspace single sign-on, or ADFS single sign-on.
Step 2: Set up SAML SSO for Slack
Business+ plan
Enterprise Grid plan
Once you’ve configured your identity provider (IDP), a Workspace Owner can enable SSO.
- From your desktop, click your workspace name in the top left.
- Select Settings & administration from the menu, then click Workspace settings.
- Click the Authentication tab.
- Next to SAML authentication, click Configure.
- In the top right, toggle Test mode on.
- Next to SAML SSO URL, enter your SAML 2.0 Endpoint URL(HTTP). (This came from setting up your connector. If Okta is your IDP, you can include the IDP URL instead if you’d like.)
- Next to Identity Provider Issuer, enter your IDP Entity ID.
- Copy the entire x.509 Certificate from your identity provider and paste it into the Public Certificate field.
- Next to Advanced Options, click Expand. Choose how the SAML response from your IDP is signed. If you need an end-to-end encryption key, check the box next to Sign AuthnRequest to show the certificate.
- Under Settings, decide if members can edit their profile information (like their email or display name) after SSO is enabled. You can also choose whether SSO is required, partially required* or optional.
- Under Customize, enter a Sign In Button Label.
- Select Save Configuration to finish.
*If you have guest accounts, we recommend choosing the option where SSO is partially required, so guests can still sign in using their email address and password.
Once you’ve configured your identity provider (IDP), an Org Owner can enable SSO for your Enterprise Grid organization:
- From your desktop, click your workspace name in the top left.
- Select Settings & administration from the menu, then click Organization settings.
- From the left sidebar, click Security.
- Click SSO Settings.
- Enter your SSO name.
- Enter your SAML 2.0 Endpoint URL (this came from setting up your connector earlier.) This is where authentication requests from Slack will be sent.
- Enter your Identity Provider Issuer URL (also known as the entity ID).
- The Service Provider Issuer URL is set to https://slack.com by default. This field should match what you've set in your IDP.
- Copy the entire x.509 Certificate from your identity provider.
- Choose whether the SAML responses and assertions are signed. If you require an end-to-end encryption key for your IDP, select the checkbox next to Sign AuthnRequest to show the certificate. You can also select your preference for AuthnContextClassRef values.
- Click Test Configuration. We'll let you know if the changes are successful or whether you need to make further changes.
- When you're ready, click Turn on SSO or Add SSO.
Tip: After setting up SSO, you can manage single sign-on settings and learn how to connect IDP groups to workspaces in your organization.
Add additional SSO configuration
If you like, you can add up to 11 additional SSO configurations to allow people to log into Slack from an identity provider of your choice.
- From your desktop, click your workspace name in the top left.
- Select Settings & administration from the menu, then click Organization settings.
- From the left sidebar, select Security.
- Click SSO Settings.
- Click Add SSO Configuration and follow the steps to set up SSO for Slack.
What to expect after SSO is enabled
Once you’ve set up SSO, members that are required to sign in with SSO will get an email. The email will prompt members to bind their Slack accounts with your IDP. Members will have 72 hours to bind their account before their link expires.
Any members already signed in when SSO is enabled will remain signed in. Going forward, all members will sign in to Slack with their IDP account. If you chose to require SSO, your members will see a sign in page before they can access your workspace.
Tip: To simplify member management, Slack supports the SCIM provisioning standard. Visit Manage members with SCIM provisioning to learn more.
- Workspace Owners and Org Owners
- Business+ and Enterprise Grid plans