Custom SAML single sign-on

If your preferred identity provider doesn't have a connector with Slack, you can use a custom SAML connection.

Note: We're happy to help with your setup, but we can't always guarantee your connection will work with Slack. Read our Troubleshoot SAML authorization errors article or send us a note and we'll do what we can!


Parameters

Follow these parameters to configure your custom SAML connection.

Provisioning

  • Slack supports Identity Provider (IDP) Initiated Flow, Service Provider (SP) Initiated flow, Just In Time provisioning, and automatic provisioning through our SCIM API.
  • For SP-Initiated single sign-on, go to https://yourdomain.slack.com.

SSO post-back up URL

  • https://yourdomain.slack.com/sso/saml
    (Also known as the Assertion Consumer Service URL)

Entity ID

  • https://slack.com

Note: Slack does not support Single Logout or session duration configured in your IDP. As an alternative, you can set up a session duration to limit how long your members stay signed into Slack.

Considerations

  • Slack supports HTTP POST binding, not HTTP REDIRECT. You must configure HTTP POST bindings in the IDP metadata.
  • Your IDP must ensure a user is both authenticated and authorized before sending an assertion. If a user isn't authorized, assertions should not be sent. We recommend your identity provider redirects people to an HTTP 403 page or something similar.


Settings to include

NameID (Required)

<saml:Subject>
<saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" NameQualifier="YOURDOMAIN.slack.com" SPNameQualifier="https://slack.com">Your Unique Identifier</saml:NameID>
</saml:Subject>

Note: To meet SAML specifications, the NameID must be unique, pseudo-random, and will not change for the user over time — like an employee ID number.

Email Attribute (Required)

 <saml:Attribute Name="User.Email"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
<saml:AttributeValue xsi:type="xs:anyType">testuser@youremail.com
</saml:AttributeValue>
</saml:Attribute>


Username Attribute (Optional)

 <saml:Attribute Name="User.Username"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
<saml:AttributeValue xsi:type="xs:anyType">UserName
</saml:AttributeValue>
</saml:Attribute>


First Name Attribute (Optional)

<saml:Attribute Name="first_name"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
<saml:AttributeValue xsi:type="xs:anyType">FirstName
</saml:AttributeValue>
</saml:Attribute>


Last Name Attribute (Optional)

  <saml:Attribute Name="last_name"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
<saml:AttributeValue xsi:type="xs:anyType">LastName
</saml:AttributeValue>
</saml:Attribute>


Certificates

Public Certificate

Slack requires that the SAML response is signed, and you will need to paste a valid X.509 .pem Certificate to verify your identity. This is different from your SSL certificate.

End-to-end encryption key 

If you require an end-to-end encryption key for your IDP, you can find a certificate by clicking the Advanced Options button located in your workspace's SSO settings. You can then check the Sign AuthnRequest preference to reveal Slack's public encryption key.

Note: If you'd like to connect your Active Directory Federation Services (ADFS) instance, read ADFS single sign-on for details.

Who can use this feature?
  • Only Workspace Owners can access this feature
  • Available on the Business+ and Enterprise Grid plans