1. Slack Help Centre
  2. Workspace administration
  3. Configure access & security
    4. Custom SAML single sign-on

Custom SAML single sign-on

If your preferred identity provider doesn't have a connector with Slack, you can use a custom SAML connection.

Note: We're happy to help with your setup, but we can't always guarantee your connection will work with Slack. Read our Troubleshoot SAML authorisation errors article, or send us a note, and we'll do what we can!


Parameters

Follow these parameters to configure your custom SAML connection.

Provisioning

  • Slack supports Identity Provider (IDP) Initiated Flow, Service Provider (SP) Initiated flow, Just In Time provisioning and automatic provisioning through our SCIM API.
  • For SP-Initiated single sign-on, go to https://yourdomain.slack.com.

SSO post-back up URL

  • https://yourdomain.slack.com/sso/saml
    (Also known as the Assertion Consumer Service URL)

Entity ID

  • https://slack.com

Note: Slack does not support Single Logout or session duration configured in your IDP. As an alternative, you can set up a session duration to limit how long your members stay signed into Slack.

Considerations

  • Slack supports HTTP POST binding, not HTTP REDIRECT. You must configure HTTP POST bindings in the IDP metadata.
  • Your IDP must ensure a user is both authenticated and authorised before sending an assertion. If a user isn't authorised, assertions should not be sent. We recommend your identity provider redirects people to an HTTP 403 page or something similar.


Settings to include

NameID (Required)


 Your Unique Identifier

Note: To meet SAML specifications, the NameID must be unique, pseudo-random, and will not change for the user over time – like an employee ID number.

Email Attribute (Required)

  NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
 testuser@youremail.com


Username Attribute (Optional)

  NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
 UserName


First Name Attribute (Optional)

 NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
 FirstName


Last Name Attribute (Optional)

   NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
 LastName


Certificates

Public Certificate

Slack requires that the SAML response is signed, and you will need to paste a valid X.509 .pem Certificate to verify your identity. This is different from your SSL certificate.

End-to-end encryption key 

If you require an end-to-end encryption key for your IDP, you can find a certificate by clicking the Advanced Options button located in your workspace's SSO settings. You can then check the Sign AuthnRequest preference to reveal Slack's public encryption key.

Note: If you'd like to connect your Active Directory Federation Services (ADFS) instance, read ADFS single sign-on for details.

Who can use this feature?
  • Only Workspace Owners can access this feature
  • Available on the Business+ and Enterprise Grid subscriptions

Nice one!

Thanks a lot for your feedback!

If you’d like a member of our support team to respond to you, please send a message to feedback@slack.com.

Was this article helpful?Yes, thanks!Not really
Sorry about that. What did you find most unhelpful?
0/600
Submit article feedback

If you’d like a member of our support team to respond to you, please send a message to feedback@slack.com.

Whoops! We’re having some problems. Please try again later.