SAML single sign-on

SAML-based single sign-on (SSO) gives members access to Slack through an identity provider (IdP) of your choice.

Note: if you're having trouble setting up SAML single sign-on, see our Troubleshoot SAML authorisation errors article.


Step 1: configure your identity provider

To get started, you’ll need to set up a connection (or connector) for Slack with your IdP. Many providers we work with have created help pages for enabling SAML with Slack:

Note: we also offer guides to help you set up custom SAML single sign-on, G Suite single sign-on, or ADFS single sign-on.


Step 2: set up SAML SSO for Slack

Plus subscription

Enterprise Grid subscription

Now that you’ve configured your identity provider (IdP), a Workspace Owner can enable the SSO feature in Slack.

  1. From your desktop, click your workspace name in the top left.
  2. Select Administration, then Workspace settings from the menu.
  3. Click the Authentication tab.
  4. Click Configure next to SAML authentication.
  5. In the top right, toggle Test mode on.
  6. Next to SAML SSO URL, enter your SAML 2.0 Endpoint URL (HTTP). (This came from setting up your connector. If Okta is your IdP, you can include the IdP URL instead if you’d like.)
  7. Enter your IdP entity ID next to Identity provider issuer.
  8. Copy the entire X.509 certificate from your identity provider and paste it into the Public certificate field.
  9. Click Expand next to Advanced options. Choose how the SAML response from your IdP is signed. If you need an end-to-end encryption key, tick the box next to Sign AuthnRequest to show the certificate.
  10. Under Settings, decide whether members can edit their profile information (such as their email address or display name) after SSO is enabled. You can also choose whether SSO is required, partially required* or optional.
  11. Under Customise, enter a Sign-in button label.
  12. Select Save configuration to finish.

*If you have guest accounts, we recommend choosing the option where SSO is partially required, so guests can still sign in using their email address and password.

Tip: learn more about single sign-on settings.

Now that you’ve configured your identity provider (IdP), an Org Owner can enable the SSO feature on your Enterprise Grid organisation:

  1. From your desktop, click your workspace name in the top left.
  2. Select Administration, then Organisation settings from the menu.
  3. Click Security in the left-hand column.
  4. In the SSO configuration section, click Configure SSO.
  5. Enter your SAML 2.0 endpoint URL (this came from setting up your connector earlier). This is where authentication requests from Slack will be sent.
  6. Enter your Identity provider issuer URL (also known as the entity ID). 
  7. The service provider issuer URL is set to https://slack.com by default. This field should match what you’ve set in your IdP.
  8. Copy the entire X.509 certificate from your identity provider.
  9. Choose whether the SAML responses and assertions are signed. If you require an end-to-end encryption key for your IdP, select the tick box next to Sign AuthnRequest to show the certificate. You can also select your preference for AuthnContextClassRef values.
  10. Click Test Configuration. We'll let you know if the changes are successful or whether you need to make further changes.
  11. When you're ready, click Turn on SSO.

Tip: now that you’ve set up SSO, learn how to connect IdP groups to workspaces in your organisation.


What to expect after SSO is enabled

Once you’ve set up SSO, each member of your workspace or org will get an email. The email will prompt members to connect, or bind, their Slack accounts with your IdP. Members will have 72 hours to bind their account before their link expires.

Going forward, all members will sign in to Slack with their IdP account. If you chose to require SSO, your members will see a sign-in page before they can access your workspace.

Tip: to simplify member management, Slack supports the SCIM provisioning standard. Visit Manage members with SCIM provisioning to learn more.

Who can use this feature?
  • Workspace Owners and Org Owners
  • Plus and Enterprise Grid