Custom SAML single sign-on

If your preferred identity provider doesn’t have a connector with Slack, you can use a custom SAML connection.

Note: we're happy to help with your setup, but we can't always guarantee your connection will work with Slack. Read our Troubleshoot SAML authorisation errors article or send us a note and we'll do what we can!


Parameters

Follow these parameters to configure your custom SAML connection.

Provisioning

  • Slack supports Identity Provider (IdP) initiated flow, Service Provider (SP) initiated flow, Just-In-Time (JIT) provisioning and automatic provisioning through our SCIM API.
  • For SP-initiated single sign-on, go to https://yourdomain.slack.com.

SSO post-back URL

  • https://yourdomain.slack.com/sso/saml
    (Also known as the Assertion Consumer Service URL)

Entity ID

  • https://slack.com

SAML logout endpoint

  • https://yourdomain.slack.com/sso/saml/logout

Bear in mind: Slack does not support single logout or session duration configured in your IdP.

Considerations

  • Slack supports HTTP POST binding, not HTTP REDIRECT. You must configure HTTP POST bindings in the IdP metadata.
  • Your IdP must ensure that a user is both authenticated and authorised before sending an assertion. If a user isn't authorised, no assertion should be sent at all; we recommend that your identity provider redirect such users to an HTTP 403 page or something similar instead.


Settings to include

NameID (required)

  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
                 NameQualifier="YOURDOMAIN.slack.com"
                 SPNameQualifier="https://slack.com">Your Unique Identifier</saml:NameID>
  </saml:Subject>

Note: to meet the SAML specification, the NameID must be unique, opaque (pseudo-random) and persistent: it must not change for the user over time. A stable value such as an employee ID number is a good choice; an email address is not, because email addresses can change.

Email attribute (required)

  <saml:Attribute Name="User.Email"
                  NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <saml:AttributeValue xsi:type="xs:anyType">testuser@youremail.com</saml:AttributeValue>
  </saml:Attribute>


Username attribute (optional)

  <saml:Attribute Name="User.Username"
                  NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <saml:AttributeValue xsi:type="xs:anyType">UserName</saml:AttributeValue>
  </saml:Attribute>


First name attribute (optional)

  <saml:Attribute Name="first_name"
                  NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <saml:AttributeValue xsi:type="xs:anyType">FirstName</saml:AttributeValue>
  </saml:Attribute>


Last name attribute (optional)

  <saml:Attribute Name="last_name"
                  NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <saml:AttributeValue xsi:type="xs:anyType">LastName</saml:AttributeValue>
  </saml:Attribute>


Certificates

Public certificate

Slack requires that the SAML response is signed, so you will need to paste the PEM-encoded X.509 certificate your IdP signs with; Slack uses it to verify the signature on each response. This is the IdP's signing certificate, not your SSL/TLS certificate.
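Before pointing a new IdP at a production workspace, it is worth checking what the IdP actually emits against the parameters above (post-back URL, entity ID, signed response, persistent NameID, required User.Email attribute). The following pre-flight checker is an added example, not Slack's code: it decodes a SAMLResponse form value as the IdP would POST it to /sso/saml and reports every mismatch. It assumes a workspace subdomain of "acme" and an IdP at idp.example.com, and the sample response is constructed for the example, not captured traffic. The signature check is structural only (is a ds:Signature element present?); cryptographic verification needs the IdP certificate and an XML-DSig library and is out of scope here.

```python
"""Pre-flight check of an IdP's SAML Response against the Slack parameters on
this page. Added example, not Slack's code; "acme" is an assumed workspace."""
import base64
from xml.etree import ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"


def expected_values(workspace):
    """ACS (post-back) URL and entity ID from the page, for a workspace subdomain."""
    return {"acs_url": f"https://{workspace}.slack.com/sso/saml",
            "entity_id": "https://slack.com"}


def check_saml_response(saml_response_b64, workspace):
    """Decode the SAMLResponse form field and return a list of findings.
    An empty list means every check passed. Signature presence is checked
    structurally only; cryptographic verification needs the IdP certificate."""
    findings = []
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    exp = expected_values(workspace)
    if root.tag != f"{{{NS['samlp']}}}Response":
        return ["root element is not samlp:Response"]
    # Destination must be the ACS URL the IdP POSTs to (HTTP POST binding).
    if root.get("Destination") != exp["acs_url"]:
        findings.append(f"Destination {root.get('Destination')!r} != {exp['acs_url']!r}")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return findings + ["no plaintext saml:Assertion found"]
    # Audience must match Slack's entity ID, not the workspace URL.
    audiences = [a.text for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if exp["entity_id"] not in audiences:
        findings.append(f"Audience {audiences} does not include {exp['entity_id']!r}")
    # Slack requires the response to be signed.
    if root.find("ds:Signature", NS) is None and assertion.find("ds:Signature", NS) is None:
        findings.append("no ds:Signature on Response or Assertion")
    # NameID: present, persistent format, and (this example's own check) not an
    # email address, since emails change and the NameID must not.
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        findings.append("missing NameID")
    else:
        if name_id.get("Format") != PERSISTENT:
            findings.append(f"NameID Format {name_id.get('Format')!r} is not persistent")
        if "@" in name_id.text:
            findings.append("NameID looks like an email address; use a stable opaque ID")
    # User.Email is the one required attribute; the others are optional.
    attrs = {a.get("Name"): [(v.text or "").strip() for v in a.findall("saml:AttributeValue", NS)]
             for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    if not attrs.get("User.Email") or not attrs["User.Email"][0]:
        findings.append("required attribute User.Email is missing or empty")
    return findings


# Constructed sample (not real traffic): what a correctly configured IdP would
# POST to https://acme.slack.com/sso/saml. The Signature element is a placeholder.
GOOD_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    ID="_r1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"
    Destination="https://acme.slack.com/sso/saml">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <ds:Signature><ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://idp.example.com</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
          NameQualifier="acme.slack.com" SPNameQualifier="https://slack.com">E10042</saml:NameID>
    </saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>https://slack.com</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="User.Email"><saml:AttributeValue>testuser@youremail.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="first_name"><saml:AttributeValue>Test</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
GOOD = base64.b64encode(GOOD_XML.encode()).decode()

# The same response with three mistakes this page warns about: email used as
# the NameID, the workspace URL used as the audience instead of the entity ID,
# and no signature at all.
BAD_XML = (GOOD_XML
           .replace(">E10042<", ">testuser@youremail.com<")
           .replace("<saml:Audience>https://slack.com<", "<saml:Audience>https://acme.slack.com<")
           .replace("<ds:Signature><ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>", ""))
BAD = base64.b64encode(BAD_XML.encode()).decode()

if __name__ == "__main__":
    print("good:", check_saml_response(GOOD, "acme"))   # []
    print("bad: ", check_saml_response(BAD, "acme"))    # three findings
```

To use it on a real login, capture the SAMLResponse form field from the browser's network tab (it is the base64 string the IdP POSTs to the post-back URL) and pass it with your workspace subdomain. Findings on Destination or Audience usually mean the ACS URL or entity ID was mistyped in the IdP; a missing signature or a changing NameID will surface as the authorisation errors the troubleshooting article describes.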

End-to-end encryption key

If your IdP requires Slack's public key (for example, to verify signed AuthnRequests), you can find the certificate by clicking the Advanced Options button in your workspace's SSO settings, then ticking the Sign AuthnRequest preference to reveal Slack's public key. This is Slack's certificate, not the IdP certificate you paste under Public certificate above.

Note: If you want to connect your Active Directory Federation Services (ADFS) instance, read ADFS single sign-on for details.

Who can use this feature?
  • Only Workspace Owners can access this feature.
  • Business+ and Enterprise Grid