SAML single sign-on
SAML-based single sign-on (SSO) gives members access to Slack through an identity provider (IDP) of your choice.
Note: If you're having trouble setting up SAML single sign-on, see our Troubleshoot SAML authorisation errors article.
Tip: Workspace owners (Business+) and org owners (Enterprise Grid) can bypass SSO authentication to sign in with an email address and password. This guarantees access to your workspace or org, even if your IDP is having issues.
Step 1: Configure your identity provider
To get started, you’ll need to set up a connection (or connector) for Slack with your IDP. Many providers that we work with have created help pages for enabling SAML with Slack:
Note: We also offer guides to help you set up custom SAML single sign-on, Google Workspace single sign-on or ADFS single sign-on.
Step 2: Set up SAML SSO for Slack
Business+ subscription
Once you’ve configured your identity provider (IDP), a workspace owner can enable SSO.
- From your desktop, click on your workspace name at the top left.
- Select Settings & administration from the menu, then click Workspace settings.
- Click the Authentication tab.
- Next to SAML authentication, click Configure.
- In the top right, toggle Test mode on.
- Next to SAML SSO URL, enter your SAML 2.0 endpoint URL (HTTP). (This came from setting up your connector. If Okta is your IDP, you can include the IDP URL instead if you like.)
- Next to Identity provider issuer, enter your IDP entity ID.
- Copy the entire X.509 certificate from your identity provider and paste it into the Public certificate field.
- Next to Advanced options, click Expand. Choose how the SAML response from your IDP is signed. If you need an end-to-end encryption key, tick the box next to Sign AuthnRequest to show the certificate.
- Under Settings, decide if members can edit their profile information (like their email or display name) after SSO is enabled. You can also choose whether SSO is required, partially required* or optional.
- Under Customise, enter a Sign-in button label.
- Select Save configuration to finish.
*If you have guest accounts, we recommend choosing the option where SSO is partially required, so guests can still sign in using their email address and password.
Enterprise Grid subscription
Once you’ve configured your identity provider (IDP), an org owner can enable SSO for your Enterprise Grid organisation:
- From your desktop, click on your workspace name at the top left.
- Select Settings & administration from the menu, then click Organisation settings.
- From the left sidebar, click Security.
- Click SSO settings.
- Enter your SSO name.
- Enter your SAML 2.0 endpoint URL (this came from setting up your connector earlier). This is where authentication requests from Slack will be sent.
- Enter your Identity provider issuer URL (also known as the entity ID).
- The Service provider issuer URL is set to https://slack.com by default. This field should match what you've set in your IDP.
- Copy the entire X.509 certificate from your identity provider.
- Choose whether the SAML responses and assertions are signed. If you require an end-to-end encryption key for your IDP, tick the box next to Sign AuthnRequest to show the certificate. You can also select your preference for AuthnContextClassRef values.
- Click Test configuration. We'll let you know if the changes are successful or whether you need to make further changes.
- When you're ready, click Turn on SSO or Add SSO.
Tip: After setting up SSO, you can manage single sign-on settings and learn how to connect IDP groups to workspaces in your organisation.
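The setup steps above ask for three values from your IDP: the SAML 2.0 endpoint URL, the identity provider issuer (entity ID) and the signing certificate. The following is an added example, not code from Slack or from any IDP, that reads them out of an IDP metadata file, flags endpoints that are not HTTPS, and gives a SHA-256 fingerprint of the certificate to compare with the one your IDP console displays. The function name and the sample metadata are assumptions made for the example.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET  # parse only metadata from your own IDP

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
HTTP_BINDINGS = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-"

# Constructed sample: placeholder entity ID, URLs and certificate bytes.
FAKE_DER = b"constructed placeholder, not a real certificate"
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="{md}" xmlns:ds="{ds}"
    entityID="https://idp.example.com/saml/metadata">
 <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
   <ds:X509Certificate>{cert}</ds:X509Certificate>
  </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:SingleSignOnService Binding="{b}Redirect"
      Location="https://idp.example.com/saml/sso"/>
  <md:SingleSignOnService Binding="{b}POST"
      Location="http://idp.example.com/saml/sso-post"/>
 </md:IDPSSODescriptor>
</md:EntityDescriptor>""".format(
    cert=base64.b64encode(FAKE_DER).decode(), b=HTTP_BINDINGS, **NS)


def slack_sso_fields(metadata_xml):
    """Return the IDP values the SSO form asks for, plus warnings."""
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")
    endpoints, warnings = {}, []
    for sso in idp.findall("md:SingleSignOnService", NS):
        binding, url = sso.get("Binding", ""), sso.get("Location", "")
        if binding.startswith(HTTP_BINDINGS):
            endpoints[binding.rsplit(":", 1)[1]] = url  # e.g. "HTTP-Redirect"
            if not url.startswith("https://"):
                warnings.append("endpoint is not HTTPS: " + url)
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") == "signing":  # skip encryption-only keys
            for c in kd.iterfind(".//ds:X509Certificate", NS):
                der = base64.b64decode("".join((c.text or "").split()))
                certs.append(hashlib.sha256(der).hexdigest())
    if len(certs) != 1:  # the form has a single Public certificate field
        warnings.append("expected one signing certificate, found %d" % len(certs))
    return {"issuer": root.get("entityID"), "endpoints": endpoints,
            "cert_sha256": certs, "warnings": warnings}
```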
Add additional SSO configuration
If you’d like to, you can add up to 11 additional SSO configurations to allow people to log in to Slack from an identity provider of your choice.
- From your desktop, click on your workspace name at the top left.
- Select Settings & administration from the menu, then click Organisation settings.
- From the left sidebar, select Security.
- Click SSO settings.
- Click Add SSO configuration and follow the steps to set up SSO for Slack.
What to expect after SSO is enabled
Once you’ve set up SSO, members that are required to sign in with SSO will receive an email. The email will prompt members to bind their Slack accounts with your IDP. Members will have 72 hours to bind their account before their link expires.
Any members who are already signed in when SSO is enabled will remain signed in. Going forward, all members will sign in to Slack with their IDP account. If you chose to require SSO, your members will see a sign-in page before they can access your workspace.
Tip: To simplify member management, Slack supports the SCIM provisioning standard. Visit Manage members with SCIM provisioning to learn more.
- Workspace owners and org owners
- Business+ and Enterprise Grid subscriptions