Change your single sign-on provider
Want to change your single sign-on (SSO) provider? This guide will help you make a seamless transition. Keep in mind that you'll need to set aside some time in order to complete the process in one go.
Tip: Org owners on Enterprise subscriptions can add up to 11 additional SSO configurations to use SSO with multiple identity providers (IDPs).
Change your SSO provider
Free, Pro and Business+ subscriptions
Enterprise subscriptions
Step 1: Remove SSO configuration
- Click your workspace name in the sidebar.
- Hover over Tools & settings, then click Workspace settings.
- Under Administration in the left sidebar, click SSO & authentication.
- Click Disable SSO Config in the top-right corner of the page.
- Choose whether to send an email to your members to let them know SSO has been turned off, then click Disable SSO.
Anyone already logged in to Slack when you disable SSO will remain logged in.
Step 2: Set up your new SSO configuration
- Click your workspace name in the sidebar.
- Hover over Tools & settings, then click Workspace settings.
- Under Administration in the left sidebar, click SSO & authentication.
- Next to An identity provider or custom SAML, click Configure SAML.
- In the top right, toggle Test mode on.
- Next to SAML SSO URL, enter your SAML 2.0 endpoint URL (HTTP). (This came from setting up your connector earlier.) If Okta is your IDP, you can include the IDP URL instead if you like.
- Next to Identity Provider Issuer, enter your IDP Entity ID.
- Copy the entire X.509 certificate from your IDP and paste it into the Public Certificate field.
- Next to Advanced Options, click Expand. Choose how the SAML response from your IDP is signed. If you need an end-to-end encryption key, tick the box next to SignAuthnRequest to show the certificate.
- Below Settings, decide if members can edit their profile information (e.g., their email or display name) after SSO is enabled. You can also choose whether SSO is required, partially required or optional.
- Below Customise, enter a sign-in button label.
- Click Save Configuration to finish.
Members will receive an email asking them to connect their existing Slack account with their profile in your updated IDP. Members need to click the SSO binding email within 72 hours, but admins can re-send these emails from the Manage members page.
Enterprise subscriptions
- Click your organisation name in the sidebar.
- Hover over Tools & settings, then click Organisation settings.
- From the sidebar, click Security, then click SSO Settings.
- Next to your current IDP, click Edit Configuration.
- Replace the SAML 2.0 endpoint URL with the new value provided by your IDP when you set up the connector.
- Replace your Identity provider issuer URL.
- Replace the Service provider issuer URL if this has been set in your IDP. This value is set to https://slack.com by default.
- Copy the entire X.509 certificate from your identity provider and paste it into the Public certificate field.
- Choose whether the SAML responses and assertions are signed. You can also change your preference for AuthnContextClassRef values.
- Click Test configuration. We'll let you know if the changes are successful or whether you need to make further changes.
- When you’re ready, click Apply Changes.
Tip: If you have guests in your workspace or organisation, we recommend choosing the option where SSO is partially required so that they can still sign in with their email address and password.
Tips for changing over
Here are a few things to keep in mind to ensure that the change goes smoothly.
- Keep your password handy: If you don’t know your Slack password, request a password reset email so that you can sign in to your workspace when SSO is turned off or bypass SSO during sign-in. Owners and admins may be signed out and asked to configure two-factor authentication when SSO is turned off.
- Plan ahead: Make sure that the email addresses in Slack match the primary email addresses in your IDP.
- Communicate the change: Use the #general channel or another announcements channel to let members know what to expect.
- Check your provisioning settings: If you manage members with automatic provisioning, check that your provisioning settings are still valid.
Who can use this feature?
- Workspace owners and org owners
- Available on the Business+ and Enterprise subscriptions
- Available on the Free and Pro subscriptions if you’ve connected a Salesforce org to Slack