Change your single sign-on provider
Want to change your single sign-on (SSO) provider? This guide walks you through the switch. Set aside enough time to complete the process in one go: on Business+, SSO is turned off from the moment you remove the old configuration until you save the new one, so members sign in with passwords in between.
Tip: Org owners on Enterprise Grid can add up to 11 additional SSO configurations to use SSO with multiple identity providers.
Change your SSO provider
The steps depend on your subscription. On Business+, you turn SSO off and then set up the new configuration from scratch. On Enterprise Grid, you edit the existing configuration in place and test it before confirming, so SSO stays on throughout.
Business+ subscription
Step 1: Remove SSO configuration
- Click your workspace name in the sidebar.
- Hover over Tools & settings, then click Workspace settings.
- Click the Authentication tab.
- Select Turn off SSO.
- Click Turn off and choose whether or not to send an email to your team to let them know SSO has been turned off. Any members already logged in to Slack at the time will remain logged in.
Step 2: Set up your new SSO configuration
- Click your workspace name in the sidebar.
- Hover over Tools & settings, then click Workspace settings.
- Click the Authentication tab.
- Select Configure next to SAML authentication.
- Next to SAML SSO URL, enter your identity provider's SAML 2.0 endpoint URL (the HTTP endpoint from the connector you set up). If Okta is your identity provider (IdP), you can enter the IdP URL instead if you prefer.
- Enter your IdP entity ID next to Identity provider issuer.
- Copy the entire X.509 signing certificate from your identity provider and paste it into the Public certificate field.
- Click Expand next to Advanced options. Choose how the SAML response from your IdP is signed. If your IdP requires signed authentication requests, tick the box next to SignAuthnRequest to show the certificate that Slack signs them with.
- Under Settings, decide if members can edit their profile information (like their email or display name) after SSO is enabled. You can also choose whether SSO is required, partially required* or optional.
- Under Customise, enter a Sign-in button label.
- Select Save configuration to finish.
*If you have guest accounts, we recommend choosing the option where SSO is partially required, so guests can still sign in to the workspaces that they have access to.
Once you finish, members receive an email asking them to connect their existing Slack account with their profile in the new IdP. Members must click the link in the SSO binding email within 72 hours; admins can resend these emails from the Manage members page.
Enterprise Grid subscription
- Click your organisation name in the sidebar.
- Hover over Tools & settings, then click Organisation settings.
- Click Security in the left column, then SSO settings.
- Select Edit in the top right.
- Replace the SAML 2.0 endpoint URL with the new value provided by your identity provider when you set up the connector.
- Replace your Identity provider issuer URL.
- Replace the Service provider issuer URL if you set one in your IdP. This value is https://slack.com by default.
- Copy the entire X.509 signing certificate from your identity provider and paste it into the Public certificate field.
- Select whether the SAML responses and assertions are signed. You can also change your preference for AuthnContextClassRef values.
- Click Test configuration. We'll let you know if the changes are successful or whether you need to make further changes.
- Once you’re ready, click Confirm update.
Tips for changing over
Here are a few things to keep in mind to ensure that the change goes smoothly.
- Keep your password handy: If you don’t know your Slack password, request a password reset email so that you can sign in to your workspace when SSO is turned off or bypass SSO during sign-in. Owners and admins may be signed out and asked to configure two-factor authentication when SSO is turned off.
- Plan ahead: Make sure that the email addresses in Slack match the primary email addresses in your identity provider, so that each member's existing Slack account is bound to the correct profile in the new IdP.
- Communicate the change: Use your #general channel to make an announcement and let members know what to expect.
- Check your provisioning settings: If you manage members with automatic provisioning, check that your provisioning settings are still valid.
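Checking that Slack addresses line up with the new identity provider's primary addresses is easier to do with a script than by eye once the workspace has more than a few dozen members. The following is an added example, not Slack's code: it compares a constructed Slack member export against a constructed IdP address list and groups accounts by whether they will find a matching profile. Guest accounts, which normally have no IdP profile, are reported separately, since they are the reason the page recommends the partially required setting.

```python
"""Compare Slack member emails with the new IdP's primary emails (added example)."""

# Constructed Slack member export with placeholder addresses.
SLACK_MEMBERS = [
    {"email": "ada@example.com", "type": "member"},
    {"email": "Grace.Hopper@example.com", "type": "member"},
    {"email": "linus@example.com", "type": "member"},
    {"email": "contractor@partner.example", "type": "guest"},
]

# Constructed primary emails from the new identity provider.
IDP_PRIMARY_EMAILS = [
    "ada@example.com",
    "grace.hopper@example.com",
    "ltorvalds@example.com",  # known to the IdP under a different address
]


def normalise(email: str) -> str:
    """Compare addresses case-insensitively and ignore stray whitespace."""
    return email.strip().lower()


def audit_emails(slack_members, idp_emails) -> dict:
    """Group Slack accounts by whether they will match an IdP profile."""
    idp = {normalise(e): e for e in idp_emails}
    report = {"matched": [], "case_differs": [],
              "members_without_idp": [], "guests_without_idp": []}
    for m in slack_members:
        key = normalise(m["email"])
        if key in idp:
            report["matched"].append(m["email"])
            if idp[key] != m["email"]:
                # Same mailbox, different capitalisation: align it in the IdP
                # before the cutover rather than discover it at sign-in time.
                report["case_differs"].append((m["email"], idp[key]))
        elif m["type"] == "guest":
            # Guests are expected to be absent from the IdP; they can still
            # sign in only if SSO is partially required (or optional).
            report["guests_without_idp"].append(m["email"])
        else:
            # These accounts cannot be bound as-is: fix the address on one
            # side before removing the old SSO configuration.
            report["members_without_idp"].append(m["email"])
    slack_keys = {normalise(m["email"]) for m in slack_members}
    report["idp_without_slack"] = sorted(idp[k] for k in idp if k not in slack_keys)
    return report


if __name__ == "__main__":
    for key, value in audit_emails(SLACK_MEMBERS, IDP_PRIMARY_EMAILS).items():
        print(f"{key}: {value}")
```

Anything listed under members_without_idp needs attention before you turn off the old configuration; those are the accounts whose binding email would lead nowhere.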
Tip: You may need to approve the slack.com domain so that emails don’t get caught in your members' spam or junk mail folders.
Who can use this feature?
- Workspace owners and org owners
- Business+ and Enterprise Grid subscriptions