This topic describes how to configure OneLogin to provide SSO for Slack using SAML. (If you want to set up SSO for Slack with form-based authentication, see Adding a Form-Based Application.)
-
Log in to OneLogin and go to Applications > Applications.
-
Search for Slack. Select the version that supports SAML2.0 and provisioning.
-
On the initial Configuration tab, click Save to add the app to your Company Apps and display additional configuration tabs.
-
On the Configuration tab, enter your Slack Team domain value.
This value tells OneLogin where to send the SAML message in Slack. It's the value of yourdomain in https://yourdomain.slack.com.
Note. If you used the Slack SAML connector to add the SAML app to your OneLogin App Catalog before Sept 9, 2016, your Configuration tab will look a little different than this. If you aren't using provisioning, then pay it no mind. But if you do use provisioning, see Provisioning Users to Slack for some upgrade instructions.
- On the Parameters tab, map Slack user attributes to OneLogin attributes.
Some parameters are included in the SAML assertion during SSO. Others are used when provisioning users to Slack using the Slack SCIM API. For SSO using SAML, you should accept the defaults, unless otherwise noted:
-
On the Access tab, assign the OneLogin roles that should have access to Slack and provide any app security policy that you want to apply to Slack.
You can also go to Users > All Users to add the app to individual user accounts, and return to this app configuration page to complete SSO configuration.
-
Click Save.
-
On the SSO tab, copy the two SAML values that you'll need to provide in Slack: SAML 2.0 Endpoint (HTTP) and X.509 Certificate.
To copy the X.509 certificate, click View Details. Then, click the Copy to Clipboard icon for the X.509 Certificate.
If you want to use a different certificate, go back to the SSO tab, click Change, select the new certificate, and follow the above instructions.
Alternatively, you can create an entirely new X.509 certificate for selection by going to Settings > Certificates and clicking New.
-
Go to slack.com/admin and sign in to your Slack account as a team owner.
-
Click Menu and then click Authentication.
-
Start configuring SAML authentication by clicking Configure next to SAML authentication.
-
Select OneLogin as your SAML provider and click Configure.
-
In the SAML SSO URL field, paste the value from your SAML 2.0 Endpoint (HTTP) field in OneLogin.
-
In the Public Certificate field, paste the entirety of your X.509 Certificate string from OneLogin. Be sure to include the BEGIN and END CERTIFICATE portion of the string.
-
Under Settings, select the All team members except Restricted Accounts and Single-Channel Guests option and clear the Allow users to change their email address option.
- Check the box for Responses signed and do not check the box Assertions signed.
-
If you plan to use SCIM provisioning via the Slack API, clear the Enable identity provider user profile syncing option.
See Using single sign-on with Slack for more details.
-
Test the SAML connection.
-
Verify that your Slack user has the same email address as your OneLogin account, or create a test user that does.
-
Make sure you are logged out of Slack.
-
Give yourself or your test user access to the Slack app in OneLogin.
-
Log in to OneLogin.
-
Click the Slack icon on your OneLogin dashboard.
If you are able to access Slack, then SAML works.
Next steps:
Provisioning Users to Slack |