Google Workspace single sign-on

Google Workspace single sign-on (SSO) lets all members of your workspace sign in to Slack using their Google accounts. This can be set up in two ways: with Google Auth using OAuth 2.0 or Google SAML using SAML 2.0.

Note: If you're having trouble setting up SAML single sign-on, see our Troubleshoot SAML authorisation errors article.

Tip: Workspace owners and org owners can bypass SSO authentication by using the link at the bottom of the login page to sign in with their email address and password. This guarantees access to your workspace or org, even if your IDP is having issues.


Google Auth vs. Google SAML

Read the table below to see what each SSO setup supports.

  Google Auth Google SAML
Profile syncing*
Just-in-time provisioning
Authentication with multiple email domains**
Pre-provisioning  
Custom SCIM profile fields  
Automatic user deactivation  
Rule-based access in your identity provider  
Enterprise Grid compatible    ✓


Google Auth only syncs email addresses and display names. Google SAML syncs email addresses, display names, first names and surnames.
** Additional domains need to be manually added when using Google Auth. This process is automatic with Google SAML.


Set up Google Auth

Pro and Business+ subscriptions 

Enterprise Grid subscription

Workspace owners can access and configure Google Auth SSO settings. Here's how:

  1. From your desktop, click your workspace name in the sidebar.
  2. Select Tools & settings from the menu, then click Workspace settings.
  3. Click on the Authentication tab.
  4. Next to Google Apps authentication, click Configure.
  5. Choose your authentication Settings. Visit Guide to single sign-on settings for more.
  6. Click Save configuration.
  7. You will be asked to authenticate with your Google account.

Google Auth isn't available on the Enterprise Grid subscription.

Tip: To approve additional domains for members to create accounts, send us a note. We can help add new domains, or remove others if you need to. 


Set up Google SAML

Business+ subscription

Enterprise Grid subscription

Step 1: Configure an identity provider

  1. Workspace owners need to configure an identity provider by enabling the Slack SAML app with a Google Workspace admin account.
  2. Members will need to have accounts already set up in your workspace to sign in with their Google accounts.

Step 2: Set up SSO for your workspace

  1. From your desktop, click your workspace name in the sidebar.
  2. Select Tools & settings from the menu, then click Workspace settings.
  3. Next to SAML authentication, click Configure.

Step 1: Configure an identity provider

  1. Org owners and admins need to configure an identity provider by enabling the Slack SAML app with a Google Workspace admin account.
  2. Members will need to have accounts already set up in your Enterprise Grid org to sign in with their Google accounts.

Note: When asked for an ACS URL, enter your Enterprise Grid org's URL (e.g. https://domain.enterprise.slack.com/sso/saml).


Step 2: Set up SSO for your organisation

  1. From your desktop, click your workspace name in the sidebar.
  2. Select Tools & settings from the menu, then click Organisation settings.
  3. In the left sidebar, click  Security, then select SSO settings

Note: Enabling SSO disables all other workspace sign-up settings. Any members that are already signed in when SSO is enabled will remain signed in, and can use SSO to sign in to Slack in the future. 


After Google Workspace SSO is enabled

Members can continue to go to your workspace’s URL to sign in after Google Workspace SSO is enabled. Here’s what they can expect:

  • New members
    New members can create an account for your workspace if they use an email address from an approved domain. To get started, they can click Create account.
  • Existing members
    Existing members will receive an SSO binding email to authenticate their accounts. Once binding is complete, they can sign in to your workspace using their Google Workspace credentials.

💡 To learn more, visit Connect your SSO account with Slack.


Manage Google Workspace single sign-on

Switch Google Workspace domains  

Whether your email domain is changing or you're switching from one instance of Google Workspace to another, you can update your Google Workspace domain using the steps below.

Pro and Business+ subscriptions 

Enterprise Grid subscription

  1. From your desktop, click your workspace name in the sidebar.
  2. Select Tools & settings from the menu, then click Workspace settings.
  3. Click the Authentication tab.
  4. Select Change settings. You may be asked to sign in with your Google account.
  5. Select Switch domains.
  6. You’ll be redirected to Google’s sign-in page, where you can sign in with your new Google domain.
  7. All members of your workspace will be sent a binding email to authenticate their accounts.

Org owners and admins can change their Google Workspace domain through their identity provider using a Google Admin account.

Trouble switching domains? You may have multiple approved domains. Contact us and we'll remove the ones that you no longer need.


Change email addresses

Workspace owners and org owners can edit and manage members’ email addresses.  First, they’ll need to adjust their workspace settings to allow this.

Pro and Business+ subscriptions 

Enterprise Grid subscription

  1. From your desktop, click your workspace name in the sidebar.
  2. Select Tools & settings from the menu, then click Workspace settings.
  3. Click on the Authentication tab.
  4. Next to Google authentication settings, click Change settings.
  5. To the right of Settings, click on Expand.
  6. Turn on Allow user to change their email address.
  7. Click on Save configuration.

You can now update email addresses from the Members page.

  1. From your desktop, click your workspace name in the sidebar.
  2. Select Tools & settings from the menu, then click Organisation settings.
  3. From the left sidebar, click  Security, then SSO settings.
  4. Next to Allow user to change their email address, click Enable.
  5. Click Enable again to confirm.

You can now update email addresses from the Members page.

Tip: To make bulk changes to email addresses, please reach out to us. We'd be happy to help!


Provisioning and deprovisioning

Google Workspace Admins using SAML-based SSO can control member provisioning from the Slack SAML app. This can be found under Apps in their Google Admin console.

  • Provisioning
    Slack supports just-in-time provisioning. This lets members create new accounts the first time they sign in to Slack using Google Workspace authentication.
  • Deprovisioning
    If someone leaves your workspace or org, their account will automatically be deactivated. Workspace owners can also manually deactivate accounts from the Members page.
Who can use this feature?

Related articles

Recently viewed articles