ADFS single sign-on
You can integrate your Active Directory Federation Services (ADFS) instance to help manage seamless single sign-on for your members.
Note: On its own, ADFS does not support automatic de-provisioning through Slack’s SCIM API. After de-provisioning a member in your IDP, make sure to also deactivate them in Slack if you haven’t implemented a SCIM provisioning solution outside of ADFS.
Step 1: Set up ADFS for Slack
Creating a new relying party trust
- Sign in to the server where ADFS is installed. If you need help deploying ADFS, check out this guide.
- Open the ADFS management console, and select Trust relationships, then Relying party trusts in the left console tree.
- Click Add relying party trust from the Actions menu on the right.
- In the Select data source step, toggle the option Enter data about the relying party manually.
- Next, specify the display name for your application in the Specify display name tab. We suggest calling it something like Company name – Slack. Add any optional notes that you may need.
- In the Choose profile tab, select ADFS profile.
- On the Configure certificate tab, leave the certificate settings at their defaults.
- In the Configure URL tab, select the box Enable support for the SAML 2.0 WebSSO protocol, and enter the SAML service endpoint.
  • Business+ subscription: https://yourdomain.slack.com/sso/saml
  • Enterprise Grid: https://yourdomain.enterprise.slack.com/sso/saml
- In the Configure identifiers tab, enter https://slack.com, and click Add. Note: If you choose to specify a unique workspace URL (https://[workspacename].slack.com), make sure that you input the same value into the Service provider issuer field in Slack.
- Add optional multi-factor authentication.
- Select Permit all users to access this relying party, then click Next and review your settings.
- Make sure that you’ve toggled Open the edit claim rules dialogue for this relying party trust when the wizard closes, and select Close.
- Next, you'll create rules, or assertion claims, for your relying party trust – in this case, your Slack workspace or Enterprise Grid. Slack only receives the outgoing claim type attributes and values, so the list of attributes might look different. Keep in mind that you will need two claims: one for Slack attributes and one for NameID.
- Click Add rule.
- Create a rule to send LDAP attributes as claims. Only the outgoing claim type User.Email is required, but you may want to include first_name, last_name, and User.Username. Remember that outgoing claim types are case sensitive.
Note: The value sent for User.Username will correspond to a user's username. Make sure that this value is unique for each user and will not be re-used.
- Next, create another rule to transform an incoming claim.
- Open the required NameID claim rule, and change the outgoing name ID format to Persistent identifier. Then click OK to save.
Note: If you opt to sign the AuthnRequest in Slack, you’ll need to upload the generated Slack certificate to the Signature tab in ADFS. You’ll also need to ensure that you’ve selected the secure hash algorithm SHA-1 in the Advanced tab.
Step 2: Integrate Slack with your IDP
Business+ subscription
Next, add ADFS details to your Slack workspace’s authentication settings:
- From your desktop, click your workspace name in the sidebar.
- Select Tools & settings from the menu, then click Workspace settings.
- Click the Authentication tab, then click Configure next to SAML authentication (OneLogin, Okta or your custom SAML 2.0 solution).
- Enter your SAML 2.0 endpoint URL (SAML 2.0/W-Federation URL endpoint). In a default installation this is /adfs/ls/.
- Enter your identity provider issuer. If you’re unsure of these endpoints, run Get-AdfsEndpoint from a PowerShell prompt (PS C:\>) on the device where ADFS is installed.
- From ADFS’s Encryption tab, copy your entire token-signing X.509 certificate and paste it in the Public certificate field.
- To set up more than one relying party trust with Slack, expand the Advanced options menu.
- Beside AuthnContextClass Ref, choose PasswordProtectedTransport and windows (use with ADFS for internal/external authentication). Then enter your unique service provider issuer. This should match your relying party identifier in ADFS.
- Click Save.
Slack Enterprise Grid
Next, you’ll need to add ADFS details to your Enterprise Grid organisation’s authentication settings:
- From your desktop, click your workspace name in the sidebar.
- Select Tools & settings from the menu, then click Organisation settings.
- From the left sidebar, click Security, then select SSO Settings.
- Enter your SAML 2.0 endpoint URL (SAML 2.0/W-Federation URL endpoint). In a default installation this is /adfs/ls/.
- Enter your identity provider issuer. If you're unsure of these endpoints, run Get-AdfsEndpoint from a PowerShell prompt (PS C:\>) on the device where ADFS is installed.
- In the Public certificate field, copy and paste your entire X.509 certificate.
- You can set up more than one relying party trust with Slack. Under AuthnContextClass Ref, choose PasswordProtectedTransport and windows (use with ADFS for internal/external authentication).
- Enter your unique service provider issuer. This should match your relying party identifier in ADFS.
- Click Save changes.
Note: We're happy to help with your setup, but we can't always guarantee your connection will work with Slack. Read our Troubleshoot SAML authorisation errors article, or send us a note, and we'll do what we can!
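The three values that both the Business+ and the Enterprise Grid steps above ask you to copy into Slack (SAML 2.0 endpoint URL, identity provider issuer and the token-signing certificate) can be collected on the ADFS server in one go. This is an added example, not part of Slack's article; it assumes the ADFS PowerShell module is available on the server and writes the PEM-encoded certificate to a file under $env:TEMP.

```powershell
# Added example: gather the Step 2 values from the ADFS server.
# Assumption: run on the ADFS server itself with the ADFS module present.
Import-Module ADFS

# 1. SAML 2.0 endpoint URL: the enabled SAML 2.0/WS-Federation endpoint (default /adfs/ls/).
$ssoEndpoint = Get-AdfsEndpoint |
    Where-Object { $_.Protocol -eq 'SAML 2.0/WS-Federation' -and $_.Enabled } |
    Select-Object -First 1 -ExpandProperty FullUrl

# 2. Identity provider issuer: the federation service identifier.
$issuer = (Get-AdfsProperties).Identifier

# 3. Public certificate: the *primary* token-signing certificate, PEM encoded.
#    Slack validates assertion signatures with this key, so the token-decrypting
#    certificate is the wrong one, and Slack must be updated again whenever the
#    token-signing certificate rolls over (e.g. through AutoCertificateRollover).
$signing = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }
$der     = $signing.Certificate.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
$pem     = "-----BEGIN CERTIFICATE-----`n" +
           [Convert]::ToBase64String($der, 'InsertLineBreaks') +
           "`n-----END CERTIFICATE-----"

$outFile = Join-Path $env:TEMP 'adfs-token-signing.cer'
$pem | Set-Content -Path $outFile -Encoding ascii

# Summary of what to paste into Slack, plus the expiry date to put in your calendar.
[pscustomobject]@{
    'SAML 2.0 endpoint URL'      = $ssoEndpoint
    'Identity provider issuer'   = $issuer
    'Public certificate file'    = $outFile
    'Token-signing cert expires' = $signing.Certificate.NotAfter
}
```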
- Workspace owners and org owners
- Business+ and Enterprise Grid subscriptions