ADFS single sign-on

You can integrate your Active Directory Federation Services (ADFS) instance to help manage seamless single sign-on for your members.

Note: On its own, ADFS does not support automatic de-provisioning through Slack’s SCIM API. After de-provisioning a member in your IDP, make sure to also deactivate them in Slack if you haven’t implemented a SCIM provisioning solution outside of ADFS.


Step 1: Set up ADFS for Slack

Creating a new relying party trust

  1. Sign in to the server where ADFS is installed. If you need help deploying ADFS, check out this guide.
  2. Open the ADFS management console, and select Trust relationships, then Relying party trusts in the left console tree.
  3. Click Add relying party trust from the Actions menu on the right.
  4. In the Select data source step, toggle the option Enter data about the relying party manually.
  5. Next, specify the display name for your application in the Specify display name tab. We suggest calling it something like Company name – Slack. Add any optional notes that you may need.
  6. In the Choose profile tab, select ADFS profile.
  7. On the Configure certificate tab, leave the certificate settings at their defaults.
  8. In the Configure URL tab, select the box Enable support for the SAML 2.0 WebSSO protocol, and enter the SAML service endpoint:

    •  Business+ subscription: https://yourdomain.slack.com/sso/saml
    •  Enterprise Grid: https://yourdomain.enterprise.slack.com/sso/saml
  9. In the Configure identifiers tab, enter https://slack.com, and click Add. Note: If you choose to specify a unique workspace URL (https://[workspacename].slack.com), make sure that you input the same value into the Service provider issuer field in Slack.
  10. Add optional multi-factor authentication.
  11. Select Permit all users to access this relying party, then click Next and review your settings.
  12. Make sure that you’ve toggled Open the edit claim rules dialogue for this relying party trust when the wizard closes, and select Close.
  13. Next, you'll create rules, or assertion claims, for your relying party trust – in this case, your Slack workspace or Enterprise Grid. Slack only receives the outgoing claim type attributes and values, so the list of attributes might look different. Keep in mind that you will need two claims: one for Slack attributes and one for NameID.
  14. Click Add rule.
  15. Create a rule to send LDAP attributes as claims. Only the outgoing claim type User.Email is required, but you may want to include first_name, last_name, and User.Username. Remember that outgoing claim types are case sensitive.

    Note: The value sent for User.Username will correspond to a user's username. Make sure that this value is unique for each user and will not be re-used.
  16. Next, create another rule to transform an incoming claim.
  17. Open the required NameID claim rule, and change the outgoing name ID format to Persistent identifier. Then click OK to save.

Note: If you opt to sign the AuthnRequest in Slack, you’ll need to upload the generated Slack certificate to the Signature tab in ADFS. You’ll also need to ensure that you’ve selected the secure hash algorithm SHA-1 in the Advanced tab.
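The relying party trust, claim rules and (optional) AuthnRequest signing settings from Step 1 can also be created with the ADFS PowerShell module instead of the wizard. The script below is an added example, not part of this article or of any Slack or Microsoft documentation. It assumes the placeholder workspace domain yourdomain.slack.com, the display name Company name - Slack, and that the LDAP attributes mail, givenName, sn and sAMAccountName are the right sources for the outgoing claims; the article does not specify which attributes to map, so adjust these to your directory.

```powershell
# Added example (not from the article): create the Slack relying party trust from
# Step 1 with the ADFS PowerShell cmdlets. Run as an ADFS administrator on the
# server where ADFS is installed.
Import-Module ADFS

$displayName = "Company name - Slack"                      # step 5, assumed name
$identifier  = "https://slack.com"                         # step 9, relying party identifier
$acsUrl      = "https://yourdomain.slack.com/sso/saml"     # step 8, Business+; Enterprise Grid uses
                                                           # https://yourdomain.enterprise.slack.com/sso/saml

# Claim rules in the ADFS claim rule language. Outgoing claim types are case sensitive.
# Rule 1 (step 15): send LDAP attributes as claims. User.Email is required; first_name,
#   last_name and User.Username are optional. The LDAP attribute mapping is an assumption.
#   The standard emailaddress claim is issued too so that the NameID rule has an input.
# Rule 2 (steps 16-17): transform the email claim into a NameID with the Persistent format.
$issuanceRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Slack attributes"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("User.Email", "first_name", "last_name", "User.Username", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";mail,givenName,sn,sAMAccountName,mail;{0}", param = c.Value);

@RuleTemplate = "MapClaims"
@RuleName = "NameID"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent");
'@

# Step 11: permit all users to access this relying party.
$authorizationRules = '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'

# Step 8: SAML assertion consumer endpoint, POST binding to Slack's /sso/saml URL.
$acs = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $acsUrl -Index 0

Add-AdfsRelyingPartyTrust -Name $displayName `
    -Identifier $identifier `
    -SamlEndpoint $acs `
    -IssuanceTransformRules $issuanceRules `
    -IssuanceAuthorizationRules $authorizationRules `
    -Notes "Slack SAML SSO relying party"

# Only if you sign the AuthnRequest in Slack (see the note above): upload the Slack
# certificate and, as the article requires, set the secure hash algorithm to SHA-1.
# Leave this commented out otherwise, so the trust keeps ADFS's default of SHA-256.
# $slackCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 "C:\path\to\slack-signing.cer"   # placeholder path
# Set-AdfsRelyingPartyTrust -TargetName $displayName `
#     -RequestSigningCertificate $slackCert `
#     -SignatureAlgorithm "http://www.w3.org/2000/09/xmldsig#rsa-sha1"

# Check: the trust exists, is enabled, and carries both claim rules.
Get-AdfsRelyingPartyTrust -Name $displayName |
    Select-Object Name, Enabled, Identifier, SignatureAlgorithm, IssuanceTransformRules
```

If you specified a unique workspace URL as the identifier in step 9, put that same value in $identifier here; it must match the Service provider issuer you later enter in Slack.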


Step 2: Integrate Slack with your IDP

Business+ subscription

Next, add ADFS details to your Slack workspace’s authentication settings:

  1. From your desktop, click your workspace name in the sidebar.
  2. Select Tools & settings from the menu, then click Workspace settings.
  3. Click the Authentication tab, then click Configure next to SAML authentication (OneLogin, Okta or your custom SAML 2.0 solution).
  4. Enter your SAML 2.0 endpoint URL (SAML 2.0/WS-Federation URL endpoint). In a default installation, the path is /adfs/ls/.
  5. Enter your identity provider issuer. If you’re unsure of these endpoints, run Get-AdfsEndpoint in PowerShell on the device where ADFS is installed.
  6. From ADFS’s Encryption tab, copy your entire token-signing X.509 certificate and paste it in the Public certificate field.
  7. To set up more than one relying party trust with Slack, expand the Advanced options menu.
  8. Beside AuthnContextClass Ref, choose PasswordProtectedTransport and windows (use with ADFS for internal/external authentication). Then enter your unique service provider issuer. This should match your relying party identifier in ADFS.
  9. Click Save.

Slack Enterprise Grid

Next, you’ll need to add ADFS details to your Enterprise Grid organisation’s authentication settings:

  1. From your desktop, click your workspace name in the sidebar.
  2. Select Tools & settings from the menu, then click Organisation settings.
  3. From the left sidebar, click Security, then select SSO Settings.
  4. Enter your SAML 2.0 endpoint URL (SAML 2.0/WS-Federation URL endpoint). In a default installation, the path is /adfs/ls/.
  5. Enter your identity provider issuer. If you're unsure of these endpoints, run Get-AdfsEndpoint in PowerShell on the device where ADFS is installed.
  6. In the Public certificate field, copy and paste your entire X.509 certificate.
  7. You can set up more than one relying party trust with Slack. Under AuthnContextClass Ref, choose PasswordProtectedTransport and windows (use with ADFS for internal/external authentication).
  8. Enter your unique service provider issuer. This should match your relying party identifier in ADFS.
  9. Click Save changes.
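Both the Business+ and the Enterprise Grid procedures above ask for the same three values from ADFS: the SAML 2.0 endpoint URL, the identity provider issuer, and the token-signing certificate. The script below is an added example, not part of this article, that reads them from the ADFS server so they can be pasted into Slack without copying from the console by hand. It assumes the default ADFS cmdlets are available and writes the certificate to a placeholder file name in the current directory.

```powershell
# Added example (not from the article): gather the values Step 2 asks for from
# ADFS. Run in PowerShell on the server where ADFS is installed.
Import-Module ADFS

# 1. SAML 2.0 endpoint URL: the enabled SAML 2.0/WS-Federation endpoint (/adfs/ls/ by default).
$endpoint = Get-AdfsEndpoint |
    Where-Object { $_.Protocol -eq "SAML 2.0/WS-Federation" -and $_.Enabled } |
    Select-Object -First 1
$samlEndpointUrl = $endpoint.FullUrl

# 2. Identity provider issuer: the federation service identifier.
$idpIssuer = (Get-AdfsProperties).Identifier

# 3. Token-signing certificate: export the primary one as a PEM block for the
#    Public certificate field. With AutoCertificateRollover enabled, ADFS rotates this
#    certificate on its own schedule, and Slack must be updated when it does, so the
#    expiry date is reported below as a reminder.
$signing = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }
$der = $signing.Certificate.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
$pem = "-----BEGIN CERTIFICATE-----`n" +
       [Convert]::ToBase64String($der, [System.Base64FormattingOptions]::InsertLineBreaks) +
       "`n-----END CERTIFICATE-----"
$outFile = Join-Path $PWD "adfs-token-signing.cer"   # placeholder output path
Set-Content -Path $outFile -Value $pem -Encoding Ascii

# Summary of what to paste into Slack. The service provider issuer is the identifier
# you gave the relying party trust in Step 1 (https://slack.com unless you chose a
# unique workspace URL), so it is not read from ADFS here.
[PSCustomObject]@{
    "SAML 2.0 endpoint URL"    = $samlEndpointUrl
    "Identity provider issuer" = $idpIssuer
    "Token-signing thumbprint" = $signing.Thumbprint
    "Certificate written to"   = $outFile
    "Certificate expires"      = $signing.Certificate.NotAfter
}
```

Before saving in Slack, compare the thumbprint printed here with the certificate shown in the ADFS console under Service, Certificates, so that you are sure to paste the primary token-signing certificate rather than the secondary or the service communications certificate.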

Note: We're happy to help with your setup, but we can't always guarantee your connection will work with Slack. Read our Troubleshoot SAML authorisation errors article, or send us a note, and we'll do what we can!

Who can use this feature?
  • Workspace owners and org owners
  • Business+ and Enterprise Grid subscriptions
