Google Workspace single sign-on
Google Workspace single sign-on (SSO) lets all members of your workspace sign in to Slack using their Google accounts. This can be set up in two ways: with Google Auth using OAuth 2.0 or Google SAML using SAML 2.0.
Note: If you're having trouble setting up SAML single sign-on, see our Troubleshoot SAML authorization errors article.
Tip: Workspace Owners and Org Owners can bypass SSO authentication by using the link at the bottom of the login page to sign in with email address and password. This guarantees access to your workspace or org, even if your IDP is having issues.
Google Auth vs. Google SAML
Read the table below to see what each SSO setup supports.
Google Auth | Google SAML | |
Profile Syncing* | ✓ | ✓ |
Just-in-Time Provisioning | ✓ | ✓ |
Authentication with multiple email domains** | ✓ | ✓ |
Pre-provisioning | ✓ | |
Custom SCIM profile fields | ✓ | |
Automatic user deactivation | ✓ | |
Rule-based access in your identity provider | ✓ | |
Enterprise Grid compatible | ✓ |
* Google Auth only syncs email addresses and display names. Google SAML syncs email addresses, display names, and first and last names.
** Additional domains need to be manually added when using Google Auth. This process is automatic with Google SAML.
Set up Google Auth
Pro and Business+ plans
Enterprise Grid plan
Workspace Owners can access and configure Google Auth SSO settings. Here's how:
- From your desktop, click your workspace name in the sidebar.
- Select Tools & settings from the menu, then click Workspace settings.
- Click the Authentication tab.
- Next to Google Apps authentication, click Configure.
- Choose your authentication Settings. Visit Guide to single sign-on settings for more.
- Click Save Configuration.
- You will be asked to authenticate with your Google account.
Google Auth isn't available on the Enterprise Grid plan.
Tip: To approve additional domains for members to create accounts, send us a note. We can help add new domains, or remove others if you need to.
Set up Google SAML
Business+ plan
Enterprise Grid plan
Step 1: Configure an identity provider
- Workspace Owners need to configure an identity provider by enabling the Slack SAML app with a Google Workspace Admin account.
- Members will need to have accounts already set up in your workspace to sign in with their Google accounts.
Step 2: Set up SSO for your workspace
- From your desktop, click your workspace name in the sidebar.
- Select Tools & settings from the menu, then click Workspace settings.
- Next to SAML authentication, click Configure.
Step 1: Configure an identity provider
- Org Owners and Admins need to configure an identity provider by enabling the Slack SAML app with a Google Workspace Admin account.
- Members will need to have accounts already set up in your Enterprise Grid org to sign in with their Google accounts.
Note: When asked for ACS URL, enter your Enterprise Grid org's URL (e.g., https://domain.enterprise.slack.com/sso/saml).
Step 2: Set up SSO for your organization
- From your desktop, click your workspace name in the sidebar.
- Select Tools & settings from the menu, then click Organization settings.
- In the left sidebar, click Security, then select SSO Settings.
Note: Enabling SSO disables all other workspace signup settings. Any members already signed in when SSO is enabled will remain signed in, and can use SSO to sign in to Slack in the future.
After Google Workspace SSO is enabled
Members can continue to go to your workspace’s URL to sign in after Google Workspace SSO is enabled. Here’s what they can expect:
-
New members
New members can create an account for your workspace if they use an email address from an approved domain. To get started, they can click Create account.
-
Existing members
Existing members will receive an SSO binding email to authenticate their accounts. Once binding is complete, they can sign in to your workspace using their Google Workspace credentials.
💡 To learn more, visit Connect your SSO account with Slack.
Manage Google Workspace single sign-on
Switch Google Workspace domains
Whether your email domain is changing or you're switching from one instance of Google Workspace to another, you can update your Google Workspace domain using the steps below.
Pro and Business+ plans
Enterprise Grid plan
- From your desktop, click your workspace name in the sidebar.
- Select Tools & settings from the menu, then click Workspace settings.
- Click the Authentication tab.
- Select Change Settings. You may be asked to sign in with your Google account.
- Select Switch Domains.
- You’ll be redirected to Google’s sign-in page where you can sign in with your new Google domain.
- All members of your workspace will be sent a binding email to authenticate their accounts.
Org Owners and Admins can change their Google Workspace domain through their identity provider using a Google Admin account.
Trouble switching domains? You may have multiple approved domains. Contact us and we'll remove the ones you no longer need.
Change email addresses
Workspace Owners and Org Owners can edit and manage members' email addresses. First, they’ll need to adjust their workspace settings to allow this.
Pro and Business+ plans
Enterprise Grid plan
- From your desktop, click your workspace name in the sidebar.
- Select Tools & settings from the menu, then click Workspace settings.
- Click the Authentication tab.
- Beside Google Authentication Settings, click Change Settings.
- To the right of Settings, click Expand.
- Turn on Allow user to change their email address.
- Click Save Configuration.
You can now update email addresses from the Members page.
- From your desktop, click your workspace name in the sidebar.
- Select Tools & settings from the menu, then click Organization settings.
- From the left sidebar, click Security, then SSO Settings.
- Next to Allow user to change their email address, click Enable.
- Click Enable again to confirm.
You can now update email addresses from the Members page.
Tip: To make bulk changes to email addresses, please reach out to us. We'd be happy to help!
Provisioning and deprovisioning
Google Workspace Admins using SAML-based SSO can control member provisioning from the Slack SAML app. This can be found under Apps in their Google Admin console.
-
Provisioning
Slack supports Just-in-Time Provisioning. This lets members create new accounts the first time they sign in to Slack using Google Workspace authentication. -
Deprovisioning
If someone leaves your workspace or org, their account will be automatically deactivated. Workspace Owners can also manually deactivate accounts from the Members page.
- Workspace Owners and Org Owners
- Available on paid plans