Configuring SAML SSO with Slack and PingOne for Enterprise

Enable Slack sign-on from the PingOne for Enterprise console (IdP-initiated sign-on) and direct Slack sign-on using PingOne for Enterprise (SP-initiated sign-on) with JIT provisioning.

Before you begin

  • Link PingOne for Enterprise to an identity repository containing the users requiring application access.

  • You must have administrative access to PingOne for Enterprise and Slack.

Set up the Slack application in PingOne for Enterprise

  1. Sign on to PingOne for Enterprise and go to Applications → Application Catalog.

  2. Search for Slack.

  3. Expand the Slack entry and click the Setup icon.

  4. Copy the Issuer and IdP ID values.

  5. Download the signing certificate.

  6. Click Continue to Next Step.

  7. Set ACS URL to https://your-slack-domain.slack.com/sso/saml.

  8. Click Continue to Next Step.

  9. In the Attribute Mapping section, map the attributes to the corresponding attributes in your userstore.

  10. In the SAML_SUBJECT row, click Advanced.

  11. In the NameID Format to send to SP field, enter urn:oasis:names:tc:SAML:2.0:nameid-format:persistent.

  12. Click Save.

  13. Click Continue to Next Step.

  14. Click Add for each user group that should have access to Slack.

  15. Click Continue to Next Step.

  16. Click Finish.

Add the PingOne for Enterprise IdP connection to Slack

  1. Sign on to your Slack Admin account as an administrator.

  2. Go to Settings & Administration → Workspace Settings.

  3. Click the Authentication tab.

  4. In the Configure an authentication method section, on the SAML authentication line, click Configure.

  5. If prompted, enter your password to continue.

  6. In the SAML 2.0 Endpoint (HTTP) field, enter https://sso.connect.pingidentity.com/sso/idp/SSO.saml2?idpid=PingOne-IdP-ID-value.

  7. In the Identity Provider Issuer field, enter PingOne-Issuer-value.

  8. In the Public Certificate field, paste in the contents of the PingOne for Enterprise signing certificate.

  9. Expand the Advanced Options section and clear the Responses Signed check box.

  10. In the Settings section, select the It’s optional check box for the authentication setting.

    You can change the authentication setting to your desired value after testing has been completed.

  11. Click Save Configuration.
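
A pre-flight check for the values entered in the two procedures above, added here as an example and not taken from Ping Identity or Slack tooling. It assembles the ACS URL and SAML 2.0 endpoint from the page's templates and confirms that the text destined for the Public Certificate field is exactly one PEM certificate, returning its SHA-256 fingerprint for comparison with the file downloaded from PingOne for Enterprise. The function names, the workspace-name pattern and the sample certificate bytes are assumptions made for this example.

```python
import base64
import hashlib
import re
from urllib.parse import quote

# Fixed strings taken from the steps on this page.
SSO_BASE = "https://sso.connect.pingidentity.com/sso/idp/SSO.saml2"
NAMEID_FORMAT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)

# Constructed placeholder: a DER SEQUENCE header plus filler, not a real certificate.
SAMPLE_DER = bytes([0x30, 0x1E]) + b"constructed sample, not a cert"
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.b64encode(SAMPLE_DER).decode()
              + "\n-----END CERTIFICATE-----\n")

def cert_fingerprint(pem_text):
    """SHA-256 fingerprint of the single certificate in pem_text."""
    if "PRIVATE KEY" in pem_text:
        raise ValueError("file contains a private key; paste only the certificate")
    blocks = PEM_RE.findall(pem_text)
    if len(blocks) != 1:
        raise ValueError(f"expected exactly one certificate, found {len(blocks)}")
    der = base64.b64decode("".join(blocks[0].split()), validate=True)
    if not der.startswith(b"\x30"):  # X.509 DER begins with a SEQUENCE tag
        raise ValueError("decoded data is not DER")
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def slack_saml_settings(workspace, idp_id, issuer, pem_text):
    """Assemble the values entered in PingOne and Slack, rejecting bad input."""
    # Assumption: workspace names use lowercase letters, digits and hyphens.
    if not re.fullmatch(r"[a-z0-9][a-z0-9-]*", workspace):
        raise ValueError("unexpected characters in Slack workspace name")
    if not idp_id.strip() or not issuer.strip():
        raise ValueError("copy both Issuer and IdP ID from PingOne")
    return {
        "acs_url": f"https://{workspace}.slack.com/sso/saml",
        "nameid_format": NAMEID_FORMAT,
        "saml_endpoint": f"{SSO_BASE}?idpid={quote(idp_id.strip(), safe='')}",
        "issuer": issuer.strip(),
        "cert_sha256": cert_fingerprint(pem_text),
    }

if __name__ == "__main__":
    print(slack_saml_settings("your-slack-domain", "PingOne-IdP-ID-value",
                              "PingOne-Issuer-value", SAMPLE_PEM))
```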

Test the PingOne for Enterprise IdP-initiated SSO integration

  1. Go to your Ping desktop as a user with Slack access.

    To find the Ping desktop URL in the Admin console, go to Setup → Dock → PingOne Dock URL.

  2. Complete the PingOne for Enterprise authentication.

    You’re redirected to your Slack domain.

    If the user doesn’t exist in Slack, you are prompted to accept the Slack terms.

Test the PingOne for Enterprise SP-initiated SSO integration

  1. Go to your Slack domain, https://your-domain.slack.com.

  2. Click Sign in with PingOne.

  3. After you’re redirected to PingOne for Enterprise, enter your PingOne for Enterprise username and password.

    After successful authentication, you’re redirected back to Slack.

    If the user doesn’t exist in Slack, you are prompted to accept the Slack terms.

Next steps

After successful testing, you can change the Slack It’s optional authentication setting as necessary.