--- title: Configuring Browser SSO description: Use the following details for the Browser SSO part of your single sign-on (SSO) connection to Slack. component: slack page_id: slack:setup:pf_slack_connector_configuring_browser_sso canonical_url: https://docs.pingidentity.com/integrations/slack/setup/pf_slack_connector_configuring_browser_sso.html revdate: July 8, 2024 section_ids: about-this-task: About this task steps: Steps --- # Configuring Browser SSO Use the following details for the **Browser SSO** part of your single sign-on (SSO) connection to Slack. ## About this task | | | | - | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | For all other settings, you can use the default or customize the configuration for your needs. For help, see [Configuring IdP Browser SSO](https://docs.pingidentity.com/pingfederate/latest/administrators_reference_guide/help_spconnectionconfigtasklet_spbrowserssostate.html) in the PingFederate documentation. | For more context on subject format requirements, see [SAML NameID Format urn:oasis:names:tc:SAML:2.0:nameid-format:persistent](https://support.pingidentity.com/s/article/SAML-Name-ID-urn-oasis-names-tc-SAML-2-0-nameid-format-persistent) in the Ping Identity Knowledge Center. ## Steps 1. On the **Browser SSO** tab, click **Configure Browser SSO**. 2. On the **Browser SSO > SAML Profiles** tab, select only **IDP-Initiated SSO** and **SP-Initiated SSO**. Click **Next**. 3. On the **Assertion Lifetime** tab, click **Next**. 4. On the **Assertion Creation** tab, configure the assertion. The following steps only cover the critical settings for the Slack connection. For a complete guide, see [Managing authentication source mappings](https://docs.pingidentity.com/pingfederate/latest/administrators_reference_guide/help_assertioncreationtasklet_idpadaptermappingstate.html) in the PingFederate documentation. 1. Click **Configure Assertion Creation**. 2. On the **Attribute Contract** tab, set the following name format. | Attribute Contract | Subject Name Format | | ------------------ | ------------------------------------------------------- | | SAML\_SUBJECT | `urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified` | 3. In the **Extended the Contract** section, add the following attributes, and then click **Next**. **Extend the Contract Mappings** | Extend the Contract | Attribute name Format | | ------------------- | --------------------------------------------------------- | | SAML\_NAME\_FORMAT | `urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified` | | User.Email | `urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified` | 4. On the **Authentication Source Mapping** tab, select or create your authentication source. For help, see [Managing authentication source mappings](https://docs.pingidentity.com/pingfederate/latest/administrators_reference_guide/help_assertioncreationtasklet_idpadaptermappingstate.html) in the PingFederate documentation. 5. On your authentication source **Mapping Method**tab, select **Retrieve additional attributes from a data store**. 6. On your authentication source **Attribute Sources & User Lookup**tab, select or create your LDAP datastore. 7. On your authentication source **Attribute Sources & User Lookup**tab, select or create your LDAP datastore. On the **LDAP Directory Search** tab, use the following configuration. For more information, see [Specifying directory properties and attributes](https://docs.pingidentity.com/pingfederate/latest/administrators_reference_guide/pf_specify_directory_properties_and_attributes.html) in the PingFederate documentation. ![A screenshot that shows the LDAP Directory Search tab](_images/ljw1563995734086.png) 8. On the **Browser SSO > Assertion Creation > IdP Adapter Mapping > Attribute Contract Fulfillment** tab, map the attributes as follows. Click **Next**. | | | | - | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | | | This allows the connection to provide Slack with the required `urn:oasis:names:tc:SAML:2.0:nameid-format:persistent` name format, which PingFederate does not provide as a default option. | | Attribute Contract | Source | Value | | ------------------ | ----------- | ------------------------------------------------------ | | SAML\_NAME\_FORMAT | **text** | `urn:oasis:names:tc:SAML:2.0:nameid-format:persistent` | | SAML\_SUBJECT | **Adapter** | `username` | | User.Email | **LDAP** | `mail` | ![A screenshot that shows the Attribute Contract Fulfillment tab with the attributes mapped.](_images/vku1563995733409.png) 5. On the **Browser SSO > Protocol Settings > Signature Policy** tab, clear the **Require authn requests…​** and **Always sign assertion** check boxes. Click **Next**. 6. On the **Encryption Policy** tab, select **None**. Click **Next**. 7. On the **Browser SSO > Protocol Settings** tab, click **Next**. 8. On the **Summary** tab, click **Done**. 9. On the **SP Connection > Browser SSO** tab, click **Next**.