• Configure PingFederate to authenticate against an IdP or datastore containing the users that require application access.
  • You must have administrative access to PingFederate and Slack.
  1. Create a PingFederate SP connection for Slack:
    1. Sign on to the PingFederate administration console.
    2. Create a service provider (SP) connection for Slack in PingFederate:
      1. Configure using Browser SSO profile SAML 2.0.
      2. Set Partner’s Entity ID to https://slack.com.
      3. Enable the following SAML Profiles:
        • IdP-Initiated SSO
        • SP-Initiated SSO
      4. In Assertion Creation > Attribute Contract, extend the contract with the following attributes:
        • SAML_NAME_FORMAT
        • User.Email
        • User.Username
        • first_name
        • last_name
        Use the following attribute name format:
        urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified
      5. In Assertion Creation > Authentication Source Mapping > Attribute Contract Fulfillment:
        1. Map SAML_SUBJECT, User.Email, User.Username, first_name, and last_name.
        2. Map SAML_NAME_FORMAT to a text value of urn:oasis:names:tc:SAML:2.0:nameid-format:persistent.
    3. In Protocol Settings > Assertion Consumer Service URL:
      1. Set Binding to POST.
      2. Set Endpoint URL to https://<Your slack domain>.slack.com/sso/saml.
    4. In Protocol Settings > Allowable SAML Bindings, enable POST and REDIRECT.
    5. In Protocol Settings > Signature Policy, select Always Sign Assertion.
    6. In Credentials > Digital Signature Settings, select the PingFederate Signing Certificate.
    7. Save the configuration.
    8. Export the signing certificate.
    9. Export the metadata file, open it in a text editor, and copy:
      • The entityID
      • The Location entry, https://<your value>/idp/SSO.saml2
  2. Add the PingFederate connection to Slack.
    • For Slack Standard or Plus, do the following:
      1. Sign on to your Slack Workspace as an administrator.
      2. Go to Settings & Administration > Workspace Settings.

        Screen capture showing how to select Workspace settings in the Settings and administration menu.
      3. Click the Authentication tab.
      4. In the Configure an authentication method section, on the SAML authentication line, click Configure.

        Screen capture of the Authentication tab, in the Configure an authentication method section. There are options for Google Apps authentication and SAML authentication. Each authentication option has a Configure button.
      5. If prompted, enter your password to continue.
      6. In the SAML 2.0 Endpoint (HTTP) field, enter the PingFederate Location value.
      7. In the Identity Provider Issuer field, enter the PingFederate entityID value.
      8. In the Public Certificate field, paste in the contents of the PingFederate signing certificate.

        Screen capture showing the SAML configuration with the Identity Provider Issuer, PingOne signing certificate, and Public Certificate fields where you paste the contents as described in the steps.
      9. Expand the Advanced Options section, and clear the Assertions Signed check box.

        Screen capture of the expanded Advanced Options section. There are fields for AuthnContextClassRef and Service Provider Issuer. There is a Responses Signed check box, which is selected, and an Assertions Signed check box, which is cleared.
      10. In the Settings section, select the It’s optional radio button for the authentication setting.
        Note: You can change the authentication setting to your desired value after you have completed testing.


        Screen capture of the authentication settings section. The It's optional radio button is clicked and highlighted.
      11. Click Save Configuration.

        Screen capture of the Customize section. The Sign in Button Label and Button Preview can be customized here. The Save Configuration button is highlighted.
      12. When you're redirected to PingFederate, authenticate with PingFederate.

        Result: Your selection is confirmed against PingFederate and saved if successful.
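
Rather than copying by hand, a script can read the entityID and Location from the exported metadata file and fingerprint the signing certificate, so the values entered in Slack's SAML 2.0 Endpoint, Identity Provider Issuer, and Public Certificate fields can be checked against the export. This is an added example, not part of the original procedure or of Ping Identity's tooling; the host pf.example.com, the function names, and the sample metadata are constructed, and placeholder bytes stand in for a real certificate.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def der_sha256(b64_or_pem):
    """SHA-256 of the DER bytes inside a base64 or PEM certificate string."""
    body = "".join(l.strip() for l in b64_or_pem.splitlines() if "-----" not in l)
    return hashlib.sha256(base64.b64decode(body, validate=True)).hexdigest()

def slack_saml_values(metadata_xml):
    """Read the issuer, SSO endpoint and certificate fingerprint from IdP metadata."""
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    if root.tag != "{%s}EntityDescriptor" % NS["md"] or idp is None:
        raise ValueError("not SAML 2.0 IdP metadata")
    # The same Location is normally listed once per binding; collapse duplicates.
    endpoints = {e.get("Location") for e in idp.findall("md:SingleSignOnService", NS)
                 if (e.get("Location") or "").endswith("/idp/SSO.saml2")}
    if len(endpoints) != 1:
        raise ValueError("expected one /idp/SSO.saml2 Location, found %d" % len(endpoints))
    endpoint = endpoints.pop()
    if not endpoint.startswith("https://"):
        raise ValueError("SSO endpoint is not HTTPS: " + endpoint)
    certs = [c.text for k in idp.findall("md:KeyDescriptor", NS)
             if k.get("use") in (None, "signing")
             for c in k.findall(".//ds:X509Certificate", NS) if c.text]
    if len(certs) != 1:
        raise ValueError("expected one signing certificate, found %d" % len(certs))
    return {"issuer": root.get("entityID"), "endpoint": endpoint,
            "cert_sha256": der_sha256(certs[0])}

# Constructed sample: placeholder bytes stand in for a real DER certificate.
SAMPLE_DER = b"constructed placeholder, not a real certificate"
SAMPLE_B64 = base64.b64encode(SAMPLE_DER).decode()
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="pf.example.com">
 <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>%s
  </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://pf.example.com/idp/SSO.saml2"/>
  <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://pf.example.com/idp/SSO.saml2"/>
 </md:IDPSSODescriptor></md:EntityDescriptor>""" % SAMPLE_B64
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % SAMPLE_B64

if __name__ == "__main__":
    print(slack_saml_values(SAMPLE_METADATA), der_sha256(SAMPLE_PEM))
```

Run `der_sha256` on the separately exported signing certificate as well; if its fingerprint differs from `cert_sha256`, the certificate pasted into Slack is not the one the metadata advertises.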

    • For Slack Enterprise Grid, do the following:
      1. Sign on to your Slack Organization (not Workspace) as an administrator.
      2. Go to Manage Organization > Security > SSO Settings > Configure SSO.