Configuring SAML SSO with Slack and PingFederate

Page created: 22 Apr 2021 |

Page updated: 15 Dec 2022

| 5 min read

Configuration User task Single Sign-on (SSO) Capability

Enable Slack sign on from a PingFederate URL (IdP-initiated sign on) and direct Slack sign on using PingFederate (SP-initiated sign on) with JIT provisioning.

Configure PingFederate to authenticate against an IdP or datastore containing the users that require application access.
You must have administrative access to PingFederate and Slack.

Create a PingFederate SP connection for Slack:
1. Sign on to the PingFederate administration console.
2. Create an service provider (SP) connection for Slack in PingFederate:
  1. Configure using Browser SSO profile SAML 2.0.
  2. Set Partner’s Entity ID to https://slack.com.
  3. Enable the following SAML Profiles:
    - IdP-Initiated SSO
    - SP-Initiated SSO
  4. In Assertion Creation > Attribute Contract, extend the contract with the following attributes:
    - SAML_NAME_FORMAT
    - User.Email
    - User.Username
    - first_name
    - last_name
    Use the following attribute name format:
    urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified
  5. In Assertion Creation > Authentication Source Mapping > Attribute Contract Fulfillment:
    1. Map SAML_SUBJECT, User.Email, User.Username, first_name, and last_name.
    2. Map SAML_NAME_FORMAT to a text value of urn:oasis:names:tc:SAML:2.0:nameid-format:persistent.
3. In Protocol Settings > Assertion Consumer Service URL:
  1. Set Binding to POST.
  2. Set Endpoint URL to https://<Your slack domain>.slack.com/sso/saml.
4. In Protocol Settings > Allowable SAML Bindings, enable POST and REDIRECT.
5. In Protocol Settings > Signature Policy, select Always Sign Assertion.
6. In Credentials > Digital Signature Settings, select the PingFederate Signing Certificate.
7. Save the configuration.
8. Export the signing certificate.
9. Export the metadata file, open it in a text editor, and copy:
  - The entityID
  - The Location entry, https://<your value>/idp/SSO.saml2
Add the PingFederate connection to Slack.
- For Slack Standard or Plus, do the following:
  1. Sign on to your Slack Workspace as an administrator.
  2. Go to Settings & Administration > Workspace Settings.
  3. Click the Authentication tab.
  4. In the Configure an authentication method section, on the SAML authentication line, click Configure.
  5. If prompted, enter your password to continue.
  6. In the SAML 2.0 Endpoint (HTTP) field, enter the PingFederate Location value.
  7. In the Identity Provider Issuer field, enter the PingFederate entityID value.
  8. In the Public Certificate field, paste in the contents of the PingFederate signing certificate.
  9. Expand the Advanced Options section, and clear the Assertions Signed check box.
  10. In the Settings section, select the It’s optional radio button for the authentication setting.
    Note:
    You can change the authentication setting to your desired value after you have completed testing.
  11. Click Save Configuration.
  12. When you're redirected to PingFederate, authenticate with PingFederate.
    Result: Your selection is confirmed against PingFederate and saved if successful.
- For Slack Enterprise Grid, do the following:
  1. Sign on to your Slack Organization (not Workspace) as an administrator.
  2. Go to Manage Organization > Security > SSO Settings > Configure SSO.