Slack cloud application

You must be signed in as a super administrator for this task.

With Security Assertion Markup Language (SAML), your users can sign in to enterprise cloud applications with their Google Cloud credentials.

Set up SSO via SAML for Slack

Step 1: Set up Google as a SAML identity provider (IdP)
  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Apps and then SAML Apps.

    To see Apps on the Home page, you might have to click More controls at the bottom. 

  3. Click Add Add at the bottom right.
  4. Locate and click Slack in the application list.
  5. On the Google IDP Information page, download the IDP metadata and copy the SSO URL and EntityID.
  6. Click Next.

    The Basic information window shows the Application name and Description seen by users.

  7. Click Next.
  8. On the Service Provider Details page, enter the following:
    • ACS URL: https://your-team-name.slack.com/sso/saml
    • Entity ID: https://slack.com
    • Start URL: Leave empty 

      Note: The same Entity ID can't be used by more than one SAML app. So, if the Entity ID https://slack.com has already been used by another Slack SAML app, set the Entity ID to https://your-team-name.slack.com instead.
  9. Check the Signed Response box.
  10. (Optional) Change the default Name ID as needed. You can use user schema custom attributes after creating them via Google Admin SDK APIs, but you have to create custom attributes before setting up the Slack SAML app. Name ID can have one value.
  11. Set Name ID Format to Persistent.
  12. Click Next.
  13. On the Attribute Mapping page, set the User.Email category to Basic Information and the user field to Primary Email.
  14. (Optional) Add name attributes. Google can use name attributes to pass information to the Slack app during user authentication.
    1. In both cases, set the category to Basic Information.
    2. For the first name, set the user field to First Name.
    3. For the last name, set the user field to Last Name
  15. Click Finish.
  16. In the Setting up SSO for Slack window, click OK. You need to set up SSO before setting up user provisioning.

Step 2: Enable the Slack SAML app

It can take up to 24 hours for this change to propagate to all users.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Apps and then SAML Apps.

    To see Apps on the Home page, you might have to click More controls at the bottom. 

  3. Select Slack.
  4. At the top right of the gray box, click Edit Service Compose.
    At the left, the top-level organization and any organizational units appear.

  5. To apply settings to all organizations, click On for everyone or Off for everyone, and then click Save

  6. To apply settings to individual organizational units, do the following: 

    • At the left, select the organizational unit that contains the users whose settings you want to change.
    • Select On or Off  to change the setting.
    • Click Override to keep the setting the same, even if the parent setting changes.
    • If the organization's status is already Overridden, choose an option:
      Inherit—Reverts to the same setting as its parent.
      Save—Saves your new setting (even if the parent setting changes).

    Learn more about the organizational structure.

  7. Ensure that your Slack user account email IDs match those in your Google domain.

Step 3: Set up Slack as a SAML 2.0 service provider (SP)

  1. Sign in to Slack at https://your-team-name.slack.com/home with your organization's slack team owner or administrator account.
  2. Click Settings & Permissions.
  3. Click the Authentication tab.
  4. Next to SAML authentication, click Configure.
  5. Confirm your password.
  6. In the Choose your SAML provider window, select Custom SAML 2.0 and then click Configure.
  7. In the SAML 2.0 Endpoint (HTTP) field, paste the the SSO URL you copied in step 1.
  8. In the Identity Provider Issuer field, paste the the Entity ID you copied in step 1.
  9. In the Public Certificate field, paste the entire contents of the file you downloaded in step 1. This is an X.509 Certificate that’s required for SSO setup. You might need to rename the file extension to “.txt” so you can open the file with a text editor.
  10. If you set the Entity ID in your Slack SAML app to something other than https://slack.com, click Advanced Options and paste the Entity ID value into the Service Provider Issuer field.
  11. Under Settings, indicate how authentication should be applied to your team.
  12. Click Save Configuration.

Step 4: Verify that the SSO is working

  1. Close all browser windows.
  2. Open http://your-team-name.slack.com and attempt to sign in with SAML. You should be redirected to the Google sign-in page.
  3. Enter your user name and password.

After your credentials are authenticated, you are redirected back to Slack.

Step 5: Set up user provisioning

As a super administrator, you can automatically provision users in the Slack application.

Was this article helpful?
How can we improve it?