Slack cloud application
Using Security Assertion Markup Language (SAML), your users can use their Google Cloud credentials to sign in to enterprise cloud applications.
You must be signed in as a super administrator for this task.
Set up SSO via SAML for Slack
As an administrator, here's how to set up single sign-on (SSO) via SAML for the Slack® application.
Step 1: Set up G Suite as a SAML identity provider (IdP)
Sign in to your Google Admin console.
Sign in using your administrator account (does not end in @gmail.com).
From the Admin console dashboard, go to Apps > SAML apps.
To see Apps on the dashboard, you might have to click More controls at the bottom.
- Select the Add a service/App to your domain link or click the plus (+) icon in the bottom corner.
- Select Slack from the list and then click Next. The values on the Google IDP Information page automatically populate.
- In the Basic application information window, the Application name and Description values automatically populate. You can edit them.
- (Optional) Click Choose file next to the Upload Logo field to upload a PNG or GIF file to serve as an icon. The file size should be 256 pixels square.
- Click Next.
- In the Service Provider Details window, enter these URLs:
  - ACS URL: https://your-team-name.slack.com/sso/saml
  - Entity ID: https://slack.com
  - Start URL: Leave empty
- Check the Signed Response box
- (Optional) Change the default Name ID as needed. You can use user schema custom attributes after creating them via Google Admin SDK APIs, but you have to create custom attributes before setting up the Slack SAML app. Name ID can have one value.
- Set Name ID Format to Persistent.
- Click Next.
- In the Attribute Mapping window, set the User.Email category to Basic Information and the user field to Primary Email.
- (Optional) Add name attributes. G Suite can use name attributes to pass information to the Slack app during user authentication.
  - In both cases, set the category to Basic Information.
  - For the first name, set the user field to First Name.
  - For the last name, set the user field to Last Name.
- Click Finish.
- In the Setting up SSO for Slack window, click OK. You need to set up SSO before setting up user provisioning.
It can take up to 24 hours for this change to propagate to all users.
- From the Google Admin console dashboard, go to Apps > SAML apps.
- Select Slack.
At the top of the gray box, click More and choose:
- On for everyone to turn on the service for all users (click again to confirm).
- Off to turn off the service for all users (click again to confirm).
- On for some organizations to change the setting only for some users.
- Verify that your Slack user account email IDs match those in your G Suite domain.
- Sign in to Slack at https://your-team-name.slack.com/home. You’ll need to sign in as a Team owner or Admin to update your Slack authentication settings.
- Click Settings & Permissions.
- In the Settings & Permissions window, click the Authentication tab.
- Next to SAML authentication, click Configure.
- Confirm your password.
- In the Choose your SAML provider window, select Custom SAML 2.0 and then click Configure.
- From the Google Admin console dashboard, go to Security > Set up single sign-on (SSO).
- In the Set up single sign-on (SSO) window, copy the SSO URL and then paste it into the SAML 2.0 Endpoint (HTTP) box in Slack.
- Copy the Entity ID and then paste it into the Identity Provider Issuer box in Slack.
- Next to Certificate, click Download.
- Copy and paste the entire contents of the downloaded file into the Public Certificate box in Slack. This is an X.509 Certificate that’s required for SSO setup. You might need to rename the file extension to “.txt” so you can open the file with a text editor.
- Under Settings, indicate how authentication should be applied to your team.
- Click Save Configuration.
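To confirm the settings took effect, you can decode the SAMLResponse form field posted to the ACS URL during a test sign-in and compare it with the values entered in the steps above. The following is an added example, not part of the original help page and not Google's or Slack's code; the function names and the sample response are constructed for illustration, and the check is structural only (it does not validate the XML signature).

```python
import base64
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"


def check_slack_response(b64_response, team):
    """List mismatches between a captured SAMLResponse and the settings
    from the steps above (hypothetical helper, structural check only)."""
    # Parse only responses captured from your own test sign-in; use a
    # hardened parser such as defusedxml for XML you do not control.
    root = ET.fromstring(base64.b64decode(b64_response))
    acs = f"https://{team}.slack.com/sso/saml"
    problems = []
    if root.get("Destination") != acs:
        problems.append(f"Destination is {root.get('Destination')!r}, expected {acs!r}")
    if root.find("ds:Signature", NS) is None:
        problems.append("Response is not signed (Signed Response box unchecked?)")
    audiences = [a.text for a in root.findall(".//saml:Audience", NS)]
    if audiences != ["https://slack.com"]:
        problems.append(f"Audience is {audiences!r}, expected ['https://slack.com']")
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != PERSISTENT:
        problems.append("NameID Format is not Persistent")
    emails = root.findall(".//saml:Attribute[@Name='User.Email']/saml:AttributeValue", NS)
    if len(emails) != 1 or "@" not in (emails[0].text or ""):
        problems.append("User.Email attribute missing or not an email address")
    return problems


def sample_response(destination, signed=True, fmt=PERSISTENT):
    """Constructed sample data, trimmed to the fields checked above."""
    sig = '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>' if signed else ""
    xml = (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        f'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Destination="{destination}">'
        f'{sig}<saml:Assertion><saml:Subject><saml:NameID Format="{fmt}">'
        'u-1001</saml:NameID></saml:Subject><saml:Conditions><saml:AudienceRestriction>'
        '<saml:Audience>https://slack.com</saml:Audience></saml:AudienceRestriction>'
        '</saml:Conditions><saml:AttributeStatement><saml:Attribute Name="User.Email">'
        '<saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>'
        '</saml:AttributeStatement></saml:Assertion></samlp:Response>'
    )
    return base64.b64encode(xml.encode()).decode()
```

An empty list means the response matches the ACS URL, Entity ID, Signed Response, Name ID Format and User.Email settings; each string in a non-empty list names the setting to recheck in the Admin console.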
As a super administrator, you can automatically provision users in the Slack application.