Skip to content

Slacking with Shibboleth

Someone asked how to get Slack SAML SSO working with a Shibboleth IdP. It's pretty straightforward, despite the lack of SP metadata from Slack and the inability of Slack to import IdP metadata.

Slack will attempt an authentication when you save its SAML configuration, so you need to set up the IdP first.

Configuring your IdP

Slack Metadata

  • Download sample metadata and replace YOUR-WORKSPACE with the name of your Slack workspace.
  • Do whatever you need to do on your IdP to ensure Slack receives persistent NameIDs.
  • Ensure your resolver configuration has attribute definitions for User.Username, User.Email, first_name, and last_name. I've published sample definitions based on eduPerson attributes.
  • Create an attribute filter rule for https://slack.com - I've also published an example.

Configuring Slack

Enable SAML SSO in the Slack admin console using the following settings:

  • SAML 2.0 Endpoint (HTTP): https://idp.example.edu/idp/profile/SAML2/Redirect/SSO.
  • Identity Provider Issuer: your IdP's EntityId.
  • Public Certificate: your IdP's certificate, including the ----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines.
  • Under _Advanced Options`:
    • check Sign AuthnRequest. A certificate will appear; save it for later
    • select either the default, or Don't send this value for AuthnContextClassRef
    • leave Service Provider Issuer as the default (https://slackcom)
  • Choose how the SAML response from your IDP is signed: enable only Assertions Signed.
  • Under Settings:
    • check Update profile each time a user logs in
    • uncheck Allow users to change their email address
    • uncheck Allow users to choose their own display name
    • set Authentication for your workspace must be used by: to All workspace members, except guest accounts

Click the Save button, and Slack will try to authenticate you against the IdP you just configured. If you followed these instructions, it should just work™