Implement the Right Authentication Process

Learning Objectives

After completing this unit, you’ll be able to:

Identify the best authentication strategy by Slack plan type.
Explain key configurations for setting up SAML-based SSO.

Explore Authentication Options for Slack

Enterprise-grade security is built into every aspect of how users access and work in Slack. There are two authentication options available to help your users get secure access.

Authenticate with Slack. By default, organizations on the Pro and Business+ plans will have users log in directly to Slack using their email and password.

Authenticate with SSO. Many Workspace Owners on the Pro and Business+ plans choose to set up single sign-on (SSO) authentication rather than Slack stored credentials for an extra layer of security.

By default, organizations on the Enterprise Grid plan authenticate users via SSO.

Get to Know SSO

SSO enables users to securely authenticate (sign in) with multiple applications, websites and services, through one login and one set of credentials. With SSO, the application or website that the user is trying to access relies on a trusted third party to verify that users are who they say they are.

What Is SAML 2.0?

SAML 2.0 is the acronym for Security Assertion Markup Language. SSO uses SAML 2.0, which enables identity providers (IdPs) to pass authorization credentials securely to service providers (like Slack).

It’s an XML-based message-exchange framework enabling the secure transmission of authentication tokens and other user attributes. It simplifies authentication and authorization processes for users.

An identity provider (IdP) is a trusted third party that creates, maintains, and manages identity information (user records) and authenticates users to the benefit of service providers. Popular IdPs that customers use to connect to their Slack instance include Okta, Google SAML, LastPass, and many more.

If these concepts are new to you, that’s OK. We dive deeper into how they work below and later in this module. For now, the critical thing to know is that Slack and IdPs share user information using SAML 2.0. Think of the process like a gatekeeper (Slack), and a guide (IdP) who ushers people to the gate. The gatekeeper and guide speak the same language (SAML 2.0) and only the right people get past the gates.

Get to Know SSO Options by Slack Plan

Each Slack plan has unique authentication options and default settings tied to them.

Pro
Workspaces on the Pro plan can use Google Auth to enable members to sign in using their existing Google accounts. Google Auth will sync email addresses and display names from Google into Slack, whereas Google SAML can also sync first names and last names. Google SAML also enables you to assign specific users, or groups of users, in your IdP permission to access Slack—also known as rule-based access.

Note that Google Auth is the only SSO option available for Pro plan workspaces.

Business+
Workspaces on the Business+ plan can choose to have members authenticate via Google Auth. They can also take things a step further and configure SAML single sign-on. SAML-based single sign-on (SSO) gives members access to Slack through an identity provider (IdP) of your choice.

Note that SAML SSO is configured on the workspace level.

Enterprise Grid
Organizations on the Enterprise Grid plan will configure SAML-based SSO for all workspaces at the org level.

Configure SAML-Based SSO for Enterprise Grid

SAML-based single sign-on (SSO) is a feature available only to Slack’s Business+ or Enterprise Grid plans. With Enterprise Grid, you can sync groups from your identity provider (IdP) to workspaces and channels within your Slack instance, making it easier to manage Slack at scale.

When configuring SSO, both the Slack and identity provider administrators must coordinate in setting up Slack and the identity provider and maintain access controls going forward.

User Guides to Integrate IdP with Slack

Many of the common identity providers such as Okta, Ping, and Azure have built-in SAML connectors to Slack. We recommend using the documentation outlined by these providers when setting up your IdP with Slack.

If you’re using an identity provider that does not have a SAML connector with Slack, you can build a custom SAML connector.

Know the Configuration Requirements

The following needs to be configured in Slack and your identity provider.

Where	Key-Value Configuration	Description
Slack	SAML 2.0 Endpoint URL (also called the sign-on URL or login URL)	This is the IdP hosted URL that Slack sends the authentication request to when a user attempts to log into Slack.
	Identity provider issuer URL (also called the identity provider entity ID)	This is a unique identifier for the IdP and is formatted as a URL. Slack will validate that SAML responses from the IdP contained in this entity ID.
	Service provider issuer URL (also called the service provider entity ID)	This is a unique identifier for Slack, the service provider, and is formatted as a URL. It will be sent in SAML requests for the IdP to validate.
	IdPs Public Certificate	This is the public key used to verify the IdP’s signed certificate which the IdP includes in the SAML responses. Your Slack tenant uses this to verify responses coming from your IdP.
Identity Provider (IdP)	Service provider entity ID	This is a unique identifier for Slack and is formatted as a URL. The IdP will validate that SAML requests from Slack include this entity ID. If you integrate the same IdP with both a sandbox and production Slack grid, each must have a unique entity ID.
	Reply URL (also called the ACS URL)	This is the Slack hosted URL that the IdP sends SAML responses to.
	Attribute mapping	Certain user account attributes must be included in the SAML response. Each attribute value is mapped to a user account attribute in the IdP. The required attributes are NameID and email. While first name, last name, and username are optional, we highly recommend including these attributes as well.