Users can login to Slack using Teamstack via SAML. Your users will use their Teamstack credentials when logging into Slack.
Slack also support Just In Time (JIT) provisioning, which means that users who have never signed into Slack will have their account created automatically during first login.
Additionally, you can setup provisioning. Which will automatically create and deactivate your users in Slack, depending of their status in Teamstack. Check out the the separate article for "Setup provisioning for Slack"
- Slack (SP) initiated Single Sign On
- Teamstack (IdP) initiated Single Sign On
- JIT (Just In Time) Provisioning
- Plan: Slack Plus or Enterprise Grid
Set up SSO via SAML for Slack
To set up SSO you first need to create a Slack app in Teamstack, assign it to yourself and then configure Slack SSO with the SAML settings from Teamstack.
Step 1: Create Slack app in Teamstack
- Go to your Applications in Teamstack.
- Click "Add Application" in the top right corner.
- Search for "Slack" and click "Add".
- Select this app to be a "SAML" app and enter your Slack workspace (like "myCompanyName" ) and leave the "Relay State" input empty.
- On your applications overview, click on the newly created Slack app. You will see all details about this app.
- Click on "Users" and assign this app to yourself. You will need this to test that SAML is working during setup in Slack.
- Click on the "SAML Configurations" tab. Keep this page open, you will need these values once you configure the SAML settings in Slack.
Step 2: Set up SAML in Slack
When you enable SSO in Slack, you can decide if SAML login is required or optional. After you have tested your SAML configuration, you can require SAML login for all your users. Slack will send an email to everyone in your workspace to inform users about the change.
- Log in to Slack with your administrator account
- Click on your workspace name on the left and select "Administration" -> "Workspace Settings" to go to the admin settings.
- Click on "Authentication", switch to the "Authentication" tab and click on "SAML authentication"
4. Copy the "Sign-in page URL" value from Teamstack (step 1.7) to the "SAML 2.0 Endpoint" input in Slack and the "Issuer" value in Teamstack into the "Identity Provider Issuer" input in Slack.
5. Copy and paste the "Identity provider certificate" from Teamstack into the "Public Certificate" input in Slack.
6. To show the advanced options, click on the "expand" button and uncheck the "Responses Signed" checkbox.
7. Under "Settings", check the following checkboxes:
- "Update profile each time a user logs in"
- "Allow users to change their email address"
- "Allow users to choose their own display name"
8. For testing, you can select "It's optional" under "Authentication for your workspace must be used by". Later, when everything is working, you can require SSO for every user in your workspace.
9. Click on "Save Configuration". You will be redirected to Teamstack and redirected back to Slack. You should see a success message of "Your new authentication settings have been verified and enabled" at the top of the screen. You can now require SSO login for all of your users.
If you see an error, check to make sure that you have assigned the app to yourself in Teamstack and the the SAML setting "Responses Signed" in Slack is unchecked.
If you now assign the Slack app to a user or group in Teamstack, a new Slack account will be created upon a user's first login to Slack.
If you want to automatically create and deactivate users in Slack depending on their status in Teamstack, you can setup Provisioning.
- Slack users can generally not be deleted, only deactivated. This might lead to conflicts if you want to use the same email address for a different user in the future. A workaround is to manually change the email address of the deactivated user in Slack to be able to create a new Slack account with the same email.