Slack offers both IdP-initiated SAML SSO (for SSO access through the Practice Protect user portal or Idaptive mobile applications) and SP-initiated SAML SSO (for SSO access directly through the Slack web application). You can configure Slack for either or both types of SSO. Enabling both methods ensures that users can log in to Slack in different situations such as clicking through a notification email. SP-initiated SSO for Slack is automatically enabled when the SAML feature is activated.
It can be useful to have the Slack web application and the Practice Protect Admin Portal open at the same time, perhaps side by side, because the SSO configuration requires copying and pasting settings between the two browser windows.
- Administrator Access in Practice Protect
- An active Slack account with administrator rights for your organization.
- A signed certificate. You can either download one from Admin Portal or use your organization’s trusted certificate.
- Slack Plus Plan (SAML-based SSO is available only on this subscription)
- Slack login should have exact loginnames in
- If the user already has a PPO login, ensure that the Slack login is exactly the same as the PPO login name. Rename the Slack login if necessary so that it matches the PPO login exactly.
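The login-name match above is what ties a Practice Protect identity to a Slack account: once SAML is required, a user whose Slack login differs from the PPO login name (even by letter case or a stray space) will not be linked to the right account, and provisioning with the "sync (overwrite) users ... with the same principal name" option will not find them. The following script is an added example, not part of the Practice Protect or Slack product, that reconciles two exported login lists (constructed sample data below) and reports exact matches, near misses that would fail the exact comparison, and accounts present on only one side.

```python
"""Reconcile Practice Protect (PPO) login names against Slack logins before
enabling SAML SSO and provisioning.

Added example; not part of the Practice Protect or Slack guide. The two lists
are constructed sample data, not real accounts.
"""

# Constructed sample exports: PPO login names and Slack member logins.
PPO_LOGINS = [
    "alice@example.com",
    "bob@example.com",
    "carol@example.com",
    "dave@example.com",
]
SLACK_LOGINS = [
    "alice@example.com",
    "Bob@example.com",        # differs only by case
    "carol@example.com ",     # trailing space from a spreadsheet export
    "erin@example.com",       # no PPO account at all
]


def _normalise(login):
    """Fold case and whitespace so near misses can be detected."""
    return login.strip().lower()


def reconcile_logins(ppo_logins, slack_logins):
    """Return exact matches, near misses, and one-sided accounts.

    Matching is deliberately exact (case- and whitespace-sensitive), which is
    what the guide requires; near misses are reported so they can be renamed
    before SSO is switched to Required.
    """
    ppo, slack = set(ppo_logins), set(slack_logins)
    exact = sorted(ppo & slack)

    slack_by_norm = {}
    for s in slack_logins:
        slack_by_norm.setdefault(_normalise(s), []).append(s)

    near_miss, ppo_only = [], []
    for p in ppo - slack:
        candidates = slack_by_norm.get(_normalise(p), [])
        if candidates:
            near_miss.append((p, candidates[0]))
        else:
            ppo_only.append(p)

    matched_on_slack_side = {s for _, s in near_miss}
    slack_only = sorted(slack - ppo - matched_on_slack_side)
    return {
        "exact": exact,
        "near_miss": sorted(near_miss),
        "ppo_only": sorted(ppo_only),
        "slack_only": slack_only,
    }


def report(result):
    """Render the reconciliation as printable lines (one per finding)."""
    lines = [f"OK       {login}" for login in result["exact"]]
    lines += [f"RENAME   Slack {s!r} -> {p!r}" for p, s in result["near_miss"]]
    lines += [f"MISSING  no Slack account for PPO {p!r}" for p in result["ppo_only"]]
    lines += [f"ORPHAN   Slack {s!r} has no PPO login" for s in result["slack_only"]]
    return lines


if __name__ == "__main__":
    for line in report(reconcile_logins(PPO_LOGINS, SLACK_LOGINS)):
        print(line)
```

Run it against real exports before step 10 below (where SAML is set to Required); every RENAME or MISSING line is a user who would otherwise be unable to sign in.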
1. Log in to Practice Protect and switch to the Admin Portal.
2. Go to Roles > Add Role > Under Description, enter the name of the Role on the Name field i.e. “Slack SAML Users”. You can also create roles according to the group membership in Slack (Marketing, Administrator, Design, etc.)
3. Click on Members > Click Add > add the Slack users and click Save. If you have multiple groups, create a role for each of them and repeat steps 2-3.
**Please ensure that the login name in PPO is exactly the same as the respective Slack login.**
4. Go to Apps > Web Apps > Click on Add Web Apps > in the search field type “Slack” > select Slack Web – SAML + Provisioning, then click Add. In the Add Web App window, click Yes to add this application. Click Close.
5. Click on Trust > under Identity Provider Configuration select Manual Configuration > click on Signing Certificate and click Download. This downloads the certificate to your local PC; you will need it in the following steps. Copy the Identity Provider Issuer and the SAML 2.0 Endpoint (HTTP) into a notepad; you will also need these details in the following steps. Under Service Provider Configuration, select Manual Configuration, then click Save.
6. Click on Permissions > Click Add > Select the Role created on step 2 i.e. “Slack SAML Users”. Click Save.
7. The status of the application changes from Ready to Deploy to Deployed. This means that the newly added app now appears on the user portal for all users who are members of the role (i.e. “Slack SAML Users”).
8. Login to Slack using the Administrator Account. Click on your company name (i.e. CBP Accountants) > Select Administration > Click on Workspace settings. This opens a new tab for Admin settings.
9. Click on Authentication > On Configure an authentication method select SAML authentication > Click Configure.
10. On Configure SAML Authentication select Required. This will enable users to sign-in using their PPO login to access Slack. On Identity provider sign-in URL and Identity provider sign-out URL (optional), add the Sign-in URL and Single Logout URL respectively from step 5. On Public Certificate, copy and paste your entire x.509 certificate that was downloaded from Step 5.
11. On Advanced Options click expand. Tick the box beside Sign AuthnRequest and copy the public key into the notepad (from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE-----), then save it as filename.cer, i.e. SAML_Response_Assertion.cer. You will use this file later in the PPO Admin Portal settings for Slack.
12. Scroll down and untick Assertions Signed. Leave Responses Signed ticked. Under Service Provider Issuer, copy the value, i.e. https://cbpaccountants.slack/sso/saml, into a notepad. Under Settings, leave Update profile each time a user logs in as the only option ticked. Under Authentication for your workspace must be used, you can select any of these options. In this example we select It’s optional (this means there are two ways to sign in: either through Practice Protect or with a username and password in Slack). If you select All workspace members, all logins must use the PPO login. The other option, All workspace members, except guest accounts, means that all members except guest accounts must use the PPO login to access Slack. Under Customized, enter Practice Protect in the Sign In Button Label field. Click Save Configuration.
13. Once saved, this will update the details in the Single sign-on settings.
14. Go back to the Admin Portal in Practice Protect. Go to Apps > Web Apps > Click on Add Web Apps > Select Slack Web – SAML + Provisioning > Trust > scroll down to Service Provider Configuration > select Manual Configuration. Enter the value of SP Entity ID / SP Issuer / Audience and Assertion Consumer Service (ACS) URL (these should be the same as the details you got from step 12, i.e. https://cbpaccountants.slack.com/sso/saml). Under Recipient, tick the box beside Same as ACS URL. Tick the box beside Encrypt SAML Response Assertion, then click Choose File and upload the certificate that you saved in step 11 (i.e. ). Click Save.
15. Single sign-on is now enabled; the next step is to enable provisioning. This means that you can create users in PPO and they will automatically be provisioned in Slack. Once auto-provisioning is enabled you do not need to create the user in Slack manually, as the user attributes are synced from PPO, provided that you have enough licenses in Slack.
16. (Optional) Go back to PPO admin portal.
17. Go to Apps > Web Apps > Click on Slack Web – SAML + Provisioning > Click on Provisioning > tick the box beside Enable provisioning for this application then click on Authorize.
18. This opens a new window where you need to login using an administrator account to authorize Idaptive to provision users. Enter your Workspace Name and click Continue. Then login as the Administrator in Slack.
19. Click Authorize when prompted.
20. Wait for a few minutes to complete the Authorization.
21. Close the window and click Save. You may need to log out of the Admin Portal and log back in.
22. Go to Apps > Web Apps > Click on Slack Web – SAML + Provisioning > Click on Provisioning > On Sync Options: Select Sync (overwrite) users to target application when existing users are found with the same principal name. Leave Do not de-provision (deactivate or delete) users in target application when the users are removed from mapped role ticked.
23. On Role Mappings, Click Add. Select the respective Role (i.e. Slack SAML users – this is the equivalent group in PPO), Destination Group (this specifies the equivalent group in Slack if there’s any). On this example, there is no existing destination group in Slack, so we just select Slack SAML users and this will sync to Slack users group. You may leave this blank or select from the drop down (if you have an existing group in slack). Click Done.
24. Click Save.
25. Go to Settings > Click Users > Click on Outbound Provisioning > Tick the box beside Run synchronization daily for all enabled applications > On Sync Start Time (UTC / local time), select the time to run the synchronization. The synchronization runs daily on the specified time.
26. Click Save.
27. This completes the setup of Slack SAML with provisioning in Practice Protect.
28. You can run a manual synchronization. Go to Provisioning Enabled Application > Select Slack, then Click on Start Sync.
29. You can view the real-time status of the synchronization by clicking on View Synchronization Job Status and Reports. Once the synchronization completes, any changes in Practice Protect Online will be reflected in the Slack Admin Console.
30. Test that it is working by logging in to a user account at the Slack login page. Select Sign in with Practice Protect.
31. You will be redirected to the Practice Protect login page. Enter your Practice Protect credentials.
32. Once authentication is successful, you should be able to access your Slack application.
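Two of the values exchanged in steps 5 and 10 to 14 are easy to get subtly wrong: the X.509 certificate pasted into Slack (copying it from a word processor turns the five hyphens of the BEGIN/END markers into en or em dashes, and Slack will not accept the result), and the Service Provider Issuer / ACS URL copied from Slack into the PPO trust settings (a typo such as the missing ".com" in the step 12 example would leave the issuer and the ACS URL pointing at different hosts). The script below is an added example, not part of the Practice Protect or Slack product: it repairs and validates a PEM block using only the standard library, prints its SHA-256 fingerprint so the same certificate can be confirmed on both sides, and checks that the SP issuer and ACS URL agree. The PEM body is a constructed 5-byte DER placeholder, not a real certificate.

```python
"""Sanity-check the SAML values exchanged between Practice Protect and Slack
(steps 5 and 10 to 14 of the guide) before saving them.

Added example; not part of the Practice Protect or Slack product. Only the
standard library is used. SAMPLE_PEM is a constructed placeholder (a 5-byte
DER SEQUENCE), not a real X.509 certificate.
"""
import base64
import binascii
import hashlib
import re
from urllib.parse import urlparse

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"

# Constructed placeholder PEM whose marker lines carry the em/en dashes that a
# copy from a word processor typically introduces.
SAMPLE_PEM = "\u2014\u2013BEGIN CERTIFICATE\u2014\u2013\nMAMCAQE=\n\u2014\u2013END CERTIFICATE\u2014\u2013\n"


def normalise_pem(text):
    """Replace Unicode dashes with ASCII hyphens and rebuild the marker lines
    as exactly five hyphen-minus characters on each side."""
    text = text.replace("\u2014", "-").replace("\u2013", "-")
    text = re.sub(r"-+BEGIN CERTIFICATE-+", BEGIN, text)
    text = re.sub(r"-+END CERTIFICATE-+", END, text)
    return text.strip()


def check_pem_certificate(pem_text):
    """Validate a pasted PEM certificate and compute its DER SHA-256 fingerprint."""
    result = {"ok": False, "warnings": [], "errors": [], "sha256": None, "pem": None}
    fixed = normalise_pem(pem_text)
    if fixed != pem_text.strip():
        result["warnings"].append("PEM markers contained non-ASCII dashes; repaired")
    if not (fixed.startswith(BEGIN) and fixed.endswith(END)):
        result["errors"].append("missing BEGIN/END CERTIFICATE markers")
        return result
    body = fixed[len(BEGIN):-len(END)].replace("\r", "").replace("\n", "").strip()
    try:
        der = base64.b64decode(body, validate=True)
    except (binascii.Error, ValueError):
        result["errors"].append("certificate body is not valid base64")
        return result
    # Every X.509 certificate is a DER SEQUENCE, whose first byte is 0x30.
    if not der or der[0] != 0x30:
        result["errors"].append("decoded body is not a DER SEQUENCE (not an X.509 certificate)")
        return result
    result["sha256"] = hashlib.sha256(der).hexdigest()
    result["pem"] = fixed
    result["ok"] = True
    return result


def check_sp_settings(sp_issuer, acs_url):
    """Check the Slack-side values copied in step 12 before entering them in
    step 14: both must be https URLs on the same *.slack.com workspace host."""
    errors = []
    issuer, acs = urlparse(sp_issuer), urlparse(acs_url)
    for name, url in (("SP issuer", issuer), ("ACS URL", acs)):
        if url.scheme != "https":
            errors.append(f"{name} must use https")
        if not url.hostname or not url.hostname.endswith(".slack.com"):
            errors.append(f"{name} host {url.hostname!r} is not a *.slack.com workspace host")
    if issuer.hostname != acs.hostname:
        errors.append("SP issuer and ACS URL point at different hosts")
    return errors


if __name__ == "__main__":
    cert = check_pem_certificate(SAMPLE_PEM)
    print("certificate ok:", cert["ok"], cert["warnings"], cert["errors"])
    print("sha256:", cert["sha256"])
    # The issuer below is the step 12 example value as printed in the guide;
    # the ACS URL is the step 14 value. The check reports the host mismatch.
    for err in check_sp_settings("https://cbpaccountants.slack/sso/saml",
                                 "https://cbpaccountants.slack.com/sso/saml"):
        print("SP settings:", err)
```

Paste the repaired PEM (`result["pem"]`) rather than the original into Slack's Public Certificate field, and compare the printed fingerprint with the one shown for the signing certificate in the PPO Admin Portal so that the certificate Slack trusts is the one PPO actually signs with.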