Purpose
Slack offers single sign-on via SAML integration with Practice Protect. This provides a seamless login experience to the Slack platform using IdP-initiated SAML.
It can be helpful to have both the Slack web application and the Admin Portal open at the same time – ideally side by side. During the SSO configuration process, you’ll need to copy and paste settings between these two browser windows.
Practice Protect will configure this on your behalf. Please send us an email at support@practiceprotect.com.
Prerequisites
- Administrator Access in Practice Protect
- Active Slack account with workspace owner rights. (Note: this can be your own account, so you don’t have to create and pay for another licensed account.)
- Must be on either Slack Business+ (Plus) or Enterprise Subscription only
- Slack username for staff should match the login usernames in Practice Protect.
Instruction
- Log in to Practice Protect and switch to the Admin Portal.
- On Core Services, click Roles > Add Roles. Create a role and set the name field to Slack SSO Users. Then Save.
Note: You can also create roles based on group memberships in Slack (e.g., Marketing, Administrator, Design, etc.), but this is only applicable if you map groups during the setup.
- With the created role, click on Members > Add. Add each member that will be part of the SSO. Then Save.

Note: If you have multiple groups, you may create these groups accordingly and repeat steps 2-3.
- From Apps & Widgets, go to the Web Apps section. Then choose Add Web Apps in the top-right corner.

On the app catalog, search for Slack and Add the app Slack (SAML + Provisioning). Hit Yes to add the application. Click Close.
- The application that you just added opens to the Settings page. Set the Name of the app to Slack then click Save. Note: You can customize the name, category, or logo according to your preference.

- Go to the Trust page. In the Identity Provider Configuration select Manual Configuration. Then, click on Signing Certificate and click Download.

This will download the certificate to your local PC, which you’ll need for the next steps.
- On the same page, copy the Identity Provider Issuer and SAML 2.0 Endpoint (HTTP) into Notepad. You will also need these details in the succeeding instructions.

- Click Save.
- On the Permissions page, click Add, select the role created in Step 2 (e.g., Slack SSO Users), and click Save.

- The status of the application will change from Ready to Deploy to Deployed. This means the app will now appear on the user portal. Note: The app won’t be ready to use until Slack SSO is enabled.

- Log in to Slack using your dedicated workspace URL (e.g., https://mydomain.slack.com) and sign in with your admin or owner account.
- On the left-hand menu, click Admin, then select Workspace Settings.

- Under Administration, click SSO & Authentication.
- Choose an authentication method, then click Configure SAML under An Identity Provider or custom SAML.

- On the Configure SSO form, paste the SAML 2.0 Endpoint (HTTP) and Identity Provider Issuer into their respective fields. Use the values you copied from Step 7.
- In the Service Provider Issuer URL field, enter your Slack workspace URL (e.g., https://mydomain.slack.com). Remember this value, as you’ll need it later when setting up Practice Protect.
- Open the signing certificate file you downloaded in Step 6 using Notepad. Copy all the text inside the file, then paste it into the Public (X.509) Certificate field.


- For AuthnContextClassRef, leave it at its default setting.
- In SAML Request Signing, tick the box for Sign AuthnRequest. This will generate a certificate. Copy the entire certificate, paste it into Notepad, and save the file as slacksso.cer.
- In SAML Response Signing, tick the box for Sign the Response only.

- On another tab, go back to the Slack app in Practice Protect and navigate to Trust > Service Provider.
- Under Service Provider Configuration, select Manual Configuration and apply the following settings.
  - SP Entity ID / SP Issuer / Audience: https://SLACK-DOMAIN.slack.com
    Note: Replace SLACK-DOMAIN with your actual Slack workspace domain.
  - Assertion Consumer Service (ACS) URL: https://SLACK-DOMAIN.slack.com/sso/saml
    Note: Replace SLACK-DOMAIN with your actual Slack workspace domain.
  - Recipient: Tick the box for Same as ACS URL
  - Tick the box beside Encrypt SAML Response Assertion, then click Choose File and upload the certificate you saved in Step 18 (i.e., slacksso.cer).
- Click Save.

- Return to the Slack Configure SSO form and click Test Configuration.

- This will redirect you to the Practice Protect login page to test the SSO and verify the configuration by signing in using your Practice Protect credentials.

- Once the test is successful, you’ll see a confirmation message indicating that everything looks good.
- Review the SSO and click on Continue to Options.

- In the SSO Options screen, you can choose who must use SSO to log in (Everyone, Regular members only, or No one). Since the SSO setup has already been tested, select Everyone under Require SSO authentication for to enforce it for all users.
Note that you can change this setting later if needed.
- Leave the Profile settings section as it is. Note that you can change these settings later if needed.
- Click Add SSO to save your configuration.

- Set up the SSO name and sign-in button by clicking on Edit.

- Enter Practice Protect as the SSO name and Save.

- SSO is now enforced and enabled. To sign in, go to your Slack workspace URL and click Sign in with Practice Protect. You’ll be redirected to the Practice Protect login page, where you can enter your credentials to authenticate. Once signed in, you’ll be automatically logged in to Slack.
You can also access Slack directly from your Practice Protect portal by clicking the Slack tile, which will sign you in automatically without needing to re-enter your credentials.
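
A pre-flight check for the values copied between the two browser windows in the steps above, written as an added example (it is not part of the Practice Protect or Slack documentation). The function names and dictionary keys are hypothetical, both certificates are assumed to be PEM text, and the sample certificates are constructed stand-ins.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def cert_fingerprint(pem_text):
    """SHA-256 hex of the bytes in a single PEM block, else None.
    Checks the PEM wrapper and base64 only, not the X.509 structure."""
    blocks = PEM_RE.findall(pem_text)
    if len(blocks) != 1:
        return None
    try:
        der = base64.b64decode("".join(blocks[0].split()), validate=True)
    except ValueError:
        return None
    return hashlib.sha256(der).hexdigest() if der else None

def preflight(workspace, slack_form, pp_trust):
    """Compare the Slack Configure SSO form with the Practice Protect Trust page."""
    base = f"https://{workspace}.slack.com"
    problems = []
    if slack_form["sp_issuer"] != base:
        problems.append("Slack Service Provider Issuer URL is not " + base)
    if pp_trust["sp_entity_id"] != slack_form["sp_issuer"]:
        problems.append("SP Entity ID differs from Slack's SP Issuer URL")
    if pp_trust["acs_url"] != base + "/sso/saml":
        problems.append("ACS URL is not " + base + "/sso/saml")
    idp_fp = cert_fingerprint(slack_form["idp_signing_cert"])
    sp_fp = cert_fingerprint(pp_trust["encryption_cert"])
    if idp_fp is None:
        problems.append("Public (X.509) Certificate is not one PEM block")
    if sp_fp is None:
        problems.append("slacksso.cer is not one PEM block")
    if idp_fp and idp_fp == sp_fp:
        problems.append("same certificate pasted on both sides")
    return problems

def _pem(raw):  # constructed stand-in bytes, not a real certificate
    body = base64.b64encode(raw).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

SLACK_FORM = {"sp_issuer": "https://mydomain.slack.com",
              "idp_signing_cert": _pem(b"constructed IdP signing cert")}
PP_TRUST = {"sp_entity_id": "https://mydomain.slack.com",
            "acs_url": "https://mydomain.slack.com/sso/saml",
            "encryption_cert": _pem(b"constructed Slack request cert")}

if __name__ == "__main__":
    print(preflight("mydomain", SLACK_FORM, PP_TRUST) or "settings agree")
```

An empty list means the Service Provider values agree on both sides and the two certificates were not swapped; recording the fingerprints also gives you something to compare against when either certificate is rotated.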
Enable Provisioning (Optional)
Enabling provisioning means that users you create in Practice Protect are automatically provisioned in Slack. Once auto-provisioning is enabled, you do not need to create the user in Slack manually, as it will sync the user’s attributes from the platform.
- Go to Slack API and click on Create New App.

- On the form, choose “From Scratch“.

- Enter App Name (e.g. PracticeProtectApp) and select your organization’s workspace.
- Click Create App.

- Go to OAuth & Permissions and click Add New Redirect URL in the Redirect URLs section.
- Add this URL: https://pod0.idaptive.app/UserProvOAuth2/AuthzCodecb
- Once added, click Save URLs.

- Return to the Slack SSO App Settings in the Practice Protect Admin Portal.
- Click on Provisioning. Tick the box beside Enable provisioning for this application then click on Authorize.

If you encounter the error “Redirect_uri did not match any configured URIs.”, please reach out to our support team.
- This opens a new window where you need to log in using an administrator account to authorize Idaptive to provision users. Enter your Workspace Name and click Continue. Then log in as the Administrator in Slack.


- Click Authorize when prompted.

- Wait a few minutes for the authorization to complete.

- Close the window and click Save. You may need to refresh or reload rights on the current Admin Portal page.
- Go to Apps > Web Apps > Click on Slack Web – SAML + Provisioning > Click on Provisioning > On Sync Options: Select Sync (overwrite) users to target application when existing users are found with the same principal name. Leave Do not de-provision (deactivate or delete) users in target application when the users are removed from mapped role ticked.

- On Role Mappings, click Add. Select the respective Role (i.e. Slack SSO Users – this is the equivalent group in Practice Protect) and the Destination Group (this specifies the equivalent group in Slack, if there is any). In this example, there is no existing destination group in Slack, so we just select Slack SSO Users and this will sync to the Slack users group. You may leave this blank or select from the drop-down (if you have any existing group in Slack).
- Click Done and Save.
- (Optional) Go to Settings > Click Users > Click on Outbound Provisioning > Tick the box beside Run synchronization daily for all enabled applications > On Sync Start Time (UTC / local time), select the time to run the synchronization. The synchronization runs daily at the specified time.

- Click Save. This completes the setup of Slack SSO with provisioning in Practice Protect.
- Run a manual synchronization. Go to Provisioning Enabled Application > Select Slack, then click Start Sync.
- You can view the real-time status of the synchronization by clicking on View Synchronization Job Status and Reports. Once the synchronization completes, any changes in Practice Protect will be reflected in the Slack Admin Console.
