Slack
Last reviewed: 5 months ago
This guide covers how to configure Slack as a SAML application in Cloudflare Zero Trust.
Prerequisites
- An identity provider configured in Cloudflare Zero Trust
- Admin access to a Slack Business+ or Enterprise Grid plan account
1. Add a SaaS application to Cloudflare Zero Trust
- In Zero Trust, go to Access > Applications.
- Select Add an application > SaaS.
- For Application, select Slack.
- For the authentication protocol, select SAML.
- Select Add application.
- Fill in the following fields:
  - Entity ID: https://slack.com
  - Assertion Consumer Service URL: https://<YOUR_DOMAIN>.slack.com/sso/saml
  - Name ID format: The format expected by Slack, usually Email
- Copy the SSO endpoint, Access Entity ID or Issuer, and Public key.
- Select Save configuration.
- Configure Access policies for the application.
- Select Done.
2. Create an x.509 certificate
- Paste the Public key in a text editor.
- Wrap the certificate in -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----.
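The wrapping step above, as an added Python example (not Cloudflare's or Slack's code): it normalizes the pasted Public key, rejects truncated or non-base64 pastes, and emits the PEM text for Slack's certificate field. The sample value is a constructed placeholder rather than a real certificate, and the function names are illustrative.

```python
import base64
import binascii
import hashlib
import re

HEADER = "-----BEGIN CERTIFICATE-----"
FOOTER = "-----END CERTIFICATE-----"

# Constructed stand-in for the copied "Public key" value: a DER SEQUENCE
# envelope around zero bytes. It is not a real certificate.
SAMPLE_PUBLIC_KEY = base64.b64encode(b"\x30\x82\x01\x00" + bytes(256)).decode()


def decode_der(pasted: str) -> bytes:
    """Strip PEM markers and whitespace, then strictly decode the base64."""
    body = re.sub(r"\s+", "", pasted.replace(HEADER, "").replace(FOOTER, ""))
    try:
        der = base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"not valid base64, check for a partial copy: {exc}") from exc
    # Outer ASN.1 SEQUENCE whose declared length matches the data. This only
    # catches truncated or mangled pastes; it does not validate the certificate.
    if len(der) < 4 or der[0] != 0x30:
        raise ValueError("decoded data is not a DER SEQUENCE")
    if der[1] < 0x80:                       # short-form length
        header_len, body_len = 2, der[1]
    else:                                   # long-form length
        n = der[1] & 0x7F
        header_len, body_len = 2 + n, int.from_bytes(der[2:2 + n], "big")
    if header_len + body_len != len(der):
        raise ValueError("DER length mismatch, the value looks truncated")
    return der


def wrap_public_key(pasted: str) -> str:
    """Return the PEM text to paste into Slack's certificate field."""
    b64 = base64.b64encode(decode_der(pasted)).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([HEADER, *lines, FOOTER]) + "\n"


def sha256_fingerprint(pasted: str) -> str:
    """Fingerprint for confirming both sides hold the same certificate."""
    return hashlib.sha256(decode_der(pasted)).hexdigest()


if __name__ == "__main__":
    print(wrap_public_key(SAMPLE_PUBLIC_KEY))
    print("SHA-256:", sha256_fingerprint(SAMPLE_PUBLIC_KEY))
```

Input that is already wrapped passes through unchanged, so the function is safe to run on a value of unknown state.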
3. Add a SAML SSO provider to Slack
- In Slack, go to Settings & administration > Workspace settings > Authentication.
- Select Configure.
- Turn on Test. Configuration changes will not apply until Configure is turned on.
- Fill in the following fields:
  - Service Provider Issuer URL: Ensure set to https://slack.com.
  - SAML SSO URL: SSO endpoint from application configuration in Cloudflare Zero Trust.
  - Identity Provider Issuer: Access Entity ID or Issuer from application configuration in Cloudflare Zero Trust.
  - Public Certificate: Paste the entire x.509 certificate from step 2. Create an x.509 certificate.
- Under Advanced Options, select Expand.
- For AuthnContextClassRef, ensure urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport is selected.
- Ensure Sign the AuthnRequest is turned off.
- For SAML Response Signing, turn on Sign the Response and Sign the Assertion.
- In the main configuration page under Settings, choose whether SSO is required, partially required, or optional for workspace members.
- (Optional) Under Customize, enter a Sign in Button Label.
- Test your set-up. If all works well, turn Test to Configure.
- In Slack, go to Settings & administration > Organization settings > Security > SSO Settings.
- For SSO name, enter your desired name.
- Fill in the following fields:
  - SAML 2.0 Endpoint URL: SSO endpoint from application configuration in Cloudflare Zero Trust.
  - Identity Provider Issuer URL: Access Entity ID or Issuer from application configuration in Cloudflare Zero Trust.
  - Service Provider Issuer URL: Ensure set to https://slack.com.
  - x.509 Certificate: Paste the entire x.509 certificate from step 2. Create an x.509 certificate.
- For AuthnContextClassRef, ensure urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport is selected.
- Ensure Sign the AuthnRequest is turned off.
- For SAML Response Signing, turn on Sign the Response and Sign the Assertion.
- Select Test Configuration.
- If all works well, select Turn on SSO or Add SSO.