Set up Slack as the SP and EAA as the IdP

This procedure describes how to set up Slack as a service provider (SP) and EAA as the identity provider (IdP).

Complete the following steps to configure Slack as the SP and EAA as the IdP.

How to

  1. Access Slack and click Get Started to create a Slack workspace and a Plus plan account. You must have a Plus account to complete the procedure.
    1. Click Getting Started for workspace creators and follow the steps to create a workspace.
    2. After you register, check your mail for a confirmation code.
    3. Follow the steps to set up a profile and manage your workspace.
  2. Configure EAA as the IdP for a custom SaaS application for Slack but do not deploy the application at this stage.
  3. Configure Slack as the SP.
    1. After you log in to your workspace, click on your workspace name in the top left of the page.
    2. On the menu under name, click Administration>Workplace settings>Authentication.
    3. Click Configure next to SAML authentication and choose your SAML provider.
    4. Click Configure again and fill in the SAML fields using the prepopulated information from the EAA IDP info section under the SAML SETTINGS tab as follows:
      • Enter the SSO URL in the SAML 2.0 Endpoint (HTTP) field
      • Enter the Entity ID in the Identity Provider Issuer field
      • Copy the Signing certificate text and past it into the Public Certificate field.

      Slack SAML fields
    5. Click Expand next to Advanced Options.
      Choose how the SAML response from your IDP is signed. You need an end-to-end encryption key so check the box next to Sign AuthnRequest to show the certificate. You must copy the certificate to complete the EAA IdP configuration.
    6. Check the following: Responses signed, Assertions signed and select the default option password protected transport for AuthnContextClassRef.
    7. Enter https://slack.com as the Service Provider Issuer.
    8. Under the Settings tab, decide if members can edit their profile information (like their email or display name) after SSO is enabled. You can also choose whether SSO is required, partially required* or optional.
    9. Under Customize, enter a Sign In Button label. For example:

      Slack sign-in button
    10. Click Save Configuration to finish.
  4. Go back to the EAA application you started earlier.
    1. In the SAML Settings section under the SAML SETTINGS tab, fill in the following fields:
      • Entity ID
      • SSO (ACS) URL
      • NameID: set to persistent
      • NameID attribute: set to user.email
      • Click the Signed Request checkbox and paste in the Slack certificate from Step 3e into the Request signing certificate field
      • Response Signature Algorithm: set to SHA1.
      • Single Log Out Binding: set to Post
      Here is a sample of the completed SAML Settings configuration:
      Slack EAA SAML settings area
    2. In the Attribute statements section under the SAML SETTINGS tab, add an attribute statement. See Create user attributes in EAA for more information.
    3. Click Save and go to Deployment.
    4. On the DEPLOYMENT tab, click Deploy application.
  5. To verify the IdP initiated setup:
    1. Access the Identity Portal URL and log in using your AD credentials.
    2. Click on the icon for the Slack application. It should open a new tab and provide a user session without requesting login credentials.
    3. When a user logs out of the Identity Portal, the session with the Slack application will expire.
  6. To verify the SP initiated setup:
    1. Access the Slack portal using your domain such as https://eaatalk.slack.com.
    2. Click on the label button instead of entering your username and password. This will open the EAA login portal and you can sign in there.

      Slack EAA sign in