How do I integrate Slack via custom SAML SSO?

Purpose

Your users can use SAML single sign-on (SSO) to sign in to C2 Identity-integrated apps without having to enter their credentials again.

This article will guide you through the setup of SAML SSO for Slack.¹

Notes:

Some instructions are based on those provided by Slack. The actual steps may vary.

Make sure your version of Slack is the Business+ or Enterprise Grid plan. Free editions of Slack cannot be integrated with C2 Identity via SAML SSO.
Get an administrator account (i.e., a workspace owner) for configurations in Slack.

In the C2 Identity admin portal, go to the Application page.
Click Add (or Add Application) > Custom SAML App.
Under Identity provider (IdP) information, select Copy IdP Metadata.
Copy the following information. You will have to enter them in Slack later.
- IdP single sign-on URL: The SAML 2.0 Endpoint (HTTP) in Slack.
- IdP entity ID: The IdP Provider Issuer in Slack.
- X.509 certificate: The Public Certificate in Slack.

Important: Do not close the wizard. You will continue the setup later.

In a separate browser tab, sign in to Slack with an administrator account.
Click on your workspace name in the upper-left corner.
Go to Settings & administration > Workplace settings.
On the Authentication tab, click Configure next to SAML authentication.
Enter the following:
- SAML 2.0 Endpoint (HTTP): The IdP single sign-on URL in C2 Identity.
- IdP Provider Issuer: The IdP entity ID in C2 Identity.
- Public Certificate: The X.509 certificate in C2 Identity. You might need to change the file extension to ".txt" so that you can open the file with a text editor.
Under Advanced Options, configure the following:
- Service Provider Issuer: The SP entity ID in C2 Identity. You will need to enter this information in C2 Identity later.
- Responses Signed: Choose whether or not SAML responses are signed by C2 Identity. A digital signature ensures that responses are not altered in transit.
- Assertions Signed: Choose whether or not SAML assertions are signed by C2 Identity. A digital signature ensures that assertions are not altered in transit.
Click Save Configuration.

Under Service provider (SP) information, configure the following options and click Next:

Option	Action
SP entity ID	Enter the Service Provider Issuer you copied from Slack. The default value is "https://slack.com".
Single sign-on URL	Enter "https://`your_slack_domain`.slack.com/sso/saml".
Name ID format	Select Persistent.
Default name ID	Select Primary email.
SAML response	This option must be configured in the same way as that in Slack. For instance, select Enable if you ticked Responses Signed in Slack.
SAML assertion	This option must be configured in the same way as that in Slack. For instance, select Enable if you ticked Assertions Signed in Slack.

Under User Attribute, add an attribute to link C2 Identity users and Slack users.

Grant a C2 Identity user access to Slack.
Open a private browser window.
Go to Slack and sign in via SAML SSO. You will be redirected to the C2 Identity login page.
Enter the user credentials of the C2 Identity user account.² If the configured SAML SSO works, you will be signed in to Slack.

Notes:

User provisioning is currently unavailable for custom SAML SSO apps.
Instead of your Synology Account, this should be a user account added in C2 Identity.
If you have added an app profile but forgot to configure its settings in Slack, you can still access it at Application > your Slack profile > Configure SP.