Slack - SSO configuration
Please note that this application has not been formally tested by Kelvin Zero Inc. It is provided solely as a reference guide. If you encounter any issues, kindly submit a ticket directly through the support desk.
This documentation provides a step-by-step guide to setting up Single Sign-On (SSO) for Slack using MPAS. SSO simplifies user authentication by allowing access to multiple applications with a single set of credentials. This integration enhances security and improves user experience across your organization
To set up Multi-Pass with Slack, ensure you meet the following requirements:
- Slack admin rights - Workspace Owners and Org Owners
Available on the Business+ and Enterprise plans
Available on the Free and Pro plans if you've connected a Salesforce org to Slack
- MPAS Admin rights
- Make sure that all users intended to use SSO in Slack are registered in your IdP and have the necessary permissions to access Slack.
Important: Custom elements in URLs (like realm names) are case sensitive. Make sure to match the exact casing from your environment.
Slack - SSO configuration
Step 1 - Prepare Slack for integration with MPAS
- Click your workspace name in the top-left corner.
- Hover over Tools & settings, then click Workspace settings.
- Under Administration in the left sidebar, click SSO & authentication.
- For Identity Provider or Custom SAML, click Configure SAML.
- Toggle Test mode ON.
- In SAML SSO URL, enter your SAML 2.0 Endpoint URL from Multi-Pass.
- In Identity Provider Issuer, enter your Multi-Pass Entity ID.
- Copy the entire X.509 Certificate from Multi-Pass and paste it into the Public Certificate field. (You can see where to find it in the next steps)
- Click Advanced Options to expand settings:
- Choose how the SAML response from your IdP is signed.
- If you need an end-to-end encryption key, check Sign AuthnRequest to display Slack’s public encryption key.
- Under Settings, choose whether members can edit their profile after SSO is enabled.
- Select whether SSO is required, partially required, or optional.
- Click Save Configuration.
Step 2 – Configure Multi-Pass with Slack input
- Select your tenant and on the left side click on "Integrations", then "Applications"
- Scroll to "custom integration" section and click on SAML.
- Fill in the fields of the form :
| Field | Value |
|---|---|
| Client ID (=Entity ID) | https://slack.com |
| Name | For example "Slack" |
Description | For example "SSO integration" |
| Assertion Consumer Service URL (=Valid Redirect URIs) | https://yourdomain.slack.com/sso/saml |
| NameID Policy Format | |
| Tenant certificate (x.509 Certificate) | Download (PEM format) and paste it into Slack. |
- Click on "Add integration"
- Now we need to make sure all the information are well completed :
- On the left side, click on "Advanced console"
- Click on client and use the search bar to find Slack
- Now make sure that the fields are completed as follow:
- When you are on the Settings tab, for general settings:
| Field | Value |
|---|---|
| Client ID | https://slack.com |
| Name | Slack |
| Description | SAML SSO integration |
| Always display in UI | On |
- Access settings :
| Field | Value |
|---|---|
| Home URL | https://ca.auth.kzero.com/realms/<TENANT_NAME>/protocol/saml/clients/slack |
| Valid Redirect URIs (ACS) | https://yourdomain.slack.com/sso/saml |
| Valid Post Logout Redirect URIs | (Not supported by Slack SLO – leave empty) |
| IDP‑Initiated SSO URL name | slack |
- SAML Capabilities :
| Field | Value |
|---|---|
| Name ID format | |
| Force name ID format | On |
| Force POST binding | On |
| Include AuthnStatement | On |
- Signature and Encryption :
| Field | Value |
|---|---|
| Sign Assertions | On |
| Sign Documents | Off |
- Click Save and move to the tab "Keys"
- Both parameters have to be switch to OFF
- Move to the tab "Advanced"
- Assertion Consumer Service POST Binding URL = Valid redirect URIs = https://yourdomain.slack.com/sso/saml
Slack does not support Single Logout (SLO) or session duration control from the IdP — configure session duration within Slack if needed.
Ensure the NameID remains consistent and unique for each user over time.
Use Sign AuthnRequest in Slack’s Advanced Options if you require Slack’s public encryption key.
Related Articles
Wrike - SSO configuration
This documentation has been tested and approved by Kelvin Zero's team This documentation provides a step-by-step guide to setting up Single Sign-On (SSO) for Wrike using MPAS. SSO simplifies user authentication by allowing access to multiple ...SAML SSO Integration Guide
This guide provides an overview of how to configure SAML Single Sign-On (SSO) between Multi-Pass and a third-party Service Provider (SP). Multi-Pass acts as the Identity Provider (IdP) in this federation model. Multi-Pass is working on SCIM support ...Grafana - SSO configuration
Please note that this application has not been formally tested by Kelvin Zero Inc. It is provided solely as a reference guide. If you encounter any issues, kindly submit a ticket directly through the support desk. This documentation provides a ...Notion - SSO configuration
Please note that this application has not been formally tested by Kelvin Zero Inc. It is provided solely as a reference guide. If you encounter any issues, kindly submit a ticket directly through the support desk. This documentation provides a ...Addigy - SSO configuration
This documentation has been tested and approved by Kelvin Zero's team This documentation provides a step-by-step guide to setting up Single Sign-On (SSO) for Addigy using MPAS. SSO simplifies user authentication by allowing access to multiple ...