This guide walks through the process of creating an SSO connection between Azure AD and a Slack workspace. Before starting, there are a number of prerequisites:

– You must have created your own Slack environment.
– You are using the Business+ tier with Slack; this is needed for SAML-based SSO.
– You already have your own tenant set up in Azure.

1. Be sure to confirm your workspace has the correct tier by going into your Slack Settings and Permissions and opening the Authentication tab.

2. Log into Azure, navigate to Azure AD and select Enterprise Apps. Add a new application here via New application.

3. Search for Slack as an application and select it once found. Once you’ve selected the app, be sure to name it appropriately.

4. Go back into Enterprise Apps and select your new app.

5. Once selected, click on “Single sign-on”.

6. Click on the basic SAML configuration.

7. Enter your workspace’s specific domain into Entity ID, Reply URL and Sign on URL. Your address will look similar to https://yourslackinstance.slack.com. IMPORTANT: be sure to delete the pre-filled https://Slack.com entry before saving the changes or you will run into issues.

8. Next, select edit on the attributes and click on User.Email; you will need to change this value to User.principalname, then hit save.

9. Next, click on edit on the SAML certificate; we will need to generate a new SAML assertion certificate signed with SHA-256 and save it.

10. We will now need to create a group that will be automatically provisioned and deprovisioned. To do this, go into Users and groups from the left-hand side, then click on Provisioning. Switch this from Manual to Automatic and save.

11. Now we will need to authorize. After you save you should see a pop-up; be sure to approve it. Once you have, test the connection and save it.

12. Once the connection is successful and saved, toggle the provisioning status to On; you will find this in the Provisioning section you were in earlier. If this doesn’t work on your first try, do not be too concerned: it can take a few attempts to complete correctly, and the first sync can take up to 30 minutes to run.

13. We will then need to go back into Azure AD and select App registrations. Select the app you have been working on, go to API permissions and add a permission.

14. Under APIs, select the third option and select the API for your instance; once selected, hit save.

15. We will then need to add one more permission. Go to Add a permission again, choose Microsoft Graph and select Delegated permissions. We will then choose openid and User.Read.

16. You will then need to grant consent with the tenant admin account, similar to the image in step 13.

17. Now we must return to the app. Go to Azure AD, select Enterprise Apps and find the app. From here select Single sign-on, where you will need to download the Base64 certificate and copy the Login URL and the Azure AD Identifier URL.

18. Now it’s time to set things up on the Slack side. First go to your Slack instance, go into Settings and Permissions and navigate to the Authentication tab.

19. Click on the Change settings button next to SAML authentication settings; you will see a menu which asks for SAML SSO URL, Identity Provider Issuer, etc. Put the Login URL into SAML SSO URL and the Azure AD Identifier into Identity Provider Issuer.

20. After you’ve completed this, expand Advanced options and confirm that your FQDN Slack name is in the “Service Provider Issuer” field.

21 (optional). Now, under the Settings tab, select “It’s optional” under “Authentication for your workspace must be used by:”, or change this to fit your needs.

22 (optional). Customise your sign-in button and save.
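Before testing the login, it is worth checking that the values from steps 7, 8 and 20 agree with each other, since a leftover https://slack.com identifier or a Service Provider Issuer that does not match the Entity ID will make the assertion fail Slack’s audience check. The lint below is an added example, not part of this guide or of any Microsoft or Slack tooling; it assumes the full attribute name `user.userprincipalname` for the NameID source and uses constructed sample URLs.

```python
from urllib.parse import urlparse


def check_slack_saml_config(workspace_url, entity_ids, reply_url, sign_on_url,
                            nameid_source, sp_issuer):
    """Lint the values entered in Azure AD 'Basic SAML Configuration' (step 7),
    the NameID mapping (step 8) and Slack's Service Provider Issuer (step 20).
    Returns a list of problem strings; an empty list means nothing was flagged."""
    problems = []
    host = urlparse(workspace_url).hostname or ""
    if not host.endswith(".slack.com") or host == "slack.com":
        problems.append(f"workspace URL must be https://<workspace>.slack.com, got {workspace_url}")

    def must_match_workspace(label, url):
        parsed = urlparse(url)
        if parsed.scheme != "https":
            problems.append(f"{label} must use https: {url}")
        if parsed.hostname != host:
            problems.append(f"{label} host {parsed.hostname!r} is not the workspace host {host!r}")

    # Step 7: the pre-filled https://slack.com identifier must be deleted, otherwise
    # the audience Azure AD puts in the assertion is not the workspace Slack expects.
    if not entity_ids:
        problems.append("no Entity ID configured")
    for eid in entity_ids:
        if urlparse(eid).hostname == "slack.com":
            problems.append(f"default identifier {eid} still present: delete it before saving")
        else:
            must_match_workspace("Entity ID", eid)
    must_match_workspace("Reply URL", reply_url)
    must_match_workspace("Sign on URL", sign_on_url)

    # Step 8: Slack's NameID must come from the UPN attribute, not user.mail.
    if nameid_source.lower() != "user.userprincipalname":
        problems.append(f"NameID source is {nameid_source}, expected user.userprincipalname")

    # Step 20: the Service Provider Issuer Slack sends must equal the workspace
    # Entity ID Azure AD issues the assertion for.
    workspace_ids = [e.rstrip("/") for e in entity_ids if urlparse(e).hostname != "slack.com"]
    if sp_issuer.rstrip("/") not in workspace_ids:
        problems.append(f"Service Provider Issuer {sp_issuer} does not match the workspace Entity ID")
    return problems


if __name__ == "__main__":
    # Constructed sample values, not taken from a real tenant or workspace.
    ws = "https://yourslackinstance.slack.com"
    for problem in check_slack_saml_config(ws, [ws], ws, ws, "user.userprincipalname", ws):
        print(problem)
```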

Note: these steps reflect the portal as it looks at the time of publishing; Microsoft is known for updating and making changes to its UI.
