I was working on an Identity Service setup for an upcoming event and was attempting to set up Slack via our SAML Template (not the form fill option).
I had gotten it to work back in November 2016 for CA World with a custom SAML configuration, though some duct tape behind the scenes was needed to make it work. There were no pre-defined connectors at that time.
It appears that Slack made some changes to their SAML infrastructure and the manual method that worked for CA World was no longer working, and neither was the current template.
CA also came out with a SAML connector to make the setup much easier.
Despite the new connector, I still ran into some trouble after following the steps provided in DocOps. I'm providing the steps here that work as of today (2017-05-12) so that others who may need it can have it for reference as the steps in DocOps are not quite right.
Note: Slack (and many other web services) only provide a SAML SSO option for paid accounts. If you don't have a paid account, the process will not work for you.
Thanks to chomu03 for helping flesh out the details with me. He was a huge help. He's already documented what needs to be updated in the DocOps Slack configuration guide. A Rally ticket has already been created with details to update the DocOps site (https://rally1.rallydev.com/#/44814455427d/detail/defect/117181427912?fdp=true).
For Slack, you don't need the CA IS metadata file. This isn't obvious at first because the CA IS workflow takes you to the metadata download page right after you start configuring the SAML app for Slack. I also learned that the Slack required attributes of NameID and User.Email aren't in the metadata file anyway. They are provided by CA IS in the SAML assertion generated by our SaaS IDP. Slack doesn't provide a way to upload the CA IS metadata file anyway.
So how do you configure Slack to work with CA IS? Let's find out!
1. If you are logged into Slack, log out, clear your browser history and cache, quit the browser, then re-open it. This will prevent unnecessary errors and keep you from going down rabbit holes that have nothing to do with the CA IS or Slack configurations.
2. In a separate browser, or in the same browser but in a private session, log into the CA ID Service tenant with a user that has rights to add applications and go through the SAML app onboarding flow for Slack (Apps>Add App>Slack). We don't need to do anything on the Slack side yet.
3. In CA IS, enter your Slack team name and the email domain used by your users, then click the Save button.
Note: the Team entry on the ID Service App Connection Settings should be just the Slack team name, without the ".slack.com" domain at the end.
Example: "ca_rocks" vs. "ca_rocks.slack.com"
If you type in the full team name, Slack may return an error message like this:
"SSO has not been enabled. The SAML Response does not contain the correct Audience. Please check that the Service Provider URL in your Identity Provider settings matches the Service Provider Issuer in Advanced Options below."
This is because, underneath the covers, the ID Service appends ".slack.com" to the Slack team name for you. If you enter the full team name, the ID Service will end up sending "ca_rocks.slack.com.slack.com" to the Slack Service Provider, and the audience in the assertion no longer matches the Service Provider Issuer, which results in the audience error.
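To make the audience error concrete, here is an added example (not code from the post, CA or Slack) that builds the Audience the IdP would emit for a given Team field entry and checks it against the Service Provider Issuer configured in Slack, the comparison Slack's error message refers to. The `https://<team>.slack.com` audience form and the minimal unsigned assertion are assumptions made for the sample; the team name "ca_rocks" is taken from the note above.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# What you would type into Slack's Service Provider Issuer field (step 20 below).
SP_ISSUER = "https://ca_rocks.slack.com"


def idp_audience_for(team_entry: str) -> str:
    """Audience the ID Service would emit for a Team field entry.

    Mirrors the behaviour the post describes: ".slack.com" is always appended,
    so an entry that already carries the domain gets it twice.  The scheme and
    URL form are an assumption for this example."""
    return f"https://{team_entry}.slack.com"


def build_assertion(audience: str) -> str:
    """Constructed sample assertion (unsigned, only the Conditions element)."""
    return (
        '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
        "<saml:Conditions><saml:AudienceRestriction>"
        f"<saml:Audience>{audience}</saml:Audience>"
        "</saml:AudienceRestriction></saml:Conditions></saml:Assertion>"
    )


def audiences_in(assertion_xml: str) -> list:
    """Every Audience value inside the assertion's AudienceRestriction."""
    root = ET.fromstring(assertion_xml)
    path = ".//saml:Conditions/saml:AudienceRestriction/saml:Audience"
    return [(el.text or "").strip() for el in root.findall(path, SAML_NS)]


def audience_matches(assertion_xml: str, sp_issuer: str) -> bool:
    """True only when the configured SP Issuer is an allowed audience.

    A service provider must reject assertions whose AudienceRestriction does
    not name it; this is the check that fails with the doubled suffix."""
    return sp_issuer in audiences_in(assertion_xml)


if __name__ == "__main__":
    for entry in ("ca_rocks", "ca_rocks.slack.com"):
        aud = idp_audience_for(entry)
        ok = audience_matches(build_assertion(aud), SP_ISSUER)
        print(f"Team field {entry!r:22} -> Audience {aud:44} match={ok}")
```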
4. Once the Slack SAML app is saved, go back to add a rule to the ID Service Slack App to the user you're logged in as (Apps > Slack App Name > Rules).
In the screenshot below, my account had already been provisioned with Slack access when the screenshot was taken, which is why it says, "Shawn Hank's existing account will remain unchanged."
If you test with an account that previously didn't have access to an app, the message will indicate that access to the app will be granted.
Question: Why do we have to do it in this order?
Because Omi said so! Just kidding.
The reason comes down to a simple order of operations. Slack doesn't let you save a SAML configuration until it receives a successful test from the upstream Identity Provider, in this case, CA IS. And CA IS will not issue a SAML assertion to Slack for the logged in CA IS user if he/she doesn't have access to the CA IS app. The only way to give the user access to the CA IS Slack App is by creating the rule first.
5. Once the Slack rule is created for your logged in CA IS users, go back to the CA IS Slack App configuration (Apps > Slack [or whatever label you've given it] > Configure).
6. Click on IDP Information under Single Sign-On on the left-hand side of the UI.
7. Click the "Enter Metadata Manually," radio button, and a hidden set of options are exposed.
8. If you are not logged into Slack in a different browser or a private session in the same browser, do so now. Be sure you are logged in with an account that has admin rights to change the authentication method in the Slack back end.
Note: You must be on a paid tier to use SAML with Slack.
9. Once logged into Slack, navigate to the Options menu by clicking on your username in the upper left corner. Then click on Team Settings.
10. Now you are on the Settings and Permissions page. Click on the Authentication Tab.
11. Click the Green Configure button to the far right of the SAML Authentication option.
12. Optionally, you can click on the green Configure slider to put the Slack SAML configuration into Test mode. Test mode will not allow you to save the settings, but you can keep adjusting settings until Slack tests SAML successfully.
13. Back in the CA IS UI, copy the IDP Login URL from the CA IS Manual Metadata entry and paste it into the "SAML 2.0 Endpoint (HTTP)" in the Slack UI.
14. While still in the Slack UI, on the Configure SAML Authentication page, enter "https://security.com" as the Identity Provider Issuer in Slack.
15. In the CA IS UI, while still on the Manual Metadata page, click on the green button to download the certificate that will be used to sign the assertion.
16. Open the certificate file in a plain-text editor such as Notepad, Notepad++ or Sublime Text, not Word or a similar word processor.
17. Select all (CTRL+A or CMD+A) and copy (CTRL+C or CMD+C) the contents of the CA IS certificate.
18. Go back to the Slack UI and paste the contents of your clipboard containing the CA IS certificate into the Public Certificate text box.
19. While still in Slack, click the Expand button in the Advanced options section.
Note that I've selected to have Assertions signed with the pasted certificate contents. You can also choose Responses signed or select both options as well.
20. While still in Slack, enter your full Slack team URL into the Service Provider Issuer field (e.g. https://ca-rocks.slack.com)
21. Optionally, in the Customize section of Slack, you can modify the text of the Slack sign-in button shown when you perform an SP-initiated login from your Slack home page.
The resulting Slack team login page will look similar to this:
Note: The Slack security settings can be configured to only allow login via SAML, or have SAML be an option along with Email and Password. 2FA can also be configured if using Email and password option.
22. If you opted to use the Slack Test mode in Step 8, above, the Save Configuration option will be disabled. Click the Test Configuration button to test the SAML settings you've just configured.
23. If you've followed all these steps, you should get a message that looks similar to this:
24. Slide the SAML Authentication Slider (in the upper right corner) from Test to Configure and save the working configuration.
25. The Test Configuration option disappears at the bottom of the page, leaving only the Save Configuration option.
26. Press the "Save Configuration" button.
27. Slack will attempt to connect to the CA IS service. You may see the page load the CA IS login page for your tenant. Log in with your CA IS credentials, and let Slack finish testing.
Note: If you are using the same browser to configure Slack and the CA IS Service, your CA IS Service credentials may be cached and you will not see a CA IS login window.
28. When it works, you will see a "Your new authentication settings have been verified and enabled" banner at the top of the Slack UI, just below the Settings & Permissions header.
29. Slack & CA IS SAML configuration is complete, and you can now perform SP or IDP initiated logins to Slack.
Remember that SAML SSO is a paid option and that this configuration is only available to those with paid accounts.
It also goes without saying that these settings are subject to change at any time. This post documents what works as of today, 2017-05-12.
Let us know via the Reply option below how this works for you.