How to secure Slack
To configure Slack with XFA you need the Business+ or Enterprise license that includes the SAML-based single sign-on (SSO) feature. You can find more information about the different licenses here.
Slack's SSO feature uses SAML 2.0, which lets you chain XFA between Slack and your identity provider so that device security is checked before a user is allowed to log in. This guide describes every step needed to link Slack to your identity provider through XFA.
Note: This article assumes that you have an account set up with XFA for your organization and that you are an admin for that organization. If you do not have an account, you can create one at https://dashboard.xfa.tech/signup.
Configure Slack in your identity provider
Use our specific identity provider guides to learn how to set up an application with the following settings.
Entity ID: https://slack.com
ACS URL / Redirect URL: https://device-api.xfa.tech/saml2/consume
Signed Response: false
Note that the ACS URL / Redirect URL is different from the standard Slack configuration: because XFA sits between your identity provider and Slack, the identity provider sends its response to XFA rather than directly to Slack.
Creating an application in XFA
A guide on how to create an application in XFA can be found here.
Assertion Consumer Service URL: https://<your-slack-domain>.slack.com/sso/saml
SSO URL: (provided by identity provider)
Entity ID: (provided by identity provider)
Certificate: (provided by identity provider)
Configure Slack with XFA
1. Log in to your Slack Workspace Admin portal
Click on (your workspace) > Tools & Settings > Workspace settings.
Make sure you are on the right workspace and have the necessary permissions to configure SSO.
2. Go to Settings & Permissions > Authentication > SAML Authentication > Configure
3. Switch into 'Test' mode
Next to "Configure SAML Authentication", click on the "Configure" switch to enable test mode. This will allow you to test the configuration before activating it.
4. Configure SAML settings
Make sure to select 'SAML Authentication'
Use the following settings to configure Slack with XFA.
SAML 2.0 Endpoint (HTTP): (SSO URL from XFA application)
Identity Provider Issuer: (Issuer from XFA application)
Public certificate: (Certificate from XFA application)
Advanced Settings:
Sign AuthnRequest: false
Responses Signed: false
Assertions Signed: true
Make sure to select only 'Assertions Signed' and not 'Responses Signed'.
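If the test login in the next step fails, the quickest diagnosis is to capture the SAML Response that arrives at Slack (for example with a browser SAML tracer) and compare it against the values entered in step 4. The following added example, which is not XFA's or Slack's code, does that comparison: it checks that Destination matches the Slack ACS URL, that the Issuer matches the Identity Provider Issuer, that the Audience is Slack's Entity ID (https://slack.com), and that the Assertion element itself carries a signature, as the 'Assertions Signed' setting requires, while a Response-level signature is not required. The workspace domain, issuer URL, user and signature value in the sample are constructed placeholders. It does not verify the XML signature cryptographically; Slack does that with the certificate you pasted.

```python
"""Compare a captured SAML 2.0 Response against the Slack/XFA settings.

Added example, not part of the XFA or Slack documentation. The sample
response below is constructed; replace the EXPECTED values with the ones
from your own XFA application and workspace.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Values as configured in this guide (workspace domain and issuer are placeholders).
EXPECTED = {
    "acs_url": "https://example-workspace.slack.com/sso/saml",  # Slack ACS URL
    "issuer": "https://idp.example.test/xfa-issuer",            # Issuer from XFA application
    "entity_id": "https://slack.com",                           # Slack Entity ID
}


def check_saml_response(xml_text, expected):
    """Return a list of problems; an empty list means the response matches."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        return ["root element is not samlp:Response"]
    problems = []

    # Slack only accepts responses addressed to its own ACS URL.
    dest = root.get("Destination")
    if dest != expected["acs_url"]:
        problems.append(f"Destination {dest!r} != Slack ACS URL {expected['acs_url']!r}")

    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        problems.append("StatusCode is not Success")

    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        problems.append("no plaintext saml:Assertion (encrypted assertions are not handled here)")
        return problems

    # The assertion's Issuer must equal the 'Identity Provider Issuer' setting.
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS)
    if issuer != expected["issuer"]:
        problems.append(f"Assertion Issuer {issuer!r} != configured issuer {expected['issuer']!r}")

    # The audience restriction must name Slack's Entity ID.
    audiences = [a.text for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if expected["entity_id"] not in audiences:
        problems.append(f"Audience {audiences!r} does not include {expected['entity_id']!r}")

    # 'Assertions Signed: true' means the Assertion element itself must be signed.
    if assertion.find("ds:Signature", NS) is None:
        problems.append("Assertion is not signed ('Assertions Signed' is enabled in Slack)")
    # A Response-level ds:Signature is optional with 'Responses Signed: false'; not checked.
    return problems


# Constructed sample of a well-formed response; signature value is a placeholder.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_resp1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"
    Destination="https://example-workspace.slack.com/sso/saml">
  <saml:Issuer>https://idp.example.test/xfa-issuer</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_a1" Version="2.0"
      IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://idp.example.test/xfa-issuer</saml:Issuer>
    <ds:Signature><ds:SignedInfo/><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
    <saml:Subject><saml:NameID>alice@example.test</saml:NameID></saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>https://slack.com</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

# Same response with the assertion signature stripped: the common misconfiguration
# where only 'Responses Signed' was selected on the IdP side.
UNSIGNED_ASSERTION_RESPONSE = SAMPLE_RESPONSE.replace(
    "<ds:Signature><ds:SignedInfo/><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>", "")

if __name__ == "__main__":
    print("good response:", check_saml_response(SAMPLE_RESPONSE, EXPECTED))
    print("unsigned assertion:", check_saml_response(UNSIGNED_ASSERTION_RESPONSE, EXPECTED))
```

Run it against a real capture by replacing SAMPLE_RESPONSE with the decoded SAMLResponse parameter and EXPECTED with your own values; each reported problem points at the Slack setting (or IdP-side setting) that does not agree with what the identity provider chain actually emits.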
5. Test configuration
Click on Test Configuration to test the configuration. You should be redirected to your identity provider to log in, after which XFA checks your device security before sending you back to Slack.
6. Turn off test mode
Once the test is successful, turn off test mode by clicking on the "Configure" switch again. This activates the configuration, and your users will now be asked to verify their device security with XFA in addition to their identity before they can log in to Slack.
7. Configure onboarding experience
You can start by making the SSO login optional by specifying "It's optional" under "Authentication for your workspace must be used by:". This will allow you to test the configuration with a few users before making it mandatory for everyone. You can switch to "All workspace members, except guest accounts" once you are confident that the configuration is working as expected.
You can also configure a "Custom Label" under "Customize" to make it clear to your users that they need to verify their device security with XFA before they can login. We recommend using "(your SSO + XFA)" as the custom label.
8. Activate the configuration
Click on "Save Configuration" to save the configuration. Your users will now be asked to verify their device security with XFA in addition to their identity before they can log in to Slack.
You might want to also configure a "Session Duration" under Settings & Permissions > Authentication to control how often your users need to verify their device security with XFA. Note that to enforce a session duration on mobile devices, currently the Enterprise or Enterprise Grid plan is required.
For workspaces on the Business+ plan, the session duration is only enforced on desktop devices (web and desktop app). Until that changes, we recommend regularly reminding your users to verify their device security with XFA on mobile devices, or regularly using 'Force logout' for all users from the admin panel to enforce the session duration.