Skip to main content

How to secure Slack

License requirements

To configure Slack with XFA you need the Business+ or Enterprise license that includes the SAML-based single sign-on (SSO) feature. You can find more information about the different licenses here.

Slack' SSO feature uses SAMLv2 which can be used to chain XFA with your identity provider to check device security before allowing a user to login. This guide will describe all steps needed to link Slack to your identity provider with XFA.

Note: This article assumes that you have an account set up with XFA for your organization and your are an admin for that organization. If you do not have an account, you can create one at https://dashboard.xfa.tech/signup.

Configure Slack in your identity provider

Use our specific identity provider guides to learn how to setup an application with the provided settings.

SAML Application Settings in IDP

Entity ID: https://slack.com
ACS URL / Redirect URL: https://device-api.xfa.tech/saml2/consume
Signed Response: false

warning

The ACS URL / Redirect URL is different than the standard Slack configuration

Creating an application in XFA

A guide on how to create an application in XFA can be found here.

Settings to use in XFA

Assertion Consumer Service URL: https://<your-slack-domain>.slack.com/sso/saml
SSO URL: (provided by identity provider)
Entity ID: (provided by identity provider)
Certificate: (provided by identity provider)\

Configure Slack with XFA

1. Login to your Slack Workspace Admin portal

Click on (your workspace) > Tools & Settings > Workspace settings.

warning

Make sure you are on the right workspace and have the necessary permissions to configure SSO.

2. Go Settings & Permissions > Authentication > SAML Authentication > Configure

3. Switch into 'Test' mode

Next to "Configure SAML Authentication", click on the "Configure" switch to enable test mode. This will allow you to test the configuration before activating it.

4. Configure SAML settings

warning

Make sure to select 'SAML Authentication'

Use the following settings to configure Slack with XFA.

Settings to use in Monday.com

SAML 2.0 Endpoint (HTTP): (SSO URL from XFA application)
Identity Provider Issuer: (Issuer from XFA application)
Public certificate: (Certificate from XFA application)\

Advanced Settings: Sign AuthnRequest: false Responses Signed: false Assertions Signed: true

warning

Make sure to only select 'Assertions Signed' and not 'Responses Signed'

5. Test configuration

Click on Test Configuration to test the configuration. You should be redirected to your identity provider to login, after which your device security will be checked by XFA before coming back to Slack.

6. Turn off test mode

Once the test is successful, turn off test mode by clicking on the "Configure" switch again. This will activate the configuration and your users will now be asked to verify their device security with XFA in addition to their identity before they can login to Slack.

7. Configure onboarding experience

You can start by making the SSO login optional by specifying "It's optional" under "Authentication for your workspace must be used by:". This will allow you to test the configuration with a few users before making it mandatory for everyone. You can switch to "All workspace members, except guest accounts" once you are confident that the configuration is working as expected.

info

You can also configure a "Custom Label" under "Customize" to make it clear to your users that they need to verify their device security with XFA before they can login. We recommend using "(your SSO + XFA)" as the custom label.

8. Activate the configuration

Click on "Save Configuration" to save the configuration. Your users will now be asked to verify their device security with XFA in addition to their identity before they can login to Slack.

info

You might want to also configure a "Session Duration" under Settings & Permissions > Authentication to control how often your users need to verify their device security with XFA. Note that to enforce a session duration on mobile devices, currently the Enterprise or Enterprise Grid plan is required.

For users that are on the Business+ plan, the session duration will only be enforced on desktop devices (web and desktop app), we currently recommend to regularly remind your users to verify their device security with XFA on mobile devices or to regularly 'Force logout' all users from the admin panel to enforce the session duration.