SAML Auth Issue with Slack

does anyone know how to connect zitadel to slack? like use zitadel as the idp for slack to enable sso
12 Replies
Ask Inkeep, 2mo ago
Hi @Moisty Charlie VI, I'm an AI assistant for ZITADEL. While a team member reviews this question, I'll see if I can find relevant sources for your question.

Answer

I wasn't able to find a direct answer, here are some relevant sources:
1. Authenticate users with SAML: This provides comprehensive information about SAML authentication with ZITADEL, including common terms, workflow, and implementation best practices.
2. SAML Endpoints in ZITADEL: Details the specific SAML endpoints available in ZITADEL for integration.

Feel free to tag @Ask Inkeep with additional questions.
Moisty Charlie VI (OP), 2mo ago
AuthnIdentity
YouTube
How to Integrate Slack SSO with AuthnIdentity IdP (Step-by-Step Guide)
🚀 Learn how to integrate Slack with AuthnIdentity as your SAML Identity Provider (IdP) In this step-by-step video, you’ll see exactly how to: ✅ Set up a Slack SAML application in AuthnIdentity
✅ Configure SAML settings, including ACS URL, Entity ID, and certificates
✅ Connect Slack with your IdP
✅ Test and verify the SSO ...
Ask Inkeep, 2mo ago
Got it. Tagging @Rajat for additional help.
Moisty Charlie VI (OP), 2mo ago
but i see this when i try to log in
Moisty Charlie VI (OP), 2mo ago
here's my xml document
<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://slack.com">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol">

    <!-- Specify the supported NameID format -->
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>

    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://[YOUR-WORKSPACE].slack.com/sso/saml" index="0"/>

    <!-- Attribute Consuming Service to specify required and optional attributes -->
    <md:AttributeConsumingService index="0" isDefault="true">
      <md:ServiceName xml:lang="en">Slack SSO Service</md:ServiceName>

      <!-- Required Email Attribute -->
      <md:RequestedAttribute Name="User.Email"
                             NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
                             isRequired="true" />

      <!-- Optional Username Attribute -->
      <md:RequestedAttribute Name="User.Username"
                             NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
                             isRequired="false" />

      <!-- Optional First Name Attribute -->
      <md:RequestedAttribute Name="first_name"
                             NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
                             isRequired="false" />

      <!-- Optional Last Name Attribute -->
      <md:RequestedAttribute Name="last_name"
                             NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
                             isRequired="false" />

    </md:AttributeConsumingService>

  </md:SPSSODescriptor>
</md:EntityDescriptor>
Moisty Charlie VI (OP), 2mo ago
No description
Moisty Charlie VI (OP), 2mo ago
@Rajat any idea what would be happening with the authorization issues?
Rajat, 2mo ago
hey @Moisty Charlie VI I have to check w/ my team about it, thanks for your question, I will get back to you
Moisty Charlie VI (OP), 2mo ago
I just fixed it with a quick chat with Slack support. The main issues were: "Either the SAML assertion or the response has to be signed. The error came up because the "Sign the response" checkbox in your Slack configuration is checked despite the response not being signed. Is the assertion signed? If so you should be able to uncheck "Sign the response" and keep "Sign the assertion" checked."
(9:25:09 AM) Support Agent: Based on the logs, I can see that we're receiving an 'idp_config_not_found' error. Still digging into this but it may be related to the IdP side of things.

(9:25:56 AM) Support Agent: Can you update the Identity Provider Issuer URL in Slack to match the one from your IdP and test the configuration?

(9:27:08 AM) Support Agent: Try entering this URL in your Slack configuration and test again: https://login.****.***/saml/v2/metadata

(9:28:17 AM) User: Would this be the provider issuer URL? https://login.****.***/saml/v2/metadata

(9:28:33 AM) Support Agent: Yes, that’s correct.
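
The two mismatches named in this thread (the "Sign the response" / "Sign the assertion" settings versus what the IdP actually signed, and the Identity Provider Issuer URL) can be checked on a captured SAMLResponse. The following is an added example, not code from the thread, Slack or ZITADEL; the sample response, the idp.example.test issuer and both function names are constructed for illustration.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample: Response unsigned, Assertion signed. The ds:Signature is an
# empty stand-in; the issuer host is a placeholder, not a value from the thread.
SAMPLE_XML = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"'
    ' xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"'
    ' xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1" Version="2.0">'
    '<saml:Issuer>https://idp.example.test/saml/v2/metadata</saml:Issuer>'
    '<saml:Assertion ID="_a1" Version="2.0">'
    '<saml:Issuer>https://idp.example.test/saml/v2/metadata</saml:Issuer>'
    '<ds:Signature/>'
    '</saml:Assertion></samlp:Response>')
SAMPLE_B64 = base64.b64encode(SAMPLE_XML.encode()).decode()


def inspect_saml_response(b64_response):
    """Report the Issuer and which elements carry a ds:Signature child.
    Structure only: this does not validate any signature."""
    root = ET.fromstring(base64.b64decode(b64_response))
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("not a samlp:Response")
    assertions = root.findall("saml:Assertion", NS)
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS).strip()
    return {
        "issuer": issuer,
        # Direct children only, so an Assertion's signature is not
        # mistaken for a signature over the whole Response.
        "response_signed": root.find("ds:Signature", NS) is not None,
        "assertion_signed": bool(assertions) and all(
            a.find("ds:Signature", NS) is not None for a in assertions),
    }


def check_against_sp(info, expected_issuer, sign_response, sign_assertion):
    """Compare what the IdP sent with the SP-side settings; return mismatches."""
    problems = []
    if sign_response and not info["response_signed"]:
        problems.append("SP expects a signed Response; Response has no ds:Signature")
    if sign_assertion and not info["assertion_signed"]:
        problems.append("SP expects a signed Assertion; Assertion has no ds:Signature")
    if not (info["response_signed"] or info["assertion_signed"]):
        problems.append("neither Response nor Assertion is signed")
    if info["issuer"] != expected_issuer:  # exact match, no normalisation
        problems.append("Issuer %r != configured %r" % (info["issuer"], expected_issuer))
    return problems
```

Feed it the base64 `SAMLResponse` form field from your own failed login attempt; it only reports where signatures sit and never verifies them, so it is a configuration check, not a trust decision.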
Gigi the Giraffe (Zitadel)
🎉 Looks like you just helped out another community member! Thanks for being so helpful <@1042554653423964300>! You're now one step closer to leveling up—keep up the amazing peer support! 🚀
Gigi the Giraffe (Zitadel)
@Moisty Charlie VI, you cannot mark your own questions as solved.