SAML Auth Issue with Slack

Moisty Charlie VI · 2025-09-13T20:55:28.622Z

nidoes anyone know how to connect zitadel to slack? like use zitadel as the idp for slack to enable sso

A

Ask Inkeep•9/13/25, 8:55 PM

Hi @Moisty Charlie VI, I'm an AI assistant for ZITADEL. While a team member reviews this question, I'll see if I can find relevant sources for your question.

A

Ask Inkeep•9/13/25, 8:55 PM

Answer

I wasn't able to find a direct answer, here are some relevant sources:

Authenticate users with SAML : This provides comprehensive information about SAML authentication with ZITADEL, including common terms, workflow, and implementation best practices.
SAML Endpoints in ZITADEL : Details the specific SAML endpoints available in ZITADEL for integration.

A

Ask Inkeep•9/13/25, 8:55 PM

A

Ask Inkeep•9/13/25, 8:55 PM

Feel free to tag @Ask Inkeep with additional questions.

M

Moisty Charlie VIOP•9/13/25, 8:58 PM

i followed this guide https://www.youtube.com/watch?v=brbQuq4nmaA&ab_channel=AuthnIdentity

YouTubeAuthnIdentity

How to Integrate Slack SSO with AuthnIdentity IdP (Step-by-Step Guide)

Learn how to integrate Slack with AuthnIdentity as your SAML Identity Provider (IdP)

In this step-by-step video, you’ll see exactly how to:

Set up a Slack SAML application in AuthnIdentity

Configure SAML settings, including ACS URL, Entity ID, and certificates

Connect Slack with your IdP

Test and verify the SSO ...

AAsk Inkeep Empty message

A

Ask InkeepAPP•9/13/25, 8:58 PM

Got it. Tagging @Rajat for additional help.

M

Moisty Charlie VIOP•9/13/25, 8:58 PM

but i see this when i try to log in

M

Moisty Charlie VIOP•9/13/25, 8:58 PM

https://media.discordapp.net/attachments/1019901852235616316/1416503040483266611/Screenshot_2025-09-13_at_4.17.09_PM.png?ex=68c714c2&is=68c5c342&hm=b9d606d203344fc08c76f6f6e9bfcc7c57cefad0d4e78032d9ebb23b67fc1bdb&=&format=webp&quality=lossless&width=3360&height=786

M

Moisty Charlie VIOP•9/13/25, 8:58 PM

heres my xml document

M

Moisty Charlie VIOP•9/13/25, 8:59 PM

<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://slack.com">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol">
        
        <!-- Specify the supported NameID format -->
        <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
        
        <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://[YOUR-WORKSPACE].slack.com/sso/saml" index="0"/>
        
        <!-- Attribute Consuming Service to specify required and optional attributes -->
        <md:AttributeConsumingService index="0" isDefault="true">
            <md:ServiceName xml:lang="en">Slack SSO Service</md:ServiceName>
            
            <!-- Required Email Attribute -->
            <md:RequestedAttribute Name="User.Email" 
                                 NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" 
                                 isRequired="true" />
            
            <!-- Optional Username Attribute -->
            <md:RequestedAttribute Name="User.Username" 
                                 NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" 
                                 isRequired="false" />
            
            <!-- Optional First Name Attribute -->
            <md:RequestedAttribute Name="first_name" 
                                 NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" 
                                 isRequired="false" />

<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://slack.com">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol">
        
        <!-- Specify the supported NameID format -->
        <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
        
        <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://[YOUR-WORKSPACE].slack.com/sso/saml" index="0"/>
        
        <!-- Attribute Consuming Service to specify required and optional attributes -->
        <md:AttributeConsumingService index="0" isDefault="true">
            <md:ServiceName xml:lang="en">Slack SSO Service</md:ServiceName>
            
            <!-- Required Email Attribute -->
            <md:RequestedAttribute Name="User.Email" 
                                 NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" 
                                 isRequired="true" />
            
            <!-- Optional Username Attribute -->
            <md:RequestedAttribute Name="User.Username" 
                                 NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" 
                                 isRequired="false" />
            
            <!-- Optional First Name Attribute -->
            <md:RequestedAttribute Name="first_name" 
                                 NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" 
                                 isRequired="false" />

<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://slack.com">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol">
        
        <!-- Specify the supported NameID format -->
        <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
        
        <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://[YOUR-WORKSPACE].slack.com/sso/saml" index="0"/>
        
        <!-- Attribute Consuming Service to specify required and optional attributes -->
        <md:AttributeConsumingService index="0" isDefault="true">
            <md:ServiceName xml:lang="en">Slack SSO Service</md:ServiceName>
            
            <!-- Required Email Attribute -->
            <md:RequestedAttribute Name="User.Email" 
                                 NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" 
                                 isRequired="true" />
            
            <!-- Optional Username Attribute -->
            <md:RequestedAttribute Name="User.Username" 
                                 NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" 
                                 isRequired="false" />
            
            <!-- Optional First Name Attribute -->
            <md:RequestedAttribute Name="first_name" 
                                 NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" 
                                 isRequired="false" />

<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://slack.com">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol">
        
        <!-- Specify the supported NameID format -->
        <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
        
        <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://[YOUR-WORKSPACE].slack.com/sso/saml" index="0"/>
        
        <!-- Attribute Consuming Service to specify required and optional attributes -->
        <md:AttributeConsumingService index="0" isDefault="true">
            <md:ServiceName xml:lang="en">Slack SSO Service</md:ServiceName>
            
            <!-- Required Email Attribute -->
            <md:RequestedAttribute Name="User.Email" 
                                 NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" 
                                 isRequired="true" />
            
            <!-- Optional Username Attribute -->
            <md:RequestedAttribute Name="User.Username" 
                                 NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" 
                                 isRequired="false" />
            
            <!-- Optional First Name Attribute -->
            <md:RequestedAttribute Name="first_name" 
                                 NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" 
                                 isRequired="false" />

M

Moisty Charlie VIOP•9/13/25, 8:59 PM

            <!-- Optional Last Name Attribute -->
            <md:RequestedAttribute Name="last_name" 
                                 NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" 
                                 isRequired="false" />
            
        </md:AttributeConsumingService>
        
    </md:SPSSODescriptor>
</md:EntityDescriptor>

            <!-- Optional Last Name Attribute -->
            <md:RequestedAttribute Name="last_name" 
                                 NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" 
                                 isRequired="false" />
            
        </md:AttributeConsumingService>
        
    </md:SPSSODescriptor>
</md:EntityDescriptor>

            <!-- Optional Last Name Attribute -->
            <md:RequestedAttribute Name="last_name" 
                                 NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" 
                                 isRequired="false" />
            
        </md:AttributeConsumingService>
        
    </md:SPSSODescriptor>
</md:EntityDescriptor>

            <!-- Optional Last Name Attribute -->
            <md:RequestedAttribute Name="last_name" 
                                 NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" 
                                 isRequired="false" />
            
        </md:AttributeConsumingService>
        
    </md:SPSSODescriptor>
</md:EntityDescriptor>

M

Moisty Charlie VIOP•9/13/25, 9:32 PM

MMoisty Charlie VI https://media.discordapp.net/attachments/1019901852235616316/1416503040483266611...

M

Moisty Charlie VIOP•9/15/25, 1:47 AM

@Rajat any idea what would be happening wit the authorization issues?

R

Rajat•9/15/25, 10:08 AM

hey @Moisty Charlie VI I have to check w/ my team about it, thanks for your question, I will get back to you

RRajat hey @Moisty Charlie VI I have to check w/ my team about it, thanks for your ques...

M

Moisty Charlie VIOP•9/15/25, 4:34 PM

I just fixed it with a quick chat with Slack support

M

Moisty Charlie VIOP•9/15/25, 4:34 PM

the main issues were ''Either the SAML assertion or the response has to be signed. The error came up because the "Sign the response" checkbox in your Slack configuration is checked despite the response not being signed.Is the assertion signed? If so you should be able to uncheck "Sign the response" and keep "Sign the assertion" checked"

M

Moisty Charlie VIOP•9/15/25, 4:36 PM

(9:25:09 AM) Support Agent: Based on the logs, I can see that we're receiving an 'idp_config_not_found' error. Still digging into this but it may be related to the IdP side of things.  

(9:25:56 AM) Support Agent: Can you update the Identity Provider Issuer URL in Slack to match the one from your IdP and test the configuration?  

(9:27:08 AM) Support Agent: Try entering this URL in your Slack configuration and test again: https://login.****.***/saml/v2/metadata  

(9:28:17 AM) User: Would this be the provider issuer URL? https://login.****.***/saml/v2/metadata  

(9:28:33 AM) Support Agent: Yes, that’s correct.

(9:25:09 AM) Support Agent: Based on the logs, I can see that we're receiving an 'idp_config_not_found' error. Still digging into this but it may be related to the IdP side of things.  

(9:25:56 AM) Support Agent: Can you update the Identity Provider Issuer URL in Slack to match the one from your IdP and test the configuration?  

(9:27:08 AM) Support Agent: Try entering this URL in your Slack configuration and test again: https://login.****.***/saml/v2/metadata  

(9:28:17 AM) User: Would this be the provider issuer URL? https://login.****.***/saml/v2/metadata  

(9:28:33 AM) Support Agent: Yes, that’s correct.

(9:25:09 AM) Support Agent: Based on the logs, I can see that we're receiving an 'idp_config_not_found' error. Still digging into this but it may be related to the IdP side of things.  

(9:25:56 AM) Support Agent: Can you update the Identity Provider Issuer URL in Slack to match the one from your IdP and test the configuration?  

(9:27:08 AM) Support Agent: Try entering this URL in your Slack configuration and test again: https://login.****.***/saml/v2/metadata  

(9:28:17 AM) User: Would this be the provider issuer URL? https://login.****.***/saml/v2/metadata  

(9:28:33 AM) Support Agent: Yes, that’s correct.

(9:25:09 AM) Support Agent: Based on the logs, I can see that we're receiving an 'idp_config_not_found' error. Still digging into this but it may be related to the IdP side of things.  

(9:25:56 AM) Support Agent: Can you update the Identity Provider Issuer URL in Slack to match the one from your IdP and test the configuration?  

(9:27:08 AM) Support Agent: Try entering this URL in your Slack configuration and test again: https://login.****.***/saml/v2/metadata  

(9:28:17 AM) User: Would this be the provider issuer URL? https://login.****.***/saml/v2/metadata  

(9:28:33 AM) Support Agent: Yes, that’s correct.

G

Gigi the Giraffe (Zitadel)•9/15/25, 8:34 PM

Looks like you just helped out another community member! Thanks for being so helpful @1042554653423964300! You're now one step closer to leveling up—keep up the amazing peer support!

G

Gigi the Giraffe (Zitadel)•9/15/25, 10:31 PM

@Moisty Charlie VI, you cannot mark your own questions as solved.

G

Gigi the Giraffe (Zitadel)•9/15/25, 10:31 PM

@Moisty Charlie VI, you cannot mark your own questions as solved.