Skip to main content

Check out Interactive Visual Stories to gain hands-on experience with the SSE product features. Click here.

Skyhigh Security

Setup SAML SSO with ADFS and Slack via Proxy

Use the following procedure to configure Single Sign-On using ADFS for Slack and Skyhigh CASB via SAML proxy connection. 

Slack provides an Assertion Consumer Services (ACS) in the SAML request to identify the provider with a SAML proxy for both the SAML request from Slack and the SAML assertion from ADFS.

Prerequisites

Make sure you have the following before setup with ADFS and Slack:

  • Access to Slack Enterprise account.
  • Access to Skyhigh CASB
  • Enable Skyhigh CASB proxy for Slack service.
  • Functioning ADFS server to reach over the Internet with a valid SSL certificate and DNS resolvable hostname.
  • Single Sign-On working setup without Skyhigh CASB proxy (Slack and ADFS direct SSO).

Step 1: Configure Slack Proxy in Skyhigh CASB

NOTE: Slack doesn't require the SP certificate, so you can fake the SP certificate using the IDP certificate.

  1. Login to Skyhigh CASB.
  2. Go to Settings > Service Management.
  3. Click Add Service Instance
  4. Click Slack, and enter an Instance Name.
  5. Click Done
  6. Select your Slack instance from the Services list. (If no services are listed, contact Skyhigh Security Support for help.)
  7. Click the Setup tab, and under Proxy, click Get Started
  8. Under Configure Proxy, click Configure
  9. For Select Proxy Location, select Skyhigh CASB. Click Next
  10. Configure the proxy domain as shown:
    • Host Name: Enter a name and make sure to use the enterprise domain.
    • Proxy Domain: Select the required option.
      clipboard_e1df4b50506274643837935af5383f178.png
  11. Click Done.
  12. Under Setup SAML, click Configure.
  13. Upload the IDP Certificate in both the IdP and SP Certificate fields and save SAML Settings.
    clipboard_ee7b960c0dad4b18e741bfa11b6eb41f5.png
  14. Export the proxy certificate to use in the Slack enterprise account.
    clipboard_e9a6e0a2d66ee9a28e5b7ad82bb6dd925.png
  15. Add the proxy property skip.saml.redirect.sig.qs.param to true.
    clipboard_e4ccc13ba4c94664719ac8d36981e78dc.png

Step 2: Configure ADFS

  1. Open the relying party trust properties configured for Slack.
  2. Replace the actual endpoint URL with modified proxy URL:
  3. Replace actual identifier value with the modified proxy URL:

Step 3: Configure Slack SSO for Skyhigh CASB SAML Proxy

  1. Login to your Slack Enterprise account and select Manage Organization Setting.
  2. Go to Security > SSO Configuration and you are redirected to Change SSO Configuration page.
  3. Replace the ADFS signing certificate with an Skyhigh CASB proxy certificate. Replace as follows:
  4. Click Test Configuration to authenticate the ADFS.
    clipboard_eb4d7e20155219ab4efaac46d35b53432.png
  5. Once the test mode is successfully updated, click Confirm Update.
    clipboard_eb36fab189a60376b992ccdb7bc946bd0.png

NOTE:  When you logged into Slack Service, if you see a blank page instead of Slack Home page then you need to configure the following on Slack SSO:

  • Under SAML Response Signing, select the Assertion Signed.
    clipboard_e3b58ececb45d205637c3007992dd6150.png
  • Save your configuration.
  • Was this article helpful?