Okta Slack

admin



To reconfigure any of the General Settings or Sign-On Options, uncheck the Enable provisioning features box, and use the Previous and Next buttons to navigate through the configuration screens.

This guide provides the steps required to configure Provisioning for Slack.

Notes:

If you added the Slack app previously, on the OktaAdmin Console click Applications and select Slack in the list of applications. Click the Provisioning tab, click Configure API Integration, and select the Enable API Integration check box. Click Authenticate with Slack. The Slack application opens in a new window. Select a Slack group by ID and add users to it. Field Definition Type Required; Add to Group: Group ID: Unique alpha-numeric identifier of the group.

  • If you are enabling provisioning after already having users assigned to Slack SSO, be sure to run a full import to link the existing assigned user to the Slack user.

  • Make sure that your Slack organization has a Plus Plan subscription. It is required for Slack to get you access to Slack SCIM API.

  • Slack provisioning requires you to be using the Slack Plus edition.

  • Schema Discovery is now supported. Existing Slack app instances need to re-authenticate to enable this feature. New Slack app instances will get this feature by default.

  • Profile Mapping Template Updated. Existing Slack app instances need to contact Okta Support to update to the latest profile mappings template or can use Schema Discovery to map new attributes. New Slack instances will get the latest template by default.

  • If you're using Group Push Enhancements for the Slack app and see that updates are not pushed to Slack side, you need to do perform a Push Now for your group mapping. It force sync group memberships from Okta to Slack, so those users who are assigned to a group on Slack side but not assigned in Okta, may be removed.

Contents

Features

Slack

The following provisioning features are supported:

  • Push New Users

    New users created through OKTA will also be created in the third party application.

  • Push User Deactivation

    Deactivating the user through OKTA will remove the user from the organization and all teams in the third party application.

  • Push Profile Updates

    Updates made to the user's profile through OKTA will be pushed to the third party application.

  • Import New Users

    New users created in the third party application will be downloaded and turned in to new AppUser objects, for matching against existing OKTA users.

  • Import Profile Updates

    Updates made to a user's profile in the third party application will be downloaded and applies to the profile fields stored locally in OKTA. If the app is the system of record for the user, changes made to core profile fields (email, first name, last name, etc) will be applied to the Okta user profile. If the app is NOT the system of record for the user, only changes made to app-specific fields will be applied to the local user profile.

  • Group Push

    Groups and their members can be pushed to remote systems.

  • Reactivate Users

    Reactivating the user through Okta will reactivate the user in the 3rd party application.

  • Import User Schema

    Import additional user attributes from Slack. Also known as Schema Discovery

Configuration Steps

Configure your Provisioning settings for Slack as follows:

  1. Check the Enable API Integration box.

  2. Click the Authenticate with Slack button:

  3. You will be redirected to Slack's page, where you are prompted to enter your Slack subdomain:

  4. Sign into Slack, and authorize the Okta connector:

  5. You are redirected back to Okta to continue application configuration. You should see a message confirming the integration was authenticated successfully:

  6. Select To App in the left panel, then select the Provisioning Features you want to enable:

  7. Click Save.

  8. You can now assign people to the app, if needed.

Schema Discovery

The following attributes are currently supported:

    core10profileUrl
    core10preferredLanguage
    core10locale
    core10timezone
    core10userType (Slack account type)
    enterprise10employeeNumber
    enterprise10costCenter
    enterprise10organization
    enterprise10division
    enterprise10department

Okta Slack

Note: The above list is dynamic (downloaded from Slack), for up-to-date information, see https://api.slack.com/scim#user-attributes.

Okta Slack

Troubleshooting Tips

  • If you see any provisioning errors, please make sure you verified the following:

    • Make sure that your Slack organization has Plus Plan subscription.

    • Note that Slack API doesn't support special characters in username (for example: '+' char, as in john+doe@email.com); avoid such characters if possible.

  • To update user displayName on Slack side, go to https://my.slack.com/admin/auth/saml and uncheck Allow users to choose their own display name and save. After this change, you should be able to change display names.