This guide provides the steps required to configure Provisioning for Slack.
Notes:
If you are enabling provisioning after already having users assigned to Slack SSO, be sure to run a full import to link the existing assigned user to the Slack user.
Make sure that your Slack organization has a Plus Plan subscription. Slack requires it to give you access to the Slack SCIM API.
Slack provisioning requires you to be using the Slack Plus edition.
Schema Discovery is now supported. Existing Slack app instances need to re-authenticate to enable this feature. New Slack app instances will get this feature by default.
Profile Mapping Template Updated. Existing Slack app instances need to contact Okta Support to update to the latest profile mappings template or can use Schema Discovery to map new attributes. New Slack instances will get the latest template by default.
If you're using Group Push Enhancements for the Slack app and see that updates are not pushed to the Slack side, you need to perform a Push Now for your group mapping. This forces a sync of group memberships from Okta to Slack, so users who are assigned to a group on the Slack side but not assigned in Okta may be removed.
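A dry-run check for the Push Now note above, as an added example that is not Okta's or Slack's code: given exported Okta group membership and Slack SCIM user and group resources, it lists who a forced sync would remove or add. The sample data is constructed, and matching groups by displayName and users by primary email is an assumption of this example.

```python
import json

# Constructed sample data (not real accounts). Okta side: group name -> member emails.
OKTA_GROUPS = {"engineering": {"ana@example.com", "bo@example.com", "dee@example.com"}}

# Constructed SCIM-style user and group resources, as exported from Slack.
SLACK_USERS = json.loads("""[
  {"id": "U01", "userName": "ana", "emails": [{"value": "ana@example.com", "primary": true}]},
  {"id": "U02", "userName": "bo",  "emails": [{"value": "Bo@Example.com", "primary": true}]},
  {"id": "U03", "userName": "cy",  "emails": [{"value": "cy@example.com", "primary": true}]}
]""")
SLACK_GROUPS = json.loads("""[
  {"id": "S01", "displayName": "engineering",
   "members": [{"value": "U01"}, {"value": "U02"}, {"value": "U03"}, {"value": "U99"}]}
]""")


def primary_email(user):
    """Return the lower-cased primary email of a SCIM user, or None."""
    emails = user.get("emails") or []
    chosen = next((e for e in emails if e.get("primary")), emails[0] if emails else None)
    return chosen["value"].lower() if chosen and chosen.get("value") else None


def preview_push(okta_groups, slack_users, slack_groups):
    """Per group, list who a forced sync would remove from or add to Slack."""
    email_by_id = {u["id"]: primary_email(u) for u in slack_users}
    report = {}
    for group in slack_groups:
        name = group["displayName"]  # assumption: groups are matched by name
        if name not in okta_groups:
            continue  # no Okta group of that name in the input: nothing to compare
        okta = {e.lower() for e in okta_groups[name]}
        ids = [m["value"] for m in group.get("members", [])]
        slack = {email_by_id[i] for i in ids if email_by_id.get(i)}
        report[name] = {
            "remove": sorted(slack - okta),  # in Slack only: may be removed by the sync
            "add": sorted(okta - slack),     # in Okta only: would be pushed to Slack
            "unresolved": [i for i in ids if not email_by_id.get(i)],  # review by hand
        }
    return report


if __name__ == "__main__":
    print(json.dumps(preview_push(OKTA_GROUPS, SLACK_USERS, SLACK_GROUPS), indent=2))
```

Review the "remove" and "unresolved" entries before running Push Now, and assign in Okta any user who should keep their Slack group membership.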
The following provisioning features are supported:
Push New Users
New users created through OKTA will also be created in the third party application.
Push User Deactivation
Deactivating the user through OKTA will remove the user from the organization and all teams in the third party application.
Push Profile Updates
Updates made to the user's profile through OKTA will be pushed to the third party application.
Import New Users
New users created in the third party application will be downloaded and turned into new AppUser objects, for matching against existing OKTA users.
Import Profile Updates
Updates made to a user's profile in the third party application will be downloaded and applied to the profile fields stored locally in OKTA. If the app is the system of record for the user, changes made to core profile fields (email, first name, last name, etc.) will be applied to the Okta user profile. If the app is NOT the system of record for the user, only changes made to app-specific fields will be applied to the local user profile.
Group Push
Groups and their members can be pushed to remote systems.
Reactivate Users
Reactivating the user through Okta will reactivate the user in the 3rd party application.
Import User Schema
Import additional user attributes from Slack. Also known as Schema Discovery.
Configure your Provisioning settings for Slack as follows:
Check the Enable API Integration box.
Click the Authenticate with Slack button:
You will be redirected to Slack's page, where you are prompted to enter your Slack subdomain:
Sign into Slack, and authorize the Okta connector:
You are redirected back to Okta to continue application configuration. You should see a message confirming the integration was authenticated successfully:
Select To App in the left panel, then select the Provisioning Features you want to enable:
Click Save.
You can now assign people to the app, if needed.
The following attributes are currently supported:
core10 | profileUrl |
core10 | preferredLanguage |
core10 | locale |
core10 | timezone |
core10 | userType (Slack account type) |
enterprise10 | employeeNumber |
enterprise10 | costCenter |
enterprise10 | organization |
enterprise10 | division |
enterprise10 | department |
Note: The above list is dynamic (downloaded from Slack). For up-to-date information, see https://api.slack.com/scim#user-attributes .
If you see any provisioning errors, please make sure you have verified the following:
Make sure that your Slack organization has a Plus Plan subscription.
Note that the Slack API doesn't support special characters in usernames (for example, the "+" character, as in john+doe@email.com); avoid such characters if possible.
To update a user's displayName on the Slack side, go to https://my.slack.com/admin/auth/saml, uncheck Allow users to choose their own display name, and save. After this change, you should be able to change display names.