SURFconext cannot verify the configuration steps below, as we are not a customer of this service provider. We have collected the information below from a one-time connection. Procedures change from time to time, and we depend on someone notifying us; sorry if the information below does not work for you. If you have remarks or tips you want to share, please send them to support@surfconext.nl.
This document describes how to connect your Slack workspace to SURFconext. It is based on a one-time connection with a private Slack workspace, https://braindrops-nl.slack.com/. Replace "braindrops-nl" in the URLs below with the name of your own Slack workspace. After following the steps below, the users of your IdP should be able to log on to your own Slack workspace.
Since every institution has its own Slack workspace, the Slack side of the connection must be configured by someone signed in with an owner account of that workspace. SURF does not have that access, so the institution configures part of the connection itself. After the institution has taken those steps, SURF finishes the set-up on the SURFconext side.
Step by step
The best way to connect your Slack workspace at SURFconext is:
- Register your Slack workspace at SURFconext
- Configure the SSO option at your Slack workspace for SURFconext
- Test the SSO option at SURFconext
- Enable the SSO feature for your Slack workspace
Configuration at SURFconext
Before you configure the SSO option at your Slack workspace, the workspace must be registered at SURFconext.
At this point there are three options for you to proceed:
- If you are familiar with SURFconext, you can use the Service Provider Dashboard and register the service there using the entityID and ACS URL listed under Basic SAML configuration. If you want us to create a new instance in your dashboard for this, send us an email at support@surfconext.nl and mention who at your institution needs access. This is the preferred way of managing entities in SURFconext.
- If you are new to the SP Dashboard or SURFconext and want to get started with the SP Dashboard right away, send us a mail at support@surfconext.nl and we will help you get started.
- If you are not familiar with SURFconext and do not intend to create entities in the SP Dashboard in the future, send us a mail at support@surfconext.nl with the values listed under Basic SAML configuration, and we will configure the entity in SURFconext for you.
SURFconext basics
There are two SURFconext environments:
- The "production environment of SURFconext" dedicated for production services
- The "test environment of SURFconext" as a playground for connecting new services
Both environments have their own metadata and their own signing key. The key ID in the URLs below (key:YYYYMMDD) changes when SURFconext rotates a signing key, so check the current IdP metadata before copying an SSO location or certificate into Slack.
The following data must be used to connect a service to the test environment of SURFconext:
- The SAML metadata of the SURFconext IdP end-point can be found at https://metadata.test.surfconext.nl/idp-metadata.xml
- The entityID of test environment of SURFconext is: https://engine.test.surfconext.nl/authentication/idp/metadata
(note: this is NOT the location of the SAML metadata but the entityID of the IdP end-point of the test environment of SURFconext)
- The SSO location of the test environment of SURFconext is: https://engine.test.surfconext.nl/authentication/idp/single-sign-on/key:20230403
- The assertion signing certificate is included in the IdP metadata as well as available at https://engine.test.surfconext.nl/authentication/idp/certificate/key:20230403
The following data must be used to connect a service to the production environment of SURFconext:
- The SAML metadata of the SURFconext IdP end-point can be found at https://metadata.surfconext.nl/idp-metadata.xml
- The entityID of production environment of SURFconext is: https://engine.surfconext.nl/authentication/idp/metadata
(note: this is NOT the location of the SAML metadata but the entityID of the IdP end-point of the production environment of SURFconext)
- The SSO location of the production environment of SURFconext is: https://engine.surfconext.nl/authentication/idp/single-sign-on/key:20230503
- The assertion signing certificate is included in the IdP metadata as well as available at https://engine.surfconext.nl/authentication/idp/certificate/key:20230503
More information regarding the different environments of SURFconext is available at SURFconext environments: test and production.
Basic SAML configuration
The following fields must be entered in the SP Dashboard for the registration of your Slack workspace at SURFconext:
- entityID: https://braindrops-nl.slack.com
- ACS URL: https://braindrops-nl.slack.com/sso/saml
Note: replace "braindrops-nl" with the name of your own Slack workspace, as shown in the URL of your workspace.
Attribute Manipulation
Slack does not use standard attribute names, so SURFconext has to rewrite the attributes for this entity before sending them to Slack. Send a mail to support@surfconext.nl and ask to enable attribute manipulation for the entity with the following mapping:
- The NameIDFormat of the entity needs to be set to "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
- The e-mail address of the user needs to be mapped to the Subject (the NameID)
- urn:mace:dir:attribute-def:givenName (urn:oid:2.5.4.42) to be sent as first_name
- urn:mace:dir:attribute-def:sn (urn:oid:2.5.4.4) to be sent as last_name
- urn:mace:dir:attribute-def:mail (urn:oid:0.9.2342.19200300.100.1.3) to be sent as User.Email
The attribute manipulation code (PHP, run by SURFconext on every response for this entity) will be similar to what you see below.
    # Required attributes for account creation in Slack
    $attr_gn   = 'urn:mace:dir:attribute-def:givenName';
    $attr_sn   = 'urn:mace:dir:attribute-def:sn';
    $attr_mail = 'urn:mace:dir:attribute-def:mail';

    # Attributes to let through to Slack (this list replaces the standard ARP)
    $requiredAttributes = array(
        'first_name',
        'last_name',
        'User.Email'
    );

    if (isset($attributes) and ($attributes !== FALSE)) {
        if (!empty($attributes[$attr_mail][0])) {
            # The e-mail address becomes the NameID (Subject) ...
            $subjectId = $attributes[$attr_mail][0];
            # ... and is also sent as the User.Email attribute
            $attributes['User.Email'] = $attributes[$attr_mail];
        }
        if (!empty($attributes[$attr_gn])) {
            $attributes['first_name'] = $attributes[$attr_gn];
        }
        if (!empty($attributes[$attr_sn])) {
            $attributes['last_name'] = $attributes[$attr_sn];
        }

        # Remove everything Slack did not ask for, including the original urn:mace attributes
        foreach ($attributes as $k => $v) {
            if (!in_array($k, $requiredAttributes)) {
                unset($attributes[$k]);
            }
        }
    }
Configuration at Slack
For the SSO option at Slack the 'Plus' plan or the 'Enterprise Grid' plan [https://my.slack.com/plans] is required. Please note that only workspace owners can configure the SSO option.
The general information to enable the SSO option for Slack is available at https://slack.com/intl/en-nl/help/articles/203772216-SAML-single-sign-on
We assume the Slack workspace will be connected to the test environment of SURFconext. Please use the corresponding SAML metadata if the Slack workspace will be connected to the production environment of SURFconext.
- Navigate to "Settings & Administration" ==> "Workspace settings" (https://braindrops-nl.slack.com/admin/settings) and open the "Authentication" tab
- Click the "SAML authentication" option and re-enter your password
- Switch to "Test" mode by clicking the "Configure"/"Test" toggle
- In the block "Configure SAML Authentication" enter the following values for the test environment of SURFconext:
- In the field "SAML 2.0 Endpoint (HTTP)" enter the SSO location of the test environment of SURFconext: https://engine.test.surfconext.nl/authentication/idp/single-sign-on/key:20230403
- In the field "Identity Provider Issuer" enter the entityID of the IdP end-point of the test environment of SURFconext: https://engine.test.surfconext.nl/authentication/idp/metadata
- In the field "Public Certificate" paste the assertion signing certificate of the test environment of SURFconext, available at https://engine.test.surfconext.nl/authentication/idp/certificate/key:20230403 (the key ID must be the same as in the SSO location and must match the current IdP metadata)
- Expand the "Advanced Options"
- Unselect (if not already unselected) the option "Sign AuthnRequest"
- Leave the "AuthnContextClassRef" option at "urn:oasis:names:tc:SAML:2.0:ac:classes:Password"
- In the field "Service Provider Issuer" enter the entityID of your Slack workspace: https://braindrops-nl.slack.com
- Unselect the option "Responses Signed" and select (if not already selected) the option "Assertions Signed". SURFconext signs the assertion rather than the response, and "Assertions Signed" is the check Slack uses to verify that the assertion really came from SURFconext, so do not switch it off to make a failing test pass
- In the Settings block select the preferred options:
- Select: Update profile each time a user logs in
- Select: Allow users to choose their own display name
- Unselect: Allow users to change their email address (the e-mail address is the NameID that links the Slack account to the institutional identity)
- At "Authentication for your workspace must be used by" select "All workspace members"
- In the field "Customize - Sign In Button Label" enter the preferred text for the SSO button, e.g. SURFconext
- Click "Test Configuration"
- If the WAYF page is shown, select your IdP and enter your credentials at your institution; you will be logged on to your Slack workspace through SURFconext
- If the login was successful, click "Save Configuration" to enable the SSO option for your Slack workspace
Note: When enabling the SSO option, an email will be sent to all workspace members who have not set up SSO for their Slack accounts.
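The SSO endpoint, issuer and certificate that the steps above ask you to type into Slack are exactly the values published in the SURFconext IdP metadata listed under SURFconext basics, and the key ID in them changes when SURFconext rotates its signing key. The following Python script is an added example (it is not part of this page and not SURFconext's or Slack's own tooling): it extracts those three values from an IdP metadata document, prints them in the form Slack's fields expect, and flags an SSO endpoint whose key ID no longer matches the metadata. It runs offline against a constructed metadata sample whose certificate body is a placeholder; pass the metadata URL from the SURFconext basics section as its first argument to run it against the real document.

```python
"""Map a SAML 2.0 IdP metadata document onto Slack's "Configure SAML Authentication"
fields. Added example in the shape of SURFconext's idp-metadata.xml; not SURFconext code."""
import re
import sys
import urllib.request
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
KEY_ID_RE = re.compile(r"/key:(\d+)$")

# Constructed sample in the shape of a SURFconext IdP metadata document.
# The X509Certificate body is a placeholder, NOT SURFconext's real certificate.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://engine.test.surfconext.nl/authentication/idp/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        MIIBPLACEHOLDERcertificateBodyForTheConstructedSample0123456789abcdefghijkl
        mnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/ABCDEFGHIJKLMNOPQRSTUV==
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://engine.test.surfconext.nl/authentication/idp/single-sign-on/key:20230403"/>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://engine.test.surfconext.nl/authentication/idp/single-sign-on/key:20230403"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def key_id(url):
    """Return the key:YYYYMMDD part of a SURFconext endpoint URL, or None if absent."""
    m = KEY_ID_RE.search(url)
    return m.group(1) if m else None


def slack_settings(metadata_xml):
    """Extract Slack's three SAML form values from IdP metadata."""
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata contains no IDPSSODescriptor")

    # "SAML 2.0 Endpoint (HTTP)" is the HTTP-Redirect binding SSO location.
    endpoint = next(
        (s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)
         if s.get("Binding") == HTTP_REDIRECT),
        None,
    )
    if endpoint is None:
        raise ValueError("no HTTP-Redirect SingleSignOnService in metadata")

    # Signing certificates: KeyDescriptor with use="signing" or without a use attribute.
    certs = [
        "".join(c.text.split())
        for kd in idp.findall("md:KeyDescriptor", NS)
        if kd.get("use") in (None, "signing")
        for c in kd.findall(".//ds:X509Certificate", NS)
    ]
    if not certs:
        raise ValueError("no signing certificate in metadata")

    body = certs[0]
    pem = "-----BEGIN CERTIFICATE-----\n" + "\n".join(
        body[i:i + 64] for i in range(0, len(body), 64)
    ) + "\n-----END CERTIFICATE-----"

    return {
        "idp_issuer": root.get("entityID"),  # "Identity Provider Issuer"
        "endpoint": endpoint,                 # "SAML 2.0 Endpoint (HTTP)"
        "certificate_pem": pem,               # "Public Certificate"
        "key_id": key_id(endpoint),
        "signing_cert_count": len(certs),     # more than 1 means a key rollover is in progress
    }


def endpoint_is_stale(settings, endpoint_entered_in_slack):
    """True if the key ID Slack has differs from the key ID in the current metadata."""
    return key_id(endpoint_entered_in_slack) != settings["key_id"]


def load_metadata(url=None):
    """Fetch live metadata when a URL is given; otherwise use the constructed sample."""
    if url is None:
        return SAMPLE_METADATA
    with urllib.request.urlopen(url, timeout=15) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    s = slack_settings(load_metadata(sys.argv[1] if len(sys.argv) > 1 else None))
    print("Identity Provider Issuer :", s["idp_issuer"])
    print("SAML 2.0 Endpoint (HTTP) :", s["endpoint"])
    print("Public Certificate       :\n" + s["certificate_pem"])
    # Check a value already entered in Slack (constructed example with an older key ID).
    entered = "https://engine.test.surfconext.nl/authentication/idp/single-sign-on/key:20190208"
    if endpoint_is_stale(s, entered):
        print("Stale endpoint in Slack:", entered, "- key ID not in current metadata")
```

If `signing_cert_count` is greater than 1, SURFconext is publishing two signing certificates during a key rollover; Slack accepts only one "Public Certificate", so compare the key ID in the SSO location with the certificate URLs under SURFconext basics to pick the one that signs assertions now.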
Screenshots (not reproduced here): the Settings & Permissions page, the SSO feature page, the Advanced SSO option page and the test option block.
How to log on to the service as an end user
When the service has been configured, you can log on to it through SURFconext as follows.
- Navigate to 'https://braindrops-nl.slack.com/'
- Click the button "Sign in with SURFconext"
- If the WAYF page is shown, select your IdP and enter your credentials at your institution; you will be logged on to your Slack workspace through SURFconext
The finishing touch
For the connection of your Slack workspace at SURFconext there are several options:
Consent screen
The SSO connection of the Slack workspace requires a number of non-standard attributes, for which a mapping must be made from the attributes provided by the IdP. Because of these non-standard attributes, the standard attribute filter of SURFconext (with the default consent screen) cannot be used, and the filtering is done in the attribute manipulation script instead. As a consequence, the consent screen lists more attributes than are actually sent to Slack. To compensate, several options are available to the SURFconext representative of your institution:
- Leave it as it is
- Turn off the consent screen for this service
- Use a "custom consent message" (in Dutch and in English) for the service on the IdP, including e.g. the following text:
"For this service a number of non-standardised attributes (first_name, last_name and User.Email) are used with a custom attribute filter, so the standard consent page cannot be used.
Only these three attributes will be forwarded to Slack."
Controlled access
To restrict access to your Slack workspace you can use SURFconext Authorisation Rules [Autorisatieregels]. This feature can be configured for the registration of your Slack workspace at the production environment of SURFconext by the SURFconext representative of your institution, using the IdP Dashboard of SURFconext.