1Kosmos integrates with Slack as a SAML 2.0 identity provider, replacing password-based workspace login with biometric authentication on Business+ and Enterprise Grid plans.
Integration type: SSO
Overview
1Kosmos integrates with Slack as a SAML 2.0 identity provider, enabling workspace members to authenticate biometrically through the 1Kosmos mobile app when signing in to Slack. SAML SSO in Slack is available on Business+, Pro (optional), and Enterprise Grid plans. For Enterprise Grid, SSO is the default authentication method.
Slack's SAML SSO is configured in the workspace or organization settings under Authentication → SAML. The configuration requires the 1Kosmos SSO endpoint URL, IdP Entity ID, and X.509 certificate. Slack's fixed SP values are Entity ID https://slack.com and ACS URL https://[domain].slack.com/sso/saml. Slack uses HTTP POST binding and requires the SAML response to be signed.
Slack also supports Test Mode, which allows both SSO and password-based login simultaneously during the configuration and testing period. Test Mode should be used until SSO is fully validated before switching to a required SSO configuration.
Prerequisites
Active 1Kosmos tenant: Administrator access to the AdminX portal. Contact 1kosmos.com/contact if not yet provisioned.
Slack Business+ or Enterprise Grid plan: Workspace Owner or Organization Owner access to configure SAML SSO. SAML is not available on the Free plan.
Matching user email addresses: All Slack workspace members must have email addresses in Slack that match their 1Kosmos directory records. Slack uses email to identify users during SAML authentication.
1Kosmos mobile app installed: Users must have the app on iOS or Android with biometrics enrolled before testing.
Configuration values
Values to collect from 1Kosmos AdminX (IdP) for Slack:
| Field | Where to find it |
|---|---|
| SAML 2.0 Endpoint URL (SSO Login URL) | AdminX → Settings → IdP Configuration → Single SignOn Service URL |
| Identity Provider Issuer (IdP Entity ID) | AdminX → Settings → IdP Configuration → Core Configuration |
| Public Certificate (X.509) | AdminX → Settings → IdP Configuration → View Certificate → Public Key |
Fixed Slack SP values to enter in AdminX:
| Field | Value |
|---|---|
| SP Entity ID | https://slack.com (or https://[domain].slack.com for multiple Slack instances) |
| ACS URL | https://[domain].slack.com/sso/saml |
| NameID Format | urn:oasis:names:tc:SAML:2.0:nameid-format:persistent (recommended) |
Integration steps
Step 1: Add Slack as a SAML application in AdminX
Log in to the AdminX portal and navigate to Applications → Add Application.
Select SAML 2.0 Generic and click Add integration. Enter "Slack" as the Application Name and https://[domain].slack.com as the Application Access URL.
Set NameID Format to urn:oasis:names:tc:SAML:2.0:nameid-format:persistent and NameID Value to a persistent unique user identifier. Add claims for email. Enable Assertion signing (Slack requires the response or assertion to be signed).
Enter https://slack.com as the SP Entity ID and https://[domain].slack.com/sso/saml as the ACS URL. Click Save.
Step 2: Configure SAML SSO in Slack workspace settings
Log in to Slack as a Workspace Owner. Click on your workspace name in the top left, then go to Settings and administration → Workspace settings.
Select the Authentication tab and click Configure next to SAML authentication.
In the top right, toggle Test mode on (keep SSO optional during testing).
In the SAML SSO URL field, paste the 1Kosmos SSO Login URL.
In the Identity Provider Issuer field, paste the 1Kosmos IdP Entity ID.
In the Public Certificate field, paste the full contents of the 1Kosmos X.509 certificate including the BEGIN and END CERTIFICATE lines.
Click Test Configuration to validate the setup, then click Turn on SSO or Save.
Step 3: Test the integration
Open a browser and navigate to https://[domain].slack.com. Click Sign in with SSO.
Enter your email address. Slack detects the SSO configuration and redirects to 1Kosmos.
Authenticate biometrically using the 1Kosmos mobile app. Confirm you are returned to Slack as an authenticated member.
After successful testing, disable Test Mode in the Authentication settings and set SSO to Required if needed.
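A pre-flight check for the Test Mode phase, added here as an example (not 1Kosmos or Slack code): it decodes a SAMLResponse captured from your own test login and compares it against the SP values this page lists. The `example` workspace domain, the `constructed_response` helper, and the assumption that the email claim's attribute Name contains "email" are illustrative; the signature check is presence-only, not cryptographic verification.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"

def check_slack_response(b64_response, domain, sp_entity_id="https://slack.com"):
    """List mismatches between a captured SAMLResponse and the Slack SP values."""
    # Use only on a response from your own test login; ElementTree is not hardened.
    root = ET.fromstring(base64.b64decode(b64_response))
    acs = f"https://{domain}.slack.com/sso/saml"
    problems = []
    if root.get("Destination") != acs:
        problems.append(f"Destination {root.get('Destination')!r} is not the ACS URL {acs!r}")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["no plaintext Assertion in the response"]
    # Presence check only; the signature is not verified cryptographically here.
    if root.find("ds:Signature", NS) is None and assertion.find("ds:Signature", NS) is None:
        problems.append("neither the Response nor the Assertion carries a Signature")
    audience = assertion.findtext(".//saml:Audience", namespaces=NS)
    if audience != sp_entity_id:
        problems.append(f"Audience {audience!r} is not the SP Entity ID {sp_entity_id!r}")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        problems.append("NameID is missing or empty")
    elif name_id.get("Format") != PERSISTENT:
        problems.append(f"NameID Format is {name_id.get('Format')!r}, not persistent")
    # Assumption: the email claim's attribute Name contains "email".
    emails = [a.findtext("saml:AttributeValue", default="", namespaces=NS)
              for a in assertion.iterfind("saml:AttributeStatement/saml:Attribute", NS)
              if "email" in a.get("Name", "").lower()]
    if not any("@" in e for e in emails):
        problems.append("no email attribute with an address value")
    return problems

def constructed_response(destination, audience, nameid_format, signed=True):
    """Build a constructed, base64-encoded test response (placeholder values)."""
    sig = '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>' if signed else ""
    xml = (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
           f'Destination="{destination}"><saml:Assertion>{sig}<saml:Subject>'
           f'<saml:NameID Format="{nameid_format}">u-0001</saml:NameID></saml:Subject>'
           f'<saml:Conditions><saml:AudienceRestriction><saml:Audience>{audience}'
           f'</saml:Audience></saml:AudienceRestriction></saml:Conditions>'
           f'<saml:AttributeStatement><saml:Attribute Name="email"><saml:AttributeValue>'
           f'user@example.com</saml:AttributeValue></saml:Attribute>'
           f'</saml:AttributeStatement></saml:Assertion></samlp:Response>')
    return base64.b64encode(xml.encode()).decode()
```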
Attribute mappings
| Source (1Kosmos) | Target (Slack) | Description |
|---|---|---|
| user.id (persistent) | NameID (persistent) | Persistent identifier for stable Slack account linkage |
| user.email | email attribute | Used for display and account matching |
Integration notes
Slack uses HTTP POST binding exclusively for SAML. HTTP Redirect binding is not supported. If your AdminX SAML application is configured with Redirect binding, change it to POST before testing.
Slack does not support Single Logout (SLO) or session duration values sent by the identity provider.
If SSO is set to Required, Slack guests who are not members of the workspace will still need to sign in using their email and password since the SAML enforcement applies to workspace members only.
For Enterprise Grid, SSO is configured at the organization level and applies to all workspaces in the Grid.

