Configuring Slack to use Shibboleth

David Langenberg davel at
Fri Apr 29 12:34:55 EDT 2016

We have slack + shib working (IdPv3):


<bean id="slack" parent="RelyingPartyByName" c:relyingPartyIds="SLACK-SP-ENTITYID-PLACEHOLDER">
    <property name="profileConfigurations">
        <list>
            <!-- postAuthenticationFlows="context-check" is uchicago-specific, nothing to do with slack, ignore -->
            <bean id="b7" parent="SAML2.SSO"
                  p:postAuthenticationFlows="context-check"
                  p:signResponses="true" />
        </list>
    </property>
</bean>


<!-- saml-nameid.xml: the persistent format is what Slack's documentation asks for -->
<bean parent="shibboleth.SAML2AttributeSourcedGenerator"
      p:format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
      p:attributeSourceIds="#{ { 'uid' } }" />

You need to create & release a User.Email attribute.

<resolver:AttributeDefinition id="User.Email" xsi:type="Simple" xmlns="urn:mace:shibboleth:2.0:resolver:ad">
    <resolver:Dependency ref="scriptedEmail"/>

    <resolver:AttributeEncoder xsi:type="SAML2String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
                               name="User.Email" friendlyName="mail"/>
</resolver:AttributeDefinition>


<!-- the policy id and the requester value (Slack's SP entityID) were left blank in the post -->
<afp:AttributeFilterPolicy id="">
    <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString" value="" />
    <afp:AttributeRule attributeID="User.Email">
        <afp:PermitValueRule xsi:type="basic:ANY" />
    </afp:AttributeRule>
    <afp:AttributeRule attributeID="uid">
        <afp:PermitValueRule xsi:type="basic:ANY" />
    </afp:AttributeRule>
    <afp:AttributeRule attributeID="givenName">
        <afp:PermitValueRule xsi:type="basic:ANY" />
    </afp:AttributeRule>
    <afp:AttributeRule attributeID="sn">
        <afp:PermitValueRule xsi:type="basic:ANY" />
    </afp:AttributeRule>
    <afp:AttributeRule attributeID="eduPersonTargetedId"> <!-- probably don't need this -->
        <afp:PermitValueRule xsi:type="basic:ANY" />
    </afp:AttributeRule>
</afp:AttributeFilterPolicy>

David Langenberg
Identity & Access Management Architect
University of Chicago
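Since the thread's complaint is that neither side logs anything useful, a small check of what the IdP actually emits against the two things Slack's documentation requires (a persistent NameID with both qualifiers, and a User.Email attribute) is a quick way to narrow the problem down. This is an added example, not code from the list or from Shibboleth; it assumes you have the plaintext assertion the IdP generates, and the sample assertion, qualifiers and address in it are constructed placeholders.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
UNSPECIFIED = "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"

# Constructed sample assertion; the qualifiers and the address are placeholders, not real values.
GOOD_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema">
  <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
    NameQualifier="https://idp.example.edu/idp/shibboleth" SPNameQualifier="SLACK-SP-ENTITYID">abc123</saml:NameID></saml:Subject>
  <saml:AttributeStatement><saml:Attribute Name="User.Email"
    NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <saml:AttributeValue xsi:type="xs:anyType">testuser@example.edu</saml:AttributeValue>
  </saml:Attribute></saml:AttributeStatement></saml:Assertion>"""

def check_slack_assertion(xml_text):
    """Return a list of problems; an empty list means both Slack requirements are present."""
    problems = []
    root = ET.fromstring(xml_text)
    # Accept either a bare Assertion or a Response that wraps one.
    assertion = root if root.tag == "{%s}Assertion" % SAML_NS["saml"] else root.find(".//saml:Assertion", SAML_NS)
    if assertion is None:
        return ["no saml:Assertion found"]
    # Requirement 1: a persistent NameID with both qualifiers and a non-empty value.
    nameid = assertion.find("./saml:Subject/saml:NameID", SAML_NS)
    if nameid is None:
        problems.append("Subject has no NameID")
    else:
        if nameid.get("Format") != PERSISTENT:
            problems.append("NameID Format is %r, expected persistent" % nameid.get("Format"))
        for qualifier in ("NameQualifier", "SPNameQualifier"):
            if not nameid.get(qualifier):
                problems.append("NameID lacks " + qualifier)
        if not (nameid.text or "").strip():
            problems.append("NameID value is empty")
    # Requirement 2: a User.Email attribute carrying an address.
    emails = [a for a in assertion.findall(".//saml:AttributeStatement/saml:Attribute", SAML_NS)
              if a.get("Name") == "User.Email"]
    if not emails:
        problems.append("no User.Email attribute released")
    else:
        if emails[0].get("NameFormat") not in (None, UNSPECIFIED):
            problems.append("User.Email NameFormat differs from Slack's sample (unspecified)")
        values = [(v.text or "").strip() for v in emails[0].findall("saml:AttributeValue", SAML_NS)]
        if not any("@" in v for v in values):
            problems.append("User.Email has no value that looks like an address")
    return problems
```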

On April 29, 2016 at 10:15:01 AM, Matt Brennan (brennanma at) wrote:

Did you guys get this to work? I'm trying to set it up, but every time I hit "Save" it authenticates me through the IdP and brings me back to the default chat room. I can't seem to find any log messages (on either side) that actually give a hint what's going on.


On Thu, Apr 14, 2016 at 5:37 PM, Nate Klingenstein <ndk at> wrote:
> They provide documentation for their custom SAML process here:

I was just reviewing this last night.  Beyond the typical custom implementation stuff, one thing that jumped out at me is the Required for both:

<saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" NameQualifier="<>" SPNameQualifier="">Your Unique Identifier</saml:NameID>


<saml:Attribute Name="User.Email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
  <saml:AttributeValue xsi:type="xs:anyType">testuser at</saml:AttributeValue>
</saml:Attribute>

I haven’t played with it to see what happens if one, the other, neither, both, or a changed value gets sent.  It’s my next step, so if anyone knows anything, it would be helpful.

My hope is that they just use the persistentId as an identifier and email as email.  I have lots of hope in life, though.
To unsubscribe from this list send an email to users-unsubscribe at
