can context-check-intercept access the ACS URL ? how?

Losen, Stephen C. (scl) scl at
Wed Mar 28 07:41:10 EDT 2018

Hi folks,

I am setting up SAML SSO for slack.  All slack instances have the same entityID: "".  However we have multiple instances whose URLs are (for example) and

If you login to slack with SAML SSO and your account does not exist, then slack invites you to self-create it. Slack support says this feature cannot be turned off.

We have learned that if the IDP returns ANY response to slack, even if it is empty, then slack assumes a successful SSO login.  The user is invited to self-create a slack instance account. So the IDP cannot simply withhold attributes in the attribute-filter, because the IDP still sends a response. If the response has no attributes, then the slack account creation form simply has no fields pre-filled.

We are using group membership (LDAP attr "isMemberOf") to control access. I wrote a context check intercept so that the IDP aborts the login if the user is accessing entityID and is not a member of the authorized group.  This works fine for one instance, but we are planning on multiple instances, each with its own authorized group in LDAP.  At this point I have a poor solution.  If you are a member of ANY authorized group, then you can login to ANY slack instance (and self-create your account if it doesn't exist yet).

Can anyone think of how I can improve my context check intercept?  I can't distinguish slack instances based on entityID, but the ACS URLs are all different.  Is the ACS URL somehow available to the intercept?  Any other ideas?

Yes, slack should fix their SP, but they don't seem to give a rip.

Stephen C. Losen
ITS - Systems and Storage
University of Virginia
scl at    434-924-0640

More information about the users mailing list