Configuring Slack SSO in Forcepoint ONE SSE

Setting up SSO for Slack starts with enabling Web SSO for the Slack application in Forcepoint ONE SSE. As always start on the Protect > Policies page and select Slack from your applications (or click the green plus icon to add the application if you haven't already).

1. On the Slack settings page, select your App Instance to open the Slack Instance dialog. In the dialog scroll to the bottom and select the checkbox Enable to enable SAML SSO. Click Ok at the bottom and then click Save in the top right corner of the settings page to save your changes.
   
   
   
   
   
2. The App SSO settings in Forcepoint ONE SSE will already be configured for you, however you will be able to make adjustments if your setup is customized (for example, sending a different NameID for authentication or sending different or other attributes during the SAML Request).
   
   
   
   
   
3. Back on the Slack settings page select Setup Web SSO and then on the top drop-down select your particular domain you are setting Slack up for. You will now see the SSO setting information you will need to input into Slack. Keep this page open since you will need this information for the next steps.
   
   
   
   
   
4. Open up a new window and login to your Slack administrator console. Once logged in click Manage Organization in the top right corner. On the Manage Organization click Security in the left column tab and you will notice that SSO Configuration is the first option and already selected. On the right in the main Window select Change Configuration from the top right.
   
   
   
   
   
5. In the Change SSO Configuration page, copy over the information from the Forcepoint ONE SSE Web SSO Setup page we opened up in Step 3.
   
   
   

   • For the Assertion Signing Certificate you will need to download the certificate from Forcepoint ONE SSE, open the certificate and then copy/paste the contents into the Public (X.509) Certificate field.
   • For the AuthnContextClassRef leave as the top default option.
     
     
     
   • Check off Sign the Response and Sign the Assertion. Once you are done click Test Configuration and you will be redirected to enter your SSO authentication credentials to validate the setup.
     
     
     
6. Once you are done with the setup navigate back to Forcepoint ONE SSE and to the Protect > Policies page and scroll down to the setup Slack application. Before setting up a policy line to send users through Secure App Access (reverse proxy) you will need to setup one policy line for Direct App Access and have an admin or a user login directly once to validate the SAML SSO setup. Once done you can then adjust your policies to start sending people through the Forcepoint ONE SSE proxy.
   Note: For Upload DLP, Forcepoint ONE SSE does not support watermarking for all the actions.

   After this step is done you can then test to make sure users are being redirected through the proxy by having them login while matching a policy set to Secure App Access and verifying the URL is rewritten.