Skip to content
Veraproof Veraproof Docs

Slack Enterprise Guests Integration

Slack Enterprise Guests Integration

Scimify enables SCIM provisioning for Slack Enterprise guest accounts so you can manage guest lifecycle from your identity provider (IdP), including create, update profile fields, deactivate, and reactivate.

Overview

Use this integration when you need to provision Slack guests (single-channel and multi-channel) from your IdP. Scimify accepts standard SCIM requests from your IdP and translates them to Slack Admin API calls for your target workspace.

This integration is user-only (no group provisioning).

For Enterprise Grid environments, use dedicated IdP apps for both SCIM and SSO flows:

  • App 1: Slack Enterprise Grid SCIM app for regular members
  • App 2: Scimify Slack Enterprise Guests SCIM app for guest users
  • App 3: Slack Guests SSO app dedicated to guest sign-in assignment

Keeping guest assignments in separate guest-specific apps helps prevent conflicts with your primary Slack member provisioning and SSO assignment flows.

Prerequisites

  • Slack Enterprise Grid
  • Slack org admin permissions to create and install an org-level Slack app
  • A Slack user OAuth token (xoxp-...) from a Slack admin account with appropriate admin scopes
  • Target workspace ID
  • At least one Slack channel ID to use as the default guest channel

Configuration Steps

1. Create and Install the Slack App

  1. In Slack app settings, open App Manifest and paste the manifest below.
  2. Save the manifest and install the app at the org level.
  3. Generate and copy an admin user OAuth token (xoxp-...).
{
  "display_information": {
    "name": "Scimify Slack Guests",
    "description": "SCIM guest user provisioning for Slack Enterprise",
    "background_color": "#1f2937",
    "long_description": "Scimify provisions and manages Slack Enterprise guest accounts from your identity provider. This app must be installed at the Slack Enterprise organization level, then configured in Scimify with the target workspace ID for guest provisioning. It supports single-channel guests, multi-channel guests, guest listing, deprovisioning, and profile updates.\nVisit https://veraproof.io/scimify for more information."
  },
  "oauth_config": {
    "scopes": {
      "user": [
        "admin.users:read",
        "admin.users:write",
        "users:read",
        "users:read.email",
        "users.profile:read",
        "users.profile:write"
      ],
      "bot": [
        "users:read"
      ]
    }
  },
  "settings": {
    "org_deploy_enabled": true,
    "socket_mode_enabled": false,
    "token_rotation_enabled": false
  },
  "_metadata": {
    "major_version": 2,
    "minor_version": 1
  }
}

Important: The Slack admin user who authorizes installation is shown by Slack as the inviter on guest invites. Use a dedicated Slack service account for app authorization so invite attribution is stable and auditable.

Token requirement: Use the user token (xoxp-...), not a bot token (xoxb-...). Slack admin permissions for guest provisioning are tied to Slack users, so Scimify must call Slack Admin APIs with an admin user’s token.

In Scimify, create a Slack Enterprise Guests integration and set:

  • OAuth Token: your admin Slack token
  • Target Workspace ID: workspace where guests should be provisioned
  • Default Channel ID: fallback channel used when SCIM payload does not include channel_ids
  • Custom Invite Message (optional): up to 500 characters

2. Get the Workspace ID (Slack Enterprise Org Console)

  1. Go to Workspaces -> All workspaces
  2. Open the 3-dots menu for the workspace
  3. Click Copy workspace ID

3. Get a Slack Channel ID (for default channel_id / SCIM channel_ids)

Use one of the methods below:

  • In Slack desktop/web, open the channel and copy the ID from the URL (.../archives/C0123456789)
  • Or open channel details / integrations tooling where channel IDs are shown

Set this value as the integration default channel ID in Scimify.
You can override per-user channels by sending SCIM custom attribute channel_ids.

4. Configure SCIM in Okta

Follow the standard Scimify SCIM app setup in Okta: Okta SCIM Configuration.

Then assign guest users to your Slack Guests app and configure custom attributes as described below.

Configure Custom Profile Attributes in Okta

The Slack Guests integration expects custom attributes in the SCIM user payload:

  • slack_guest_type (required): single-channel or multi-channel
  • channel_ids (optional): comma-separated channel IDs or an array of channel IDs

If channel_ids is omitted, Scimify uses the integration-level default channel ID.

Suggested Okta profile attributes

  • slack_guest_type
    • Type: string
    • External namespace: urn:ietf:params:scim:schemas:extension:custom:2.0:User
    • Allowed values: single-channel, multi-channel
    • Recommended: required in your app profile policy
  • channel_ids
    • Type: string
    • External namespace: urn:ietf:params:scim:schemas:extension:custom:2.0:User
    • Example value: C0123456789,C0222222222
    • Optional if you always want the configured default channel

Mapping guidance

  • Map your Okta app profile attributes so they are sent in the SCIM user payload.
  • Keep slack_guest_type tightly controlled (for example, enum values only) to avoid invalid requests.
  • Use a default value strategy for channel_ids only if you intentionally want IdP-driven overrides instead of integration default.

Limitations and Behavior Notes

  • Guest type and channel behavior on update: default channel and guest type are set during create/reactivation flows, but regular profile updates intentionally do not re-assign guest type/channels. This allows Slack admins to manage changes directly in Slack Admin Console without Scimify overwriting them on every update.
  • Reactivation behavior: reactivating a disabled guest can inherit existing Slack state. In some cases, resulting guest type may reflect prior Slack settings rather than current IdP profile attributes.
  • At least one channel is required by Slack: each guest invite/assignment must include a channel, either from SCIM channel_ids or integration default channel.
  • No group support: this connector does not create, sync, or manage groups.
  • User refresh and licensing: refreshing users in the Scimify console returns both active and disabled Slack guest users from the workspace. Only active users count toward Scimify licensing.

Troubleshooting

  • slack_guest_type is required
    • Ensure the Okta mapping sends slack_guest_type with single-channel or multi-channel.
  • channel_ids is required
    • Provide channel_ids in SCIM or set integration default channel ID.
  • Wrong workspace
    • Verify target workspace ID in integration configuration.

Need Help?

If you need help validating attribute mappings or Slack admin permissions, contact [email protected].