Using SAML to add abraham.lincoln@whitehouse.gov to my Slack workspace

submitted by
Style Pass
2025-01-20 18:30:06

Note: I use Slack as a funny example in this article, but Slack is not vulnerable to the SAML attacks I describe (they implement option (2) at the end of this post).

This screenshot is not doctored. There really is an abraham.lincoln@whitehouse.gov in SSOReady’s Slack workspace. They’re a regular Slack user.

Sadly for historians, but luckily for B2B SaaS software engineers, the answer is behind door number 2. The trick is to abuse Slack’s SAML integration.

You can just do this. Okta doesn’t verify that a user actually controls the email address an admin assigns to them. In fact, it usually works the other way around; at many companies, you can’t log into your email unless you can log into Okta first.

The rest of this article explains that this isn’t some bug in SAML. It’s how SAML is meant to work. And then I’ll explain how software that integrates with SAML – your software – should deal with it.

Up until step (6), there is nothing you can possibly do about this. Maybe setting up a SAML connection in step (5) requires business tier, like Slack does. Whatever. That’s hardly a security posture.
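To make the service-provider side of this concrete, here is an added example (it is not code from the article, and it does not reproduce the options the article goes on to describe after this excerpt ends). It contrasts a naive SAML login handler, which trusts whatever email the IdP admin typed into the NameID, with a hardened one that only honours emails whose domain the customer has separately proven they own. The SAML Response is a constructed, unsigned minimal document; the `CONNECTIONS` registry, the issuer URL and the domain-verification data are assumptions for the illustration, and signature validation is assumed to happen upstream, since it would not help here anyway: the IdP genuinely signed the assertion.

```python
import xml.etree.ElementTree as ET  # for real, untrusted input use defusedxml instead
from xml.sax.saxutils import escape

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Hypothetical SP-side registry (constructed data): each customer's SAML connection,
# keyed by the IdP's Issuer, plus the email domains that customer proved control of
# out of band (for example via a DNS TXT record) when the connection was set up.
OKTA_ISSUER = "https://example-corp.okta.com/saml/idp"
CONNECTIONS = {
    OKTA_ISSUER: {"org": "example-corp", "verified_domains": {"example-corp.com"}},
}


def build_response(issuer: str, email: str) -> str:
    """Construct a minimal, unsigned SAML Response carrying an emailAddress NameID.

    This stands in for what an IdP admin can produce for any email they like;
    a real response would also be signed, but the signature is not the problem.
    """
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>{escape(issuer)}</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">{escape(email)}</saml:NameID>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>"""


def extract_identity(saml_response_xml: str) -> tuple[str, str]:
    """Return (issuer, name_id) from the assertion. Signature checks assumed done upstream."""
    root = ET.fromstring(saml_response_xml)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no Assertion in Response")
    issuer = assertion.find("saml:Issuer", NS).text.strip()
    name_id = assertion.find("saml:Subject/saml:NameID", NS).text.strip()
    return issuer, name_id


def naive_login(saml_response_xml: str) -> str:
    """The mistake: any email the IdP asserts becomes a user, as long as the IdP is one we know."""
    issuer, email = extract_identity(saml_response_xml)
    if issuer not in CONNECTIONS:
        raise PermissionError("assertion from an IdP we have no connection with")
    return email  # abraham.lincoln@whitehouse.gov sails straight through


def hardened_login(saml_response_xml: str) -> str:
    """Only accept an email whose domain the owning customer has proven they control."""
    issuer, email = extract_identity(saml_response_xml)
    conn = CONNECTIONS.get(issuer)
    if conn is None:
        raise PermissionError("assertion from an IdP we have no connection with")
    local, at, domain = email.rpartition("@")  # rpartition: last '@' wins, so a@b@c -> domain c
    if not at or not local or not domain:
        raise ValueError("NameID is not a well-formed email address")
    if domain.lower() not in conn["verified_domains"]:
        raise PermissionError(
            f"{conn['org']}'s IdP may not assert addresses at {domain!r}; not a verified domain"
        )
    return email


if __name__ == "__main__":
    forged = build_response(OKTA_ISSUER, "abraham.lincoln@whitehouse.gov")
    print("naive:", naive_login(forged))
    try:
        hardened_login(forged)
    except PermissionError as e:
        print("hardened:", e)
```

The point of the domain check is that it moves the question from "is this assertion genuinely from the customer's IdP?" (yes, always) to "is the customer entitled to speak for this email domain?", which is something the service provider can establish independently of the IdP. Lookalike domains (`example-corp.com.evil.io`) and addresses with multiple `@` signs fall out naturally because only the final domain is compared against the verified set.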
