Considerations and best practices for integrating Slack and Microsoft Teams
Integrating Access Requests with Slack and Microsoft Teams helps you streamline request management and boosts user productivity.
If you've enabled the Identity Governance - Slack notifications feature for your org, you can also use Slack to notify access certification campaign reviewers and admins.
However, keep the following considerations and best practices in mind before you integrate Slack or Microsoft Teams with your Okta org.
Considerations
- Requests and approvals in Slack and Microsoft Teams use the chat app session, not the Okta session. Chat apps often have relaxed authentication policies, which means the level of assurance for that action might not meet your org's security standards. A compromised chat session could allow a bad actor to make requests without re-authenticating with Okta.
- The integration matches chat app users to Okta users by email address. If these attributes aren't strictly managed (that is, they can be edited by users or aren't sourced from a trusted system), users might impersonate others to gain unauthorized access.
- Users can't approve their own requests unless they're the individually assigned approver. This helps prevent a compromised identity from being used to both submit and approve an access request, and so to self-escalate privileges.
- Requests for Okta admin roles can't be submitted or approved from chat apps. Requesters must request admin role access from the Okta End-User Dashboard, and approvers must approve admin role access in the Okta Access Requests app. This approach enforces the requirement for a valid Okta session for both actions and applies your strongest authentication policies to sensitive actions.
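The rules above (email-based user matching, the self-approval restriction, and the admin-role channel restriction) can be modelled as a policy check that a security team might run over its own request records. The following is an added example and not Okta's code: the user and request records, the trusted-source names, and the channel labels are all hypothetical, and the directory and requests are constructed inline.

```python
"""Hypothetical policy model for chat-originated access requests (not Okta code)."""
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple

# Assumed authoritative profile sources for the email attribute (example names)
TRUSTED_SOURCES = {"hris", "active_directory"}

@dataclass
class OktaUser:
    user_id: str
    email: str
    email_source: str  # system that masters the email attribute

@dataclass
class AccessRequest:
    requester_id: str
    resource: str
    is_admin_role: bool
    channel: str  # "slack", "teams" or "web" (constructed labels)
    assigned_approver_id: Optional[str] = None  # individually assigned approver, if any
    approver_ids: Set[str] = field(default_factory=set)  # group/role-based approvers

def resolve_chat_user(chat_email: str, directory) -> Tuple[Optional[OktaUser], str]:
    """Map a chat-app email to exactly one Okta user whose email comes from a trusted source."""
    matches = [u for u in directory if u.email.lower() == chat_email.lower()]
    if len(matches) != 1:
        return None, "no unique Okta user for this email"
    if matches[0].email_source not in TRUSTED_SOURCES:
        return None, "email attribute is not mastered by an authoritative source"
    return matches[0], "ok"

def can_submit(req: AccessRequest) -> Tuple[bool, str]:
    """Admin-role requests may only be submitted with an Okta session (web), never from chat."""
    if req.is_admin_role and req.channel != "web":
        return False, "admin role requests must come from the End-User Dashboard"
    return True, "ok"

def can_approve(req: AccessRequest, approver_id: str, channel: str) -> Tuple[bool, str]:
    """Approval is refused for admin roles outside the web app and for self-approval
    unless the requester is the individually assigned approver."""
    if req.is_admin_role and channel != "web":
        return False, "admin role approvals must happen in the Access Requests app"
    if approver_id == req.requester_id and approver_id != req.assigned_approver_id:
        return False, "requester cannot approve their own request"
    if approver_id != req.assigned_approver_id and approver_id not in req.approver_ids:
        return False, "not an approver for this request"
    return True, "ok"
```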
Best practices
- Enforce strong authentication and session policies
  The security of Access Requests in Slack and Microsoft Teams depends on the security of the chat app. Configure app authentication policies for Slack and Teams to enforce frequent re-authentication. This helps mitigate the risk of compromised, long-lived sessions. For critical apps, require frequent re-authentication and strong factors, such as phishing-resistant MFA. This helps ensure that even if unauthorized access is approved through Access Requests, the user must meet high assurance levels to use that access.
- Enable Universal Logout
  Universal Logout terminates sessions immediately when a risk is detected. It's currently supported for Slack Enterprise, where you can configure it to terminate the session upon risk detection. See Third-party apps that support Universal Logout for a complete list of supported apps.
- Centralize your data source
  Sync critical user attributes, such as email addresses, from a single authoritative source like a Human Resources Information System (HRIS) or Active Directory. Configure chat app settings to prevent users from editing their own email addresses. This helps prevent attackers from impersonating other users to bypass approval workflows.
- Enable the Unified Requester Experience feature
  When you enable the Unified Requester Experience feature, all users are redirected to the web for request submission, which requires a valid Okta session. Although approvals can still occur in Slack, this eliminates high-risk vectors for unauthorized access. Unified Requester Experience ensures that an Okta session is required to obtain access, reinforcing your security posture.
