Set Up SAML 2 for Single Sign-On to Smartsheet

Applies to

Smartsheet
  • Enterprise

Capabilities

Who can use this capability

System Admins with an IT Administrator can set up SAML 2 for SSO with Smartsheet.

If your organization uses the Security Assertion Markup Language (SAML) standard for login authentication, you can configure Smartsheet for signing in through a supported Single Sign-On (SSO) provider. 

To successfully set up SAML 2 SSO with Smartsheet for the US government, there are some requirements and settings you must apply.

Keep these things in mind

  • Smartsheet supports SP-initiated SSO. If you’re configuring an IdP-initiated SSO, work with your IdP.
  • You can use multiple SSO IdPs at the same time.

What you need to set up Smartsheet with your IdP

You’ll need the Smartsheet metadata provided here: www.smartsheet.com/sites/default/files/smartsheet-saml2-sp-metadata.xml

Using the metadata provided, configure a Relying Party within your IdP. The process for configuring a Relying Party may vary for every IdP. Consult your IdP’s documentation for more information.

Because of its security vulnerabilities, the SHA1 certificate signature algorithm has been deprecated. Make sure the SSL certificate you use is not signed with SHA1.

SAML exchange process 

Smartsheet requires the following attributes in the SAML exchange process:

  • Persistent ID: urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
  • Email address: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress

Keep these things in mind

  • The first assertion must carry a Persistent ID that stays the same for each person every time they sign in. The email address can be used as the Persistent ID, but the Email address claim still needs to be passed in the assertion. For a sample assertion and a complete list of Smartsheet’s supported claim formats, see the SAML Assertion: Supported Claims Examples in Smartsheet article.
  • The Persistent ID can be defined in the NameID (subject) element of the assertion.
  • If the assertion doesn't have a NameID (subject) element, you can use one of the attributes defined in the Supported Claims article.

The following attributes are recommended but optional: 

  • Given Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname 
    • This represents the user's first name
  • Surname: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname 
    • This represents the user's last name

Some SAML services may ask for additional information when you configure them with Smartsheet: 

  • Assertion Consumer Service (ACS) URL: https://sso.smartsheet.com/Shibboleth.sso/SAML2/POST 
  • Audience Restriction: https://sso.smartsheet.com/saml

Enter email addresses in lowercase. Capital letters can prevent matching of emails between your SAML provider and Smartsheet.
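As an added example that is not part of the Smartsheet article, the Python script below checks a SAML assertion against the requirements listed above: a persistent NameID, the email address claim in lowercase, the Smartsheet ACS URL as the Recipient, and the Audience Restriction value. The sample assertion (its issuer, NameID value and email address) is constructed for this example.

```python
import xml.etree.ElementTree as ET  # use defusedxml in production: it rejects entity expansion

# Values stated in the article above.
ACS_URL = "https://sso.smartsheet.com/Shibboleth.sso/SAML2/POST"
AUDIENCE = "https://sso.smartsheet.com/saml"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion: the issuer, NameID value and email address are made up.
GOOD_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_c1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.org/metadata</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">u-12345</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData
      Recipient="https://sso.smartsheet.com/Shibboleth.sso/SAML2/POST"/></saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions><saml:AudienceRestriction><saml:Audience>https://sso.smartsheet.com/saml</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement><saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
    <saml:AttributeValue>ada@example.org</saml:AttributeValue></saml:Attribute></saml:AttributeStatement>
</saml:Assertion>"""

def check_assertion(xml_text):
    """Return the list of requirements the assertion misses; an empty list means it passes."""
    problems = []
    root = ET.fromstring(xml_text)
    # Accept either a bare Assertion or a Response that wraps one.
    assertion = root if root.tag.endswith("}Assertion") else root.find(".//saml:Assertion", NS)
    if assertion is None:
        return ["no saml:Assertion element found"]
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        problems.append("no NameID: the Persistent ID must then come from a supported attribute")
    elif name_id.get("Format") != PERSISTENT:
        problems.append("NameID Format is %r, expected persistent" % name_id.get("Format"))
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is not None and scd.get("Recipient", ACS_URL) != ACS_URL:
        problems.append("Recipient is not the Smartsheet ACS URL")
    audiences = [a.text for a in assertion.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if AUDIENCE not in audiences:
        problems.append("AudienceRestriction does not name %s" % AUDIENCE)
    emails = [v.text or "" for v in assertion.findall(
        "saml:AttributeStatement/saml:Attribute[@Name='%s']/saml:AttributeValue" % EMAIL_CLAIM, NS)]
    if not emails:
        problems.append("email address claim is missing")
    elif any(e != e.lower() for e in emails):
        problems.append("email address contains capital letters; send it in lowercase")
    return problems
```

`check_assertion(GOOD_ASSERTION)` returns an empty list; to check a real IdP, pass in the decoded assertion your IdP issues for a test user instead of the constructed sample.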

Configure Smartsheet.com for use with your SAML IdP

Before proceeding, ensure you meet the requirements to configure SAML-based SSO for your account.

Open the SAML Administration form

Here’s how to establish a connection between your IdP and Smartsheet:

  1. In the lower-left area of the Smartsheet app, select Account > Plan & Billing Info.
  2. In the Account Administration form, select Security Controls.
  3. In the Authentication section, select Edit.
  4. Select not configured.

Once you’ve selected not configured, the SAML Administration form appears.

Configure SSO with your IdP

Follow these steps to configure SAML with one or more IdPs:

  1. Select Add IdP.

  2. Enter a nickname for your IdP. 
  3. Obtain the IdP metadata; then, copy and paste it into the IdP Metadata text box. 
    Consult your IdP’s documentation to determine how to obtain the IdP metadata.

  4. Copy the SSO URL; then, paste it in your IdP.
  5. Select Save.
    • After you save your changes, Smartsheet validates the metadata. If the validation is successful, the Edit IdP form appears. If you receive an error, check out our SAML Frequently Asked Questions and Common Errors article.
    • You can add a CNAME that’ll direct people to a friendly URL when they sign in. See the Direct people to sign in at a friendly CNAME URL section below for more information.
  6. To enable the IdP for use with Smartsheet, select Activate. The IdP status will change from Inactive to Active, Default.
  7. To enable SAML for your organization, in the Authentication form, select SAML.
    There must be at least one active IdP before you can enable SAML.
  8. Select Save.

That’s it! Now people in your account can use their company credentials to sign in to Smartsheet.

Configure additional IdPs

While most organizations only need a single active IdP, there’s no limit to the number of IdPs you can add.

To edit or add additional IdPs, next to the SAML checkbox, select edit configuration. The SAML Administration form appears for you to add additional IdPs or edit existing ones you’ve already set up.

If you have more than one active IdP, people signing in via SAML will authenticate against the default IdP. To make an IdP the default, in the Edit IdP form, select Make Default.


Direct people to sign in at a friendly CNAME URL

Smartsheet provides the default SSO URL for your organization, which is a one-step link to sign in to Smartsheet. You might want to add a CNAME with a friendly, more company-specific URL instead.

Don’t type sso.smartsheet.com in the CNAME field of the Edit IdP form, because that’ll cause login issues. Instead, use a CNAME created by your company and have that point at sso.smartsheet.com.

  1. In your domain, create a CNAME DNS record and point it at sso.smartsheet.com. For example, smartsheet.example.org IN CNAME sso.smartsheet.com.
  2. In the Edit IdP form, enter the CNAME.
  3. Select Add.
    It may take up to one hour for your CNAME address to authenticate.


Removing a user’s SSO access alone isn’t enough to prevent them from accessing Smartsheet. To fully prevent a user from accessing Smartsheet, you must completely delete that user from your organization’s Smartsheet account.

Different SAML configuration states 

SAML will be in one of the following states:

  • Not configured - No active IdPs
  • Disabled - At least one active IdP, and SAML is not checked on the Authentication form
  • Enabled - At least one active IdP, and SAML is checked on the Authentication form. Your IdP will be in one of three states:
    • Not configured - Security certificate is expired
    • Inactive - Valid metadata, valid security certificate
    • Active - Valid metadata, valid security certificate, not sharing entity ID with another active IdP on your account, and activated