Set Up SAML 2 for Single Sign-On to Smartsheet

Applies to

  • Enterprise


Who can use this capability

System Admins, together with an IT Administrator, can set up SAML 2 for SSO with Smartsheet.

If your organization uses the Security Assertion Markup Language (SAML) standard for login authentication, you can configure Smartsheet for signing in through a supported Single Sign-On (SSO) provider. After SSO is set up on an Enterprise-level account, everyone on the account can use the Your Company Account option to sign in with their company credentials.

If you’re looking to configure SAML 2 for SSO with the Smartsheet environment for the U.S. government, there are some different requirements and settings that you must apply to successfully set up SAML 2 SSO. Please keep the information in this help article in mind while configuring.

Supported SSO Providers

Smartsheet currently supports the following SAML 2 compliant identity providers (IdP):

  • OneLogin
  • ADFS
  • Azure Active Directory
  • Shibboleth
  • PingIdentity
  • Okta

Smartsheet supports SP-Initiated SSO. If you are configuring IdP-Initiated SSO, please work with your Identity Provider.

You can use multiple SSO identity providers (IdP) concurrently.

What You Need to Set Up Smartsheet with Your Identity Provider

The Smartsheet Metadata, provided here: 

Using the metadata provided, configure a Relying Party within your Identity Provider. The details of how to do this are specific to your Identity Provider; consult your Identity Provider’s documentation for further details.

Due to its security vulnerabilities, the SHA1 certificate algorithm has been deprecated. You must ensure you are no longer using an SSL certificate that is signed using SHA1.
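To check a certificate against the SHA1 requirement above, the following added example (not Smartsheet's code) reads the signature algorithm OID from a PEM or bare-base64 certificate, such as the body of an X509Certificate element in IdP metadata, using only the Python standard library. The sample input is a constructed DER skeleton, not a real certificate.

```python
import base64
import re

# Signature algorithm OIDs that use SHA-1 (values from the public OID registry).
SHA1_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10040.4.3": "dsa-with-sha1",
}
# Constructed sample: certificate-shaped DER skeleton, not a real certificate.
SAMPLE_SHA1_CERT = base64.b64encode(bytes.fromhex(
    "3018" "3003020101" "300d06092a864886f70d0101050500" "030200ff")).decode()

def _read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def _decode_oid(body):
    arcs, value = [], 0
    for byte in body:                       # base-128 digits, high bit means "more"
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(value)
            value = 0
    first = min(arcs[0] // 40, 2)           # the first two arcs share one value
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def signature_algorithm_oid(cert_text):
    """Outer signatureAlgorithm OID of a PEM or bare-base64 X.509 certificate."""
    b64 = re.sub(r"-----[^-]+-----|\s+", "", cert_text)
    der = base64.b64decode(b64, validate=True)
    tag, start, _ = _read_tlv(der, 0)               # Certificate ::= SEQUENCE
    _, _, tbs_end = _read_tlv(der, start)           # skip tbsCertificate
    tag2, alg_start, _ = _read_tlv(der, tbs_end)    # signatureAlgorithm
    tag3, oid_start, oid_end = _read_tlv(der, alg_start)
    if (tag, tag2, tag3) != (0x30, 0x30, 0x06):
        raise ValueError("unexpected certificate layout")
    return _decode_oid(der[oid_start:oid_end])

def is_sha1_signed(cert_text):
    return signature_algorithm_oid(cert_text) in SHA1_SIGNATURE_OIDS
```

A certificate for which `is_sha1_signed` returns True needs to be reissued with a SHA-2 signature before it is used with Smartsheet.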

Smartsheet requires that the following attributes are asserted during the SAML exchange process: 

  • Persistent ID: urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
  • Email Address:
  • The first assertion must contain a Persistent ID that is the same for each person whenever they sign in. Your email address can be a Persistent ID, but the Email Address claim still needs to be passed in the assertion process. For a sample assertion and a complete list of our supported claim formats, see the Configuration and Claims Examples for SAML in Smartsheet article.
  • The Persistent ID can be defined in the NameID (subject) element of the assertion (see Supported Claims).
  • If the assertion doesn't have a NameID (subject) element, you can use one of the attributes defined in the Supported Claims article.
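A pre-flight check of a captured assertion against the requirements listed above, as an added example that is not Smartsheet's code. The claim names are parameters because they depend on your IdP configuration (take them from the Supported Claims article); `EMAIL_CLAIM_PLACEHOLDER` and the sample assertion are constructed, and flagging a NameID whose Format is not the persistent URN is an assumption drawn from the requirement list.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
# Constructed sample; EMAIL_CLAIM_PLACEHOLDER stands in for your real claim name.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">a1b2c3</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="EMAIL_CLAIM_PLACEHOLDER">
      <saml:AttributeValue>user@example.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def check_assertion(xml_text, email_claim, persistent_claim=None):
    """Return a list of problems; empty means the required claims are present.

    Presence check only: it does not verify the assertion's signature.
    """
    # For XML you do not control, prefer a hardened parser such as defusedxml
    # over the standard-library parser used here.
    root = ET.fromstring(xml_text)
    assertion = root if root.tag.endswith("}Assertion") else root.find(".//saml:Assertion", NS)
    if assertion is None:
        return ["no saml:Assertion element found"]
    attrs = {}
    for attr in assertion.iterfind(".//saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.iterfind("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = [v for v in values if v]
    problems = []
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is not None and (name_id.text or "").strip():
        if name_id.get("Format") != PERSISTENT:
            problems.append("NameID Format is %r, not persistent" % name_id.get("Format"))
    elif not (persistent_claim and attrs.get(persistent_claim)):
        problems.append("no NameID and no persistent ID attribute")
    if not attrs.get(email_claim):
        problems.append("email attribute %r missing or empty" % email_claim)
    return problems
```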

The following attributes are recommended, but optional: 

  • Given Name: 
  • Surname: 

As their names indicate, the first attribute represents the first name for the person on the account, and the second represents their surname. 

Some SAML services may ask for additional information when you configure them with Smartsheet: 

  • Assertion Consumer Service (ACS) URL: 
  • Audience Restriction:

Configure for Use with Your SAML Identity Provider (IdP)

Before proceeding, ensure that you meet the requirements to configure SAML-based SSO for your account.

Open the SAML Administration Form

Here’s how to establish a connection between your IdP and Smartsheet:

  1. Select Account > Plan & Billing Info > Security Controls.
  2. In the Security Controls form, select Edit in the Authentication section.
  3. In the Authentication form, click not configured next to SAML.


Once you’ve selected not configured, the SAML Administration form appears. In this form, you can configure SAML with one or more Identity Providers.

Configure SSO with Your Identity Provider

To configure SSO with your identity provider (IdP):

  1. Open the SAML Administration form and select Add IdP.

  2. Provide a nickname for your IdP. 
  3. Obtain the IdP metadata, then copy and paste it into the IdP Metadata text field. Consult your Identity Provider’s documentation to determine how to obtain this.
  4. Click Save. Smartsheet will validate the metadata.

    If the validation is successful, the Edit IdP form appears. If you receive an error, check out our SAML Frequently Asked Questions and Common Errors article.

    TIP: You can add a CNAME that will direct people to a friendly URL when they sign in. See the CNAME section below for more information.
  5. Click Activate to enable the IdP for use with Smartsheet. The IdP status will change from Inactive to Active, Default.
  6. In the Authentication form, check the SAML box to enable SAML for your organization. Note that there must be at least one active IdP prior to enabling SAML.
  7. Click Save.

That’s it! Now people in your account can use their company credentials to sign in to Smartsheet.

Configure Additional IdPs

While most organizations only need a single active IdP, there is no limit to the number of IdPs you can add. 

To edit or add additional IdPs, click edit configuration next to the SAML checkbox. The SAML Administration form appears for you to add additional IdPs or edit existing ones that you’ve already set up.

If you have more than one active IdP, people signing in via SAML will authenticate against the Default IdP. To make an IdP the default, click Make Default in the Edit IdP form.


Direct People to Sign in at a Friendly CNAME URL

Smartsheet provides the default SSO URL for your organization, which is a one-step link to sign in to Smartsheet. You might want to add a CNAME with a friendly, more company-specific URL instead.

Do not type in the CNAME field of the Edit IdP form, as this will cause log in issues. Instead, use a CNAME created by your company, and have that point at

  1. Create a CNAME DNS record in your domain and point it at For example, " IN CNAME" 
  2. In the Edit IdP form, enter the CNAME and click Add.

    NOTE: It may take up to one hour for your CNAME address to authenticate.


To prevent a user in your organization from accessing Smartsheet, disabling their SSO access alone is not sufficient. To fully prevent a user from accessing Smartsheet, you must completely remove that user from your organization’s Smartsheet account. To do this, please see Manage Users in an Enterprise or Business Plan.

Different SAML Configuration States 

SAML will be in one of the following states:

  • Not configured—No active IdPs
  • Disabled—At least one active IdP, and SAML is not checked on the Authentication form
  • Enabled—At least one active IdP, and SAML is checked on the Authentication form

Your IdP will be in one of three states:

  • Not configured—Security certificate is expired
  • Inactive—Valid metadata, valid security certificate
  • Active—Valid metadata, valid security certificate, not sharing entity ID with another active IdP on your account, and activated