Configure SAML for plan-level single sign-on to Smartsheet

This help article walks you through setting up SAML configuration at the plan level, accessible only to users within your plan. For a SAML setup that applies to all Smartsheet users within your domain, refer to the domain-level SAML configuration guide.
 

Who can use this?

Plans:

  • Smartsheet
  • Enterprise

Permissions:

  • System Admin 

Find out if this capability is included in Smartsheet Regions or Smartsheet Gov.

System Admins with an IT Administrator can set up SAML for SSO with Smartsheet.

As a heads-up

Starting February 5th, 2024, you can’t create new plan-level SAML configurations. However, for existing plan-level SAML configurations, you retain the ability to create, update, delete, or read plan-level SAML setups. Additionally, you now have the option to configure SAML at the domain level.

These are the steps you must complete

  1. Set up your organization’s Identity Provider (IdP) to communicate with Smartsheet. 

  2. Add a record to your organization’s public Domain Name System (DNS). You may need to loop in an internal technical resource for assistance with setup and maintenance of this feature.

    To successfully set up SAML SSO with Smartsheet for the US government, there are some requirements and settings you must apply.

Keep these things in mind

  • Smartsheet supports Service-Provider-initiated SSO. If you’re configuring an IdP-initiated SSO, work with your IdP.
  • You can use more than one SSO IdP at the same time.
  • If the System Admin of an Enterprise plan validates your domain and sets up a SAML configuration at the domain level, the domain-level SAML setup overrides any plan-level SAML configurations for users within that domain.

Prerequisites

Using the metadata provided, configure a Relying Party within your IdP. The process for configuring a Relying Party may vary for every IdP. Consult your IdP’s documentation for more information.

Due to its security vulnerabilities, the SHA1 certificate algorithm has been deprecated. You must ensure you’re not using an SSL certificate which is signed using SHA1.

SAML exchange process

Smartsheet requires the following attributes in the SAML exchange process:

 

The following attributes are recommended but optional:

 

Some SAML services may ask for additional information when you configure them with Smartsheet:

 

Notes on the exchange process

  • Enter email addresses in lowercase. Capital letters can prevent matching of emails between your SAML provider and Smartsheet.
  • The first assertion must have a Persistent ID that’s the same for each person whenever they sign in. Your email address can be a Persistent ID, but the Email address claim still needs to be passed in the assertion process. Email claims must be all lower case. For a sample assertion and a complete list of Smartsheet’s supported claim formats, see the SAML Assertion: Supported Claims Examples in Smartsheet article.
  • The Persistent ID can be defined in the NameID (subject) element of the assertion.
  • If the assertion doesn't have a NameID (subject) element, you can use one of the attributes defined in the Supported Claims article.
  • Ensure you remove the attribute claim http://schemas.xmlsoap.org/ws/2005/05/identity/claims/Name from the prepopulated attributes in Azure.

Configure Smartsheet.com for use with your SAML IdP

You must meet the requirements before you continue with the SAML configuration. 

Open the SAML Administration form

To establish a connection between your IdP and Smartsheet:

  1. In Admin Center, select the Menu icon at the upper-left. 
  2. Navigate to Settings > Authentication.

  3. Select Manage federated SSO Options

    The Authentication form displays.

  4. Select not configured. After doing these steps, the SAML Administration form displays.

    Select not configured

If this is the first time you're setting up the SAML configuration in Smartsheet, the not configured button will take you to the domain-level SAML configuration page. If you still need to define plan-level SAML configuration, contact Smartsheet support.

Configure SSO with your IdP

Follow these steps to configure SAML with one or more IdPs:

  1. Select Add IdP.

    add IdP

  2. Enter a nickname for your IdP.

    Consult your IdP's documentation to determine how to obtain the IdP metadata.

  3. Obtain the IdP metadata and copy it.

  4. In the IdP Metadata textbox, paste the IdP metadata.

    add IdP metadata
  5. Copy the SSO URL and paste it in your IdP.
  6. Select Save. After saving the changes you made, Smartsheet validates the metadata.
    • If the validation is successful, the Edit IdP ​form displays.
    • If you receive an error, check out our SAML FAQs and common errors article.
    • You can add a CNAME that’ll direct people to a friendly URL when they sign in. See the Direct people to sign in at a friendly CNAME URL section below for more information.

  7. To enable the IdP for use with Smartsheet, select Activate. The IdP status changes from Inactive to Active, Default

    Select Activate to enable SAML

  8. To enable SAML for your plan, in the Authentication form, select SAML.

    There must be at least one active IdP before enabling SAML.

  9. Select Save.

    That’s it! Now people in your plan can use their company credentials to sign in to Smartsheet.

Configure additional IdPs

  • While most organizations only need a single active IdP, there’s no limit to the number of IdPs you can add.
  • To edit or add additional IdPs, next to the SAML checkbox, select edit configuration. The SAML Administration form appears for you to add additional IdPs or edit existing ones you’ve already set up.

  • If you have more than one active IdP, people signing in via SAML will authenticate against the default IdP. To make an IdP the default, in the Edit IdP ​form, select Make Default.

    Configure additional IdPs

Direct people to sign in at a friendly CNAME URL

Smartsheet provides the default SSO URL​ for your organization, which is a one-­step link to sign in to Smartsheet. You might want to add a CNAME with a friendly, more company-specific URL instead.

Don't type sso.smartsheet.com in the CNAME field of the Edit IdP form as that may cause login issues. Instead, use a CNAME created by your company and have it point to sso.smartsheet.com.

  1. In your domain, create a CNAME DNS record and point it at sso.smartsheet.com. For example, smartsheet.example.org IN CNAME sso.smartsheet.com.
  2. In the Edit IdP ​form, enter the CNAME

  3. Select Add​.

    Direct people to a friendly CNAME URL

Reminders

  • It may take up to one hour for your CNAME address to authenticate.​​​
  • You can't use HTTPS for your CNAME URL. Only HTTP is supported.
  • Removing a user’s SSO access alone isn’t enough to prevent them from accessing Smartsheet. To fully prevent a user from accessing Smartsheet, you must completely delete that user from your organization’s Smartsheet plan.

SAML configuration states

SAML will be in one of the following states:

  • Not configured​: There are no active IdPs. 
  • Disabled​: There’s at least one active IdP. Also, in the Authentication form, the SAML checkbox isn’t selected.
  • Enabled​: There’s at least one active IdP. Also, in the Authentication form, the SAML checkbox is selected. Your IdP will be in one of three states: 
    • Not configured​: Security certificate is expired 
    • Inactive​: Valid metadata, valid security certificate 
    • Active​: Valid metadata, valid security certificate, not sharing entity ID with another active IdP on your plan, and activated