Set Up SAML 2 for Single Sign-On to Smartsheet

If your organization uses the Security Assertion Markup Language (SAML) standard for login authentication, you can configure Smartsheet for signing in through a supported Single Sign-On (SSO) provider. After SSO is set up on an Enterprise-level account, everyone on the account can use the Your Company Account option to sign in with their company credentials.

If you’re looking to configure SAML 2 for SSO with the Smartsheet environment for the U.S. government, there are some different requirements and settings that you must apply to successfully set up SAML 2 SSO. Please keep the information in this help article in mind while configuring.

Who can use this capability?

role permissions A System Admin and an IT Administrator can set up SAML 2 for SSO with Smartsheet
plan type Enterprise and Premier Smartsheet accounts

This is a self-service guide to setting up SAML and the feature and setup steps discussed in this article require knowledge of both SAML 2 and SSO. You may need to consult a technical resource at your organization for assistance with setting this up.

Supported SSO Providers

Smartsheet currently supports the following SAML 2 compliant identity providers (IdP):

  • OneLogin
  • ADFS
  • Azure Active Directory
  • Shibboleth
  • PingIdentity
  • Okta
  • Smartsheet supports SP initiated SSO only; IdP initiated SSO isn’t supported.
  • You can use multiple SSO identity providers (IdP) concurrently.

What You Need to Set Up Smartsheet with Your Identity Provider

The Smartsheet Metadata, provided here: www.smartsheet.com/sites/default/files/smartsheet-saml2-sp-metadata.xml 

Using the metadata provided, configure a Relying Party within your Identity Provider. Details on how to do this are specific to your Identity Provider, consult your Identity Provider’s documentation for further details.

Due to its security vulnerabilities, the SHA1 certificate algorithm has been deprecated. You must ensure you are no longer using an SSL certificate which is signed using SHA1

Smartsheet requires that the following attributes are asserted during the SAML exchange process: 

  • Persistent ID:  urn:oasis:names:tc:SAML:2.0:nameid‑format:persistent 
  • Email Address: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
  • The first assertion must contain a Persistent ID that is the same for each person whenever they sign in. Your email address can be a Persistent ID, but the Email Address claim still needs to be passed in the assertion process. For a sample assertion and a complete list of our supported claim formats, see the Configuration and Claims Examples for SAML in Smartsheet article.
  • The Persistent ID can be defined in the NameID (subject) element of the assertion (see Supported Claims).
  • If the assertion doesn't have a NameID (subject) element, you can use one of the attributes defined in the Supported Claims article.

The following attributes are recommended, but optional: 

  • Given Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname 
  • Surname: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname 

As their names indicate, the first attribute represents the first name for the person on the account, and the second represents their surname. 

Some SAML services may ask for additional information when you configure them with Smartsheet: 

  • Assertion Consumer Service (ACS) URL: https://sso.smartsheet.com/Shibboleth.sso/SAML2/POST 
  • Audience Restriction: https://sso.smartsheet.com/saml

Configure Smartsheet.com for Use with Your SAML Identity Provider (IdP)

Before proceeding, ensure that you meet the requirements to configure SAML-based SSO for your account.

Open the SAML Administration Form

Here’s how to establish a connection between your IdP and Smartsheet:

  1. Select Account > Account Admin > Security Controls​.
     
  2. In the Security Controls form, select Edit​ in the Authentication section.
    security-controls
     
  3. In the Authentication form, click not configured​ next to SAML.

    saml-not-configured

Once you’ve selected not configured, the SAML Administration form appears. In this form, you can configure SAML with one or more Identity Providers.

Configure SSO with Your Identity Provider

To configure SSO with your identity provider(IdP):

  1. Open the SAML Administration form and select Add IdP.

    add-idp
  2. Provide a nickname for your IdP. 
  3. Obtain the IdP metadata, then copy and paste it into the IdP Metadata text field. Consult your Identity Provider’s documentation to determine how to obtain this.
    idp-metadata
  4. Click Save​. Smartsheet will validate the metadata. 

    If the validation is successful, the Edit IdP ​form appears. If you receive an error, check out our SAML Frequently Asked Questions and Common Errors article.

    TIP: You can add a CNAME that will direct people to a friendly URL when the sign in. See the CNAME section below for more information.
     
  5. Click Activate ​to enable the IdP for use with Smartsheet. The IdP status will change from Inactive to Active, Default.
    activate-idp
  6. In the Authentication ​form, check the SAML ​box to enable SAML for your organization. Note that there must be at least one active IdP prior to enabling SAML.
    saml-enabled
  7. Click Save.

That’s it! Now people in your account can use their company credentials to sign in to Smartsheet.

Configure Additional IdPs

While most organizations only need a single active IdP, there is no limit to the number of IdPs you can add. 

To edit or add additional IdPs, click edit configuration ​next to the SAML checkbox. The SAML Administration form appears for you to add additional IdPs or edit existing ones that you’ve already set up.

If you have more than one active IdP, people signing in via SAML will authenticate against the Default IdP. To make an IdP the default, click Make Default in the Edit IdP ​form.

saml-admin-multiple-idps

Direct People to Sign in at a Friendly CNAME URL

Smartsheet provides the default SSO URL​ for your organization, which is a one ­step link to sign in to Smartsheet. You might want to add a CNAME with a friendly, more company specific URL instead.

Do not type sso.smartsheet.com in the CNAME field of the Edit IdP form, as this will cause log in issues. Instead, use a CNAME created by your company, and have that point at sso.smartsheet.com.

  1. Create a CNAME DNS record in your domain and point it at sso.smartsheet.com. For example, "smartsheet.example.org IN CNAME sso.smartsheet.com" 
  2. In the Edit IdP ​form, enter the CNAME and click Add​. 

    NOTE: It may take up to one hour for your CNAME address to authenticate.

    cname

To prevent a user in your organization from accessing Smartsheet, disabling their SSO access alone is not sufficient. To fully prevent a user from accessing Smartsheet, you must completely remove that user from your organization’s Smartsheet account. To do this, please see “Remove Users” in Manage Users in a Multi-User Plan.

Different SAML Configuration States 

SAML will be in one of the following states:

  • Not configured​—No active IdPs 
  • Disabled​—At least one active IdP, and SAML is not checked on the Authentication form 
  • Enabled​—At least one active IdP, and SAML is checked on the Authentication form. Your IdP will be in one of three states: 
    • Not configured​—Security certificate is expired 
    • Inactive​—Valid metadata, valid security certificate 
    • Active​—Valid metadata, valid security certificate, not sharing entity ID with another active IdP on your account, and activated
Was this article helpful?
YesNo