As you set up SAML for your organization, you can use this as a resource if you have any configuration questions.
How do I test the SAML configuration without disrupting other people in my Smartsheet account?
While configuring SAML, you can leave the other authentication options enabled. After you have tested SAML, you can then restrict your plan’s authentication options.
For example, by default most users access Smartsheet with a direct email address set up upon account creation. This can remain in place while SAML is configured and tested.
More on how to manage authentication options as a System Admin can be found in this help article.
How do I restrict SSO options?
Under Manage Authentication Options (more on that here) you can elect which authentication options are available to users on your plan.
What if I want to require my Smartsheet end-users to sign in with our SAML solution, but also want my other System Admins to have the option to sign in with “Email + Password”?
This is possible and recommended. When you disable the “Email + Password” option on your plan, Smartsheet will prompt you with a “Keep Email + Password for Sys Admins (fallback)” option.
What if I restrict my Smartsheet plan to SAML, but some people in my account do not have login credentials setup in my IdP?
If you restrict your account to SAML only, people who are in your account (listed in the User Management window), but who are not in your organization’s IdP, will not be able to sign in. Each domain will need to be configured in the Smartsheet SAML setup window (see Set Up SAML 2 for SSO) for those users to sign in when the account is restricted to the SAML only sign in option.
If you have people who don’t have login credentials on your IdP, there are a few ways that you can still configure SAML for your organization and grant these people access to their accounts:
- Enable another authentication option (Google, Microsoft, Email + Password) that will work for the affected people.
- Configure SAML for the domain they use for their Smartsheet account (if your company owns the domain).
- Partner with your IT team to create credentials in your IdP for the people who do not already have accounts.
NOTE: if you need to create new credentials for someone in your IdP, make sure to use the same email address they are currently using to sign in to their account. If you needed to create an entire new email address for them, you will want to reach out to Smartsheet Support or your Account team directly for guidance for the best way to add that new email address to their Smartsheet account for them to sign in with it.