Applies to

Smartsheet
  • Enterprise

Frequently asked questions when setting up SAML


As you set up SAML for your organization, you can use this as a resource if you have any configuration questions.

How do I test the SAML configuration without disrupting other people in my Smartsheet account?

While configuring SAML, you can leave the other authentication options enabled. After you have tested SAML, you can then restrict your plan’s authentication options.

For instance, most users initially sign in to Smartsheet with Email + Password, using the email address created during account setup. This can remain unchanged while SAML is being configured and tested.

More on how to manage authentication options as a System Admin can be found in this help article.

How do I restrict SSO options?

Under Manage Authentication Options (more on that here) you can elect which authentication options are available to users on your plan.

What if I want to require my Smartsheet end-users to sign in with our SAML solution, but also want my other System Admins to have the option to sign in with Email + Password?

This is possible and recommended. When you disable the Email + Password option on your plan, Smartsheet will prompt you with a Keep Email + Password for Sys Admins (fallback) option.

What if I restrict my Smartsheet plan to SAML, but some people in my account do not have login credentials setup in my IdP?

If you limit your account to SAML only, users in your account who are not in your organization’s IdP will be unable to sign in. Each email domain those users sign in with must also be configured in the Smartsheet SAML setup window (see Set Up SAML 2 for SSO); otherwise they cannot sign in once the account is restricted to the SAML-only sign-in option.

If you have people who don’t have login credentials on your IdP, there are a few ways that you can still configure SAML for your organization and provide account access to these people:

  • Enable an additional authentication option (Google, Microsoft, Email + Password) for those affected.
  • Configure SAML for the domain they use for their Smartsheet account (if your company owns the domain).
  • Partner with your IT team to create credentials in your IdP for the people who do not already have accounts. 


If you need to create a new email address for someone, please contact Smartsheet Support or your Account team directly for guidance on the best way to add the new email address to their Smartsheet account so they can sign in with it.

In which section of the SAML token do customers need to pass the certificate?

Add the certificate to the <KeyInfo> section of your metadata. The value of <ds:X509Certificate> is the base64 body of the X.509 certificate; the PEM -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines are not part of it.

Code Snippet

<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://sso.smartsheet.com/saml">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol">
    <md:KeyDescriptor>
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate> ***Certificate goes here*** </ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
  </md:SPSSODescriptor>
</md:EntityDescriptor>

Does Smartsheet use the nameid/subject section of the SAML response to authenticate the user? If so what value would be used?

Yes. The NameID element in the Subject (the Persistent ID / Name ID claim) is required; the emailAddress format is the most commonly used value. More information can be found in the following Help Center articles.

Set up SAML 2 for single sign-on to Smartsheet - See the Keep these things in mind block. This section also links you to more details within the SAML Assertion: Supported Claims Examples in Smartsheet article.


Single Log Out (SLO) is a protocol that allows a user to terminate all server sessions established via SAML by initiating the logout process once. How does Smartsheet handle Single Log Out (SLO) requests?

Smartsheet does not support Single Log Out with third-party IdPs. Even if an SLO request from your IdP were to trigger a logout at the Smartsheet SAML SP, it would not invalidate the Smartsheet session: a user who has already signed in stays signed in until the Smartsheet session itself ends.

Single log-out support exists only within the Smartsheet ecosystem. When you sign out from one app in the Smartsheet ecosystem, you are signed out of the rest of the Smartsheet ecosystem.


What binding method does Smartsheet use for SAML Setup?

The Smartsheet Service Provider supports both the HTTP-POST and HTTP-Redirect bindings, so you can configure your IdP to use either. The two differ only in how the SAML message travels: HTTP-Redirect deflates and base64-encodes it into the query string of a GET, while HTTP-POST base64-encodes it into a form field that the browser submits.
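The two bindings side by side, as an added example that is not code from this article or from Smartsheet. The AuthnRequest, the sp.example.com and idp.example.com URLs and the RelayState value are constructed placeholders; the encoding steps themselves (raw DEFLATE plus base64 plus URL-encoding for HTTP-Redirect, base64 only for HTTP-POST) are what the bindings specify.

```python
import base64
import urllib.parse
import zlib

# Constructed sample AuthnRequest; the ID, URLs and timestamp are placeholders,
# not values from Smartsheet or any real IdP.
AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_req-placeholder-1" '
    'Version="2.0" IssueInstant="2024-01-01T00:00:00Z" '
    'AssertionConsumerServiceURL="https://sp.example.com/saml/acs">'
    '<saml:Issuer>https://sp.example.com/saml</saml:Issuer>'
    '</samlp:AuthnRequest>'
)


def encode_redirect(xml, relay_state=None):
    """HTTP-Redirect binding: the message is raw-DEFLATEd (no zlib header),
    base64-encoded and then URL-encoded into the query string of a GET."""
    deflater = zlib.compressobj(wbits=-15)  # negative wbits = raw DEFLATE stream
    deflated = deflater.compress(xml.encode("utf-8")) + deflater.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii")}
    if relay_state is not None:
        params["RelayState"] = relay_state
    return urllib.parse.urlencode(params)


def decode_redirect(query):
    """Reverse of encode_redirect: URL-decode, base64-decode, raw-inflate."""
    params = urllib.parse.parse_qs(query, strict_parsing=True)
    if "SAMLRequest" not in params:
        raise ValueError("query string carries no SAMLRequest parameter")
    raw = base64.b64decode(params["SAMLRequest"][0], validate=True)
    return zlib.decompress(raw, wbits=-15).decode("utf-8")


def encode_post(xml):
    """HTTP-POST binding: the message is only base64-encoded and sent as the
    SAMLRequest field of an HTML form that the browser auto-submits."""
    return base64.b64encode(xml.encode("utf-8")).decode("ascii")


def decode_post(field):
    """Reverse of encode_post. Note that a POST payload is not deflated, so the
    two encodings are not interchangeable."""
    return base64.b64decode(field, validate=True).decode("utf-8")


def redirect_url(idp_sso_url, xml, relay_state=None):
    """Full GET URL for the Redirect binding. Large requests can exceed the URL
    length some proxies accept, which is one practical reason to prefer POST."""
    return idp_sso_url + "?" + encode_redirect(xml, relay_state)


if __name__ == "__main__":
    print(redirect_url("https://idp.example.com/sso", AUTHN_REQUEST, "state-1"))
    print(encode_post(AUTHN_REQUEST))
```

Whichever binding the IdP is configured for, the SP must decode with the matching routine; a RelayState value is passed through unchanged and should be treated as untrusted input when the response comes back.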

Information on the difference between the two methods can be found at:

Does your application validate the signature in the SAML response with the certificate our organization will provide?

Yes, as part of the SAML flow, the response signature is validated using the certificate.
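The checks an SP runs around that signature validation, as an added example that is not Smartsheet's code and does not describe its implementation. It covers the two questions above: pulling the NameID out of the Subject and insisting the signing certificate in the response is the one the organization configured, rather than whatever certificate the message carries. The cryptographic XML-DSig verification itself is left to a proper library (for example xmlsec or signxml) and is not performed here. The Response, the example.com entity IDs and URLs, and the certificate placeholder are all constructed.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# What the SP has on file from the IdP's metadata (constructed placeholder values).
CONFIGURED = {
    "idp_entity_id": "https://idp.example.com/metadata",
    "sp_entity_id": "https://sp.example.com/saml",
    "acs_url": "https://sp.example.com/saml/acs",
    "idp_cert": "MIIC-PLACEHOLDER-CERT-BODY",  # base64 body from the IdP metadata KeyInfo
}

# Constructed sample Response; not captured from Smartsheet or any real IdP.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    ID="_resp-placeholder-1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z"
    Destination="https://sp.example.com/saml/acs">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_assertion-placeholder-1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
    <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
    <ds:Signature><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIC-PLACEHOLDER-CERT-BODY</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></ds:Signature>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://sp.example.com/saml</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def _ts(value):
    """Parse the UTC timestamps SAML uses (YYYY-MM-DDTHH:MM:SSZ)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_response(xml, cfg, now, skew_seconds=120):
    """Non-cryptographic checks on a SAML Response. Returns a dict with 'ok',
    the list of 'errors', and the extracted 'name_id'. The XML signature must
    additionally be verified by a DSig library using cfg['idp_cert']; the
    certificate embedded in the message is only compared, never trusted."""
    errors = []
    root = ET.fromstring(xml)
    now_dt, skew = _ts(now), timedelta(seconds=skew_seconds)

    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        errors.append("status not Success")
    if root.get("Destination") != cfg["acs_url"]:
        errors.append("Destination is not our ACS URL")

    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        errors.append("no Assertion element")
        return {"ok": False, "errors": errors, "name_id": None}

    if assertion.findtext("saml:Issuer", namespaces=NS) != cfg["idp_entity_id"]:
        errors.append("Issuer is not the configured IdP")

    embedded = assertion.findtext("ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate", namespaces=NS)
    if embedded is None:
        errors.append("assertion is not signed")
    elif "".join(embedded.split()) != "".join(cfg["idp_cert"].split()):
        errors.append("embedded certificate differs from configured IdP certificate")

    conditions = assertion.find("saml:Conditions", NS)
    if conditions is None:
        errors.append("no Conditions element")
    else:
        not_before, not_on_or_after = conditions.get("NotBefore"), conditions.get("NotOnOrAfter")
        if not_before and now_dt + skew < _ts(not_before):
            errors.append("assertion not yet valid")
        if not_on_or_after and now_dt - skew >= _ts(not_on_or_after):
            errors.append("assertion expired")
        audiences = [a.text for a in conditions.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if cfg["sp_entity_id"] not in audiences:
            errors.append("our entityID is not in AudienceRestriction")

    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    value = (name_id.text or "").strip() if name_id is not None else ""
    if not value:
        errors.append("no NameID in Subject")
        value = None
    elif name_id.get("Format") != EMAIL_FORMAT:
        errors.append("NameID format is not emailAddress")

    return {"ok": not errors, "errors": errors, "name_id": value}


if __name__ == "__main__":
    print(check_response(SAMPLE_RESPONSE, CONFIGURED, "2024-01-01T12:01:00Z"))
```

The certificate comparison is the point to keep: an IdP response that validates against a certificate it brought along itself proves nothing, so the configured certificate is what the signature library is handed, and a mismatch here is rejected before any signature math runs. The time window and AudienceRestriction checks stop a valid assertion issued for another SP, or replayed later, from being accepted.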


If you support SP-initiated SSO do you sign the AuthN request?

  • The Smartsheet SAML login flow is an SP-initiated SSO flow.
  • The Smartsheet SP does not sign the AuthnRequest, so the IdP must not require signed authentication requests for this SP (in IdP metadata terms, WantAuthnRequestsSigned must not be set to true).


What login options are available to .GOV accounts?

Login options for .GOV organizations in Smartsheet are set by the System Admin. The available login options are:

  • Email+Password
  • Google
  • Microsoft Azure AD
  • SAML

Apple is NOT an available login option within Gov. organizations.