Frequently Asked Questions When Setting Up SAML
As you set up SAML for your organization, you can use this as a resource if you have any configuration questions.
How do I test the SAML configuration without disrupting other people in my Smartsheet account?
While configuring SAML, you can leave the other authentication options enabled. After you have tested SAML, you can then restrict your plan’s authentication options.
For example, by default most users access Smartsheet with a direct email address set up upon account creation. This can remain in place while SAML is configured and tested.
More on how to manage authentication options as a System Admin can be found in this help article.
How do I restrict SSO options?
Under Manage Authentication Options (more on that here) you can elect which authentication options are available to users on your plan.
What if I want to require my Smartsheet end-users to sign in with our SAML solution, but also want my other System Admins to have the option to sign in with “Email + Password”?
This is possible and recommended. When you disable the “Email + Password” option on your plan, Smartsheet will prompt you with a “Keep Email + Password for Sys Admins (fallback)” option.
What if I restrict my Smartsheet plan to SAML, but some people in my account do not have login credentials set up in my IdP?
If you restrict your account to SAML only, people who are in your account (listed in the User Management window), but who are not in your organization’s IdP, will not be able to sign in. Each domain will need to be configured in the Smartsheet SAML setup window (see Set Up SAML 2 for SSO) for those users to sign in when the account is restricted to the SAML-only sign-in option.
If you have people who don’t have login credentials on your IdP, there are a few ways that you can still configure SAML for your organization and grant these people access to their accounts:
- Enable another authentication option (Google, Microsoft, Email + Password) that will work for the affected people.
- Configure SAML for the domain they use for their Smartsheet account (if your company owns the domain).
- Partner with your IT team to create credentials in your IdP for the people who do not already have accounts.
If you need to create new credentials for someone in your IdP, make sure to use the same email address they currently use to sign in to their account. If you need to create an entirely new email address for them, reach out to Smartsheet Support or your Account team directly for guidance on the best way to add that new email address to their Smartsheet account so they can sign in with it.
In which section of the SAML token do customers need to pass the certificate?
Add the certificate to the <KeyInfo> section of your metadata:
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://sso.smartsheet.com/saml">
<md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol">
<ds:X509Certificate> ***Certificate goes here*** </ds:X509Certificate>
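As an added example (not Smartsheet's code), this Python script reads a metadata document, pulls each certificate out of <ds:KeyInfo>, rejects an unreplaced placeholder, and returns the SHA-256 fingerprint to compare against the one your IdP displays. The sample metadata, its idp.example.com entityID and the placeholder certificate bytes are constructed for illustration.

```python
import base64
import binascii
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def metadata_cert_fingerprints(metadata_xml):
    """Return the SHA-256 fingerprint of each certificate under <ds:KeyInfo>."""
    # Parse only metadata exported from your own IdP; use a hardened XML
    # parser (for example defusedxml) for documents from untrusted sources.
    root = ET.fromstring(metadata_xml)
    fingerprints = []
    for node in root.iterfind(".//ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
        b64 = "".join((node.text or "").split())  # base64 is often line-wrapped
        try:
            der = base64.b64decode(b64, validate=True)
        except binascii.Error as exc:
            raise ValueError("X509Certificate is not valid base64") from exc
        if not der.startswith(b"\x30"):  # a DER certificate opens with SEQUENCE
            raise ValueError("X509Certificate does not decode to DER data")
        digest = hashlib.sha256(der).hexdigest().upper()
        fingerprints.append(":".join(digest[i:i + 2] for i in range(0, 64, 2)))
    if not fingerprints:
        raise ValueError("no X509Certificate found inside <ds:KeyInfo>")
    return fingerprints

# Constructed sample: placeholder bytes with a DER SEQUENCE header, not a real
# certificate, and a hypothetical IdP entityID.
SAMPLE_DER = b"\x30\x20" + bytes(range(32))
SAMPLE_METADATA = """<md:EntityDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.com/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>
          {cert}
        </ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>""".format(cert=base64.b64encode(SAMPLE_DER).decode())

if __name__ == "__main__":
    for fp in metadata_cert_fingerprints(SAMPLE_METADATA):
        print("SHA-256", fp)
```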
Does Smartsheet use the nameid/subject section of the SAML response to authenticate the user? If so what value would be used?
Yes. The Persistent Id / Name ID claim is required. The emailAddress is the most commonly used claim. More information on this can be seen in the following Help Center articles.
Set up SAML 2 for single sign-on to Smartsheet - See the "Keep these things in mind" block. This section also links you to more details within the SAML Assertion: Supported Claims Examples in Smartsheet article.
Single Log Out (SLO) is a protocol that allows a user to terminate all server sessions established via SAML by initiating the logout process once. How does Smartsheet handle Single Log Out (SLO) requests?
Smartsheet does not support single log out with respect to third party IdPs. Even if SLO were to trigger logout at our SAML SP, it would not invalidate the Smartsheet session.
Single log-out support is only with respect to the Smartsheet ecosystem. When you sign out from an app within the Smartsheet ecosystem, you are signed out from the rest of the Smartsheet ecosystem.
What binding method does Smartsheet use for SAML Setup?
The Smartsheet Service Provider supports both HTTP-POST and HTTP-Redirect binding methods. It is up to you how you configure your IdP.
Information on the difference between the two methods can be found at:
Does your application validate the signature in the SAML response with the certificate our organization will provide?
Yes, as part of the SAML flow the response signature is validated using the certificate.
If you support SP-initiated SSO do you sign the AuthN request?
The Smartsheet SAML login flow is an SP-initiated SSO flow.
The Smartsheet SP is not configured to sign the AuthN request.
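To see how the two binding methods and the unsigned AuthN request look on the wire, the following added example (not Smartsheet's code) decodes a SAMLRequest captured at your IdP under either binding and reports whether it carries a signature. This is useful when checking that the IdP is not set to require signed requests. The sample request is constructed: its Issuer is the entityID shown on this page, while the ID, timestamp and idp.example.com destination are hypothetical.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlsplit

SAMLP = "{urn:oasis:names:tc:SAML:2.0:protocol}"
SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"
MAX_XML = 64 * 1024  # cap inflated size so a crafted request cannot exhaust memory

def _describe(xml_bytes, binding, signed):
    root = ET.fromstring(xml_bytes)
    if root.tag != SAMLP + "AuthnRequest":
        raise ValueError("not a SAML AuthnRequest")
    return {"binding": binding, "signed": signed,
            "issuer": root.findtext(SAML + "Issuer"),
            "destination": root.get("Destination")}

def from_redirect_url(url):
    """HTTP-Redirect: SAMLRequest is raw DEFLATE + base64; signature is in the query."""
    query = parse_qs(urlsplit(url).query)
    inflater = zlib.decompressobj(-15)
    xml_bytes = inflater.decompress(base64.b64decode(query["SAMLRequest"][0]), MAX_XML)
    if inflater.unconsumed_tail:
        raise ValueError("inflated SAMLRequest exceeds size cap")
    return _describe(xml_bytes, "HTTP-Redirect", "Signature" in query and "SigAlg" in query)

def from_post_field(saml_request):
    """HTTP-POST: SAMLRequest is base64 only; a signature is an embedded ds:Signature."""
    xml_bytes = base64.b64decode(saml_request)
    signed = ET.fromstring(xml_bytes).find(DS + "Signature") is not None
    return _describe(xml_bytes, "HTTP-POST", signed)

# Constructed sample request. The Issuer is the entityID shown on this page;
# the ID, timestamp and idp.example.com destination are hypothetical.
SAMPLE_XML = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed-1" '
    'Version="2.0" IssueInstant="2024-01-01T00:00:00Z" '
    'Destination="https://idp.example.com/sso">'
    '<saml:Issuer>https://sso.smartsheet.com/saml</saml:Issuer>'
    '</samlp:AuthnRequest>').encode()

def sample_redirect_url():
    deflater = zlib.compressobj(9, zlib.DEFLATED, -15)
    packed = base64.b64encode(deflater.compress(SAMPLE_XML) + deflater.flush())
    return "https://idp.example.com/sso?" + urlencode({"SAMLRequest": packed.decode()})

if __name__ == "__main__":
    print(from_redirect_url(sample_redirect_url()))
    print(from_post_field(base64.b64encode(SAMPLE_XML).decode()))
```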
What login options are available to .GOV accounts?
Login options for .GOV organizations in Smartsheet are set by the SysAdmin. The available login options are:
- Microsoft Azure AD
Apple is NOT an available login option within Gov. organizations.