As you set up Security Assertion Markup Language (SAML) for your organization, you can use this as a resource if you have any configuration questions.
How do I test the SAML configuration without disrupting other people in my Smartsheet account?
While configuring SAML, you can leave the other authentication options enabled. After you've tested SAML, you can then restrict your plan's authentication options.
For instance, most users initially access Smartsheet using a direct email address created during the account setup process. This can remain unchanged while SAML is being configured and tested.
Learn more about how to manage authentication options as a System Admin.
How do I restrict SSO options?
You can select which authentication options are available to users on your plan. Learn more about managing authentication options as a System Admin.
What if I want to require my Smartsheet end-users to sign in with our SAML solution, but also want my other System Admins to have the option to sign in with Email + Password?
This is possible and recommended. When you disable the Email + Password option on your plan, Smartsheet prompts you with a Keep Email + Password for Sys Admins (fallback) option.
What if I restrict my Smartsheet plan to SAML, but some people in my account don't have sign-in credentials set up in my IdP?
If you limit your account to SAML only, users who aren't in your organization’s Identity Provider (IdP) can't sign in. You must configure each domain in the Smartsheet SAML setup window for those users to sign in when the account is restricted to the SAML-only sign-in option.
If you have people who don’t have sign-in credentials on your IdP, there are a few ways that you can still configure SAML for your organization and provide account access to these people:
- Enable an additional authentication option (Google, Microsoft, Email + Password) for those affected.
- Configure SAML for the domain they use for their Smartsheet account (if your company owns the domain).
- Partner with your IT team to create credentials in your IdP for the people who don't already have accounts.
If you need to create a new email address for someone, contact Smartsheet Support or your Account team directly for guidance on how to add the new email to their Smartsheet account so they can sign in with it.
In which section of the SAML token do customers need to pass the certificate?
Add the certificate to the <KeyInfo> section of your metadata:
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://sso.smartsheet.com/saml">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol">
    <md:KeyDescriptor>
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate> ***Certificate goes here*** </ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
Does Smartsheet use the nameid/subject section of the SAML response to authenticate the user? If so, what value would be used?
Yes. The Persistent ID / Name ID claim is required; the emailAddress claim is the most commonly used value. You can find more information on this in the Smartsheet Help Center.
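As an added example, not Smartsheet's code or part of this article: a stdlib-only Python pre-flight check that pulls the certificate out of the KeyDescriptor/KeyInfo/X509Data/X509Certificate path of IdP metadata (tolerating PEM armour and line breaks, which trip up many setups) and confirms that an assertion carries the required Subject/NameID claim. The metadata, entityID, response and the five-byte certificate stand-in are constructed placeholders, not real values.

```python
import base64
import re
import xml.etree.ElementTree as ET  # use defusedxml.ElementTree for untrusted input
from typing import Tuple

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def extract_signing_cert(metadata_xml: str) -> bytes:
    """DER bytes of the certificate under KeyDescriptor/KeyInfo/X509Data/X509Certificate.
    Tolerates PEM headers and line breaks; raises ValueError if missing or not DER."""
    root = ET.fromstring(metadata_xml)
    path = ".//md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate"
    cert = root.find(path, NS)
    if cert is None:
        raise ValueError("no X509Certificate inside KeyDescriptor/KeyInfo")
    text = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", cert.text or "")
    der = base64.b64decode("".join(text.split()), validate=True)
    if not der or der[0] != 0x30:  # a DER certificate starts with a SEQUENCE tag
        raise ValueError("X509Certificate content is not DER")
    return der

def extract_nameid(response_xml: str) -> Tuple[str, str]:
    """(Format, value) of Subject/NameID; raises ValueError when the claim is absent."""
    nameid = ET.fromstring(response_xml).find(".//saml:Subject/saml:NameID", NS)
    if nameid is None or not (nameid.text or "").strip():
        raise ValueError("assertion carries no Subject/NameID claim")
    return nameid.get("Format", "unspecified"), nameid.text.strip()

# Constructed sample inputs: placeholder entityID and a 5-byte DER stand-in, not a real cert.
SAMPLE_IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.invalid/placeholder">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>-----BEGIN CERTIFICATE-----
MAMC
AQE=
-----END CERTIFICATE-----</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed" Version="2.0">
  <saml:Assertion><saml:Subject><saml:NameID
    Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">user@example.com</saml:NameID>
  </saml:Subject></saml:Assertion></samlp:Response>"""
```

Run `extract_signing_cert(SAMPLE_IDP_METADATA)` and `extract_nameid(SAMPLE_RESPONSE)` against your own IdP metadata and a captured test response before switching the plan to SAML-only.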
Single logout (SLO) is a protocol that allows a user to terminate all server sessions established via SAML by initiating the logout process once. How does Smartsheet handle single logout (SLO) requests?
Smartsheet doesn't support single logout with respect to third-party IdPs. Even if SLO were to trigger logout at our SAML SP, it wouldn't invalidate the Smartsheet session.
Single logout support is only with respect to the Smartsheet ecosystem. When you sign out of an app within the Smartsheet ecosystem, you sign out of the rest of the Smartsheet ecosystem.
What binding method does Smartsheet use for SAML Setup?
The Smartsheet Service Provider supports both HTTP-POST and HTTP-Redirect binding methods. You can configure your IdP in any way you like.
Information on the difference between the two methods can be found at:
Does your application validate the signature in the SAML response with the certificate our organization provides?
Yes, as part of the SAML flow, the response signature is validated using the certificate.
If you support SP-initiated SSO, do you sign the AuthN request?
- The Smartsheet SAML sign-in flow is an SP-initiated SSO flow.
- The Smartsheet SP isn't configured to sign the AuthN request.
What sign-in options are available to Gov accounts?
System Admins are responsible for setting sign-in options for Gov organizations in Smartsheet. The available sign-in options are:
- Email + Password
- Microsoft Entra ID
- SAML
Apple is not an available sign-in option within Gov organizations.