Single Sign On (SSO) for 10000ft

Applies to

10,000ft

Use Single Sign On (SSO) to centralize credential management and increase company control over who can access 10,000ft, so that only the right people log in to your account and they do so under your identity provider's policies.

10,000ft provides SSO using the SAML 2.0 protocol, which works with all major identity providers, including but not limited to ADFS, Azure AD, Okta, and Google. 10,000ft currently supports only the Web Browser SSO profile, and only service-provider-initiated sign-on: IdP-initiated sign-on is not supported.

https://en.wikipedia.org/wiki/SAML_2.0

Before you begin

Before setting up 10,000ft with SSO, create or designate a user account that will access the account with a username and password exclusively—that is, designate a user who will not log in with SSO.

This designated user is your fallback: if a change to your SSO configuration leaves SSO-enabled users unable to log in, you can still reach the account with that username and password and revert the change.

Without a backup user account you may be locked out of your account should SSO fail for any reason.

Set up SSO for your account

For customers migrating their SSO identity provider to https://rm.smartsheet.com

To ensure your team keeps access to your account, have an Administrator confirm these changes on the Account Settings > SSO configuration page immediately after you update the identity provider.

  1. In your SSO identity provider (IdP), set up 10,000ft as an application (relying party) using the SSO configuration values published in the SP metadata at https://rm.smartsheet.com/saml/metadata:

    ACS URL: https://rm.smartsheet.com/saml/acs
    EntityID (audience): https://rm.smartsheet.com/saml/metadata
    NameID: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
     
  2. Log in to https://rm.smartsheet.com as an administrator, open https://rm.smartsheet.com/settings and click the SSO section. If SSO has not yet been enabled, click Setup SSO; otherwise, click Edit.

Setup SSO

  1. Choose one of the two available configuration modes: Automatic or Manual.

    Automatic configuration is simpler than manual configuration and does not require extracting and uploading a certificate. Automatic Configuration is recommended.
    • Automatic Configuration: Enter the metadata URL supplied by your IdP. The IdP metadata provides the Single Sign On URL, the Entity ID and the X.509 certificate 10,000ft requires.

      NOTE: In Automatic Configuration mode, 10,000ft dynamically fetches the latest certificates and Sign On URLs from the metadata URL when users log in. This mode also supports multiple certificates on your SSO application (for example, rotating certificates gracefully). Your identity provider must supply a publicly available metadata URL that returns XML. Because that document is the trust anchor for every login, the URL must be HTTPS and under your organization's control: anyone who can change its contents can change which certificate 10,000ft trusts.

    • Manual Configuration: Enter your SAML 2.0 signing certificate and URLs yourself.

      Use this option if your IdP does not supply a publicly available metadata URL, if its metadata XML is incomplete or malformed, or if your organization does not want the trusted certificate and URLs to change without an administrator's action.

      NOTE: You'll need to obtain the X.509 certificate, the SSO sign-in target URL and the logout target URL from your IdP. If you're unsure which URLs are needed, ask your IT department or IdP admin for assistance.

      IMPORTANT: To upload your SAML 2.0 signing certificate successfully, it must be PEM encoded. DER encoding is not supported.
  2. Select the Auto-provision authenticated users not in account option if you want users to skip the invitation process.

    When this check box is selected, users who have been added to your account do not need to accept an invitation before joining. They visit the sign-on page, enter their email address and, once your IdP has authenticated them, are recognized as a user and offered sign-in to your company account.

    NOTE: Despite its name, this check box does not create user accounts. New user accounts must still be created through the application; the option only removes the invitation step.
  3. Click Save.
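If you end up in Manual Configuration mode (no public metadata URL, or you want the trusted certificate pinned), every value the form asks for is inside the IdP metadata document. The script below is an added example, not Smartsheet or 10,000ft code. It parses a constructed sample of IdP metadata (the entity ID, URLs and certificate bodies are placeholders), extracts the sign-in and logout target URLs per binding, re-encodes every signing certificate as PEM (the only encoding 10,000ft accepts), keeps all signing certificates so a rotation in progress is not lost, and flags what would make the save fail or weaken the setup: no signing certificate, no emailAddress NameID format, or non-HTTPS endpoints.

```python
"""Extract the Manual Configuration values (sign-in URL, logout URL, signing
certificate) from IdP metadata and re-encode each certificate as PEM.

Added example, not Smartsheet/10,000ft code. The metadata below is a
constructed sample with placeholder certificate bodies; in practice you
fetch the document from your IdP's metadata URL over HTTPS.
"""
import base64
import binascii
import textwrap
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed sample: an IdP mid-rotation, publishing two signing certificates
# and one encryption certificate. The base64 bodies are placeholders, not real DER.
SAMPLE_IDP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.com/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
      MIIBplaceholderOLDSIGNINGCERTxxx
    </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
      MIIBplaceholderNEWSIGNINGCERTxxx
    </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
      MIIBplaceholderENCRYPTIONCERTxxx
    </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/sso/redirect"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.com/sso/post"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/slo"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def to_pem(b64_cert: str) -> str:
    """Re-encode the base64 DER body from metadata as PEM. Raises ValueError for
    anything that is not base64 (e.g. a raw DER file), the upload 10,000ft rejects."""
    body = "".join(b64_cert.split())  # metadata often wraps/indents the body
    try:
        base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"certificate body is not valid base64: {exc}") from exc
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(textwrap.wrap(body, 64))
            + "\n-----END CERTIFICATE-----\n")


def _by_binding(idp, tag):
    """{"HTTP-Redirect": url, "HTTP-POST": url} for the given service element."""
    return {svc.get("Binding").rsplit(":", 1)[-1]: svc.get("Location")
            for svc in idp.findall(tag, NS)}


def idp_settings(metadata_xml: str) -> dict:
    """Parse IdP metadata into the values the Manual Configuration form asks for."""
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata (SP metadata?)")
    # A KeyDescriptor with no 'use' attribute is valid for both signing and encryption.
    signing = [to_pem(cert.text)
               for kd in idp.findall("md:KeyDescriptor", NS)
               if kd.get("use") in (None, "signing")
               for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)]
    return {
        "idp_entity_id": root.get("entityID"),
        "sso_urls": _by_binding(idp, "md:SingleSignOnService"),
        "slo_urls": _by_binding(idp, "md:SingleLogoutService"),
        "signing_certs_pem": signing,
        "nameid_formats": [f.text.strip() for f in idp.findall("md:NameIDFormat", NS)],
    }


def review(settings: dict) -> list:
    """Warnings to resolve before saving either configuration mode."""
    warnings = []
    if not settings["signing_certs_pem"]:
        warnings.append("no signing certificate: assertions cannot be verified")
    if EMAIL_FORMAT not in settings["nameid_formats"]:
        warnings.append("IdP does not advertise the emailAddress NameID format 10,000ft requires")
    for kind in ("sso_urls", "slo_urls"):
        for binding, url in settings[kind].items():
            if not url.startswith("https://"):
                warnings.append(f"{kind} {binding} is not HTTPS: {url}")
    return warnings


if __name__ == "__main__":
    s = idp_settings(SAMPLE_IDP_METADATA)
    print("Sign-in target:", s["sso_urls"].get("HTTP-Redirect"))
    print("Logout target:", s["slo_urls"].get("HTTP-Redirect"))
    print(s["signing_certs_pem"][0], *("WARNING: " + w for w in review(s)), sep="\n")
```

Which binding's URL to paste as the sign-in target depends on what 10,000ft's form expects; the script returns both so you can pick. Upload every PEM block it produces if your IdP is mid-rotation, or the old certificate will stop validating the moment the IdP switches keys.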

Required Attributes

For sign-in to succeed, the assertion must carry a NameID in email address format whose value is the user's email address. The required name identifier format, as supplied by the identity provider, is:

  1. urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
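When a login fails after setup, the fastest way to see which of the values from the IdP-side setup (ACS URL, EntityID/Audience, NameID format) is wrong is to inspect the SAML Response the IdP actually sent. The script below is an added example, not Smartsheet or 10,000ft code; the Response it checks is a constructed sample with a placeholder signature, and the IdP entity ID and user email in it are made up. It checks the fields this page lists plus the validity window and reports each mismatch. It deliberately does not verify the signature or decrypt assertions, which are the service provider's job, so a clean result means the IdP is sending the right fields, not that the assertion is trustworthy.

```python
"""Pre-flight check of a SAML Response against what 10,000ft expects: Destination
and Recipient equal the ACS URL, Audience equals the SP EntityID, the NameID uses
the emailAddress format, and the validity window contains "now".

Added example, not Smartsheet/10,000ft code. It does NOT verify the XML signature
and does not decrypt EncryptedAssertion; it inspects only the fields this page
lists. The Response is a constructed sample with a placeholder Signature element.
"""
import base64
from datetime import datetime, timezone
import xml.etree.ElementTree as ET  # use defusedxml for responses you do not control

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
ACS_URL = "https://rm.smartsheet.com/saml/acs"
SP_ENTITY_ID = "https://rm.smartsheet.com/saml/metadata"
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed sample Response; a real one is captured from the SAMLResponse POST field.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    ID="_r1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z"
    Destination="https://rm.smartsheet.com/saml/acs">
  <saml:Issuer>https://idp.example.com/saml</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
    <saml:Issuer>https://idp.example.com/saml</saml:Issuer>
    <ds:Signature><ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="https://rm.smartsheet.com/saml/acs"
            NotOnOrAfter="2024-05-01T12:05:00Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-05-01T12:00:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://rm.smartsheet.com/saml/metadata</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>
"""


def from_post_param(saml_response_b64: str) -> str:
    """The HTTP-POST binding carries the XML base64-encoded in the SAMLResponse form
    field; this decodes the value as copied from the browser's network tab."""
    return base64.b64decode(saml_response_b64).decode("utf-8")


def _ts(value: str) -> datetime:
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_response(xml_text: str, now=None) -> list:
    """Return a list of problems; empty means every check this script knows passed.
    `now` may be an aware datetime or an ISO-8601 string (handy for replaying captures)."""
    now = _ts(now) if isinstance(now, str) else (now or datetime.now(timezone.utc))
    problems = []
    root = ET.fromstring(xml_text)
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or not status.get("Value", "").endswith(":Success"):
        problems.append("StatusCode is not Success")
    if root.get("Destination") != ACS_URL:
        problems.append(f"Destination {root.get('Destination')!r} is not the ACS URL")
    a = root.find("saml:Assertion", NS)
    if a is None:
        problems.append("no plaintext Assertion (EncryptedAssertion is not handled here)")
        return problems
    if root.find("ds:Signature", NS) is None and a.find("ds:Signature", NS) is None:
        problems.append("neither Response nor Assertion carries a Signature")
    nid = a.find("saml:Subject/saml:NameID", NS)
    if nid is None:
        problems.append("Subject has no NameID")
    else:
        if nid.get("Format") != EMAIL_FORMAT:
            problems.append(f"NameID Format {nid.get('Format')!r} is not emailAddress")
        if "@" not in (nid.text or ""):
            problems.append(f"NameID value {nid.text!r} is not an email address")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != ACS_URL:
        problems.append("SubjectConfirmationData Recipient is not the ACS URL")
    elif scd.get("NotOnOrAfter") and now >= _ts(scd.get("NotOnOrAfter")):
        problems.append("SubjectConfirmationData NotOnOrAfter has passed")
    cond = a.find("saml:Conditions", NS)
    if cond is None:
        problems.append("Assertion has no Conditions")
        return problems
    if cond.get("NotBefore") and now < _ts(cond.get("NotBefore")):
        problems.append("assertion not yet valid: NotBefore is in the future (clock skew?)")
    if cond.get("NotOnOrAfter") and now >= _ts(cond.get("NotOnOrAfter")):
        problems.append("assertion expired: NotOnOrAfter has passed")
    audiences = [(x.text or "").strip()
                 for x in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        problems.append(f"Audience {audiences} does not include the SP EntityID")
    return problems


if __name__ == "__main__":
    for line in check_response(SAMPLE_RESPONSE, now="2024-05-01T12:02:00Z") or ["OK"]:
        print(line)
```

The two most common real-world findings are an Audience that is the IdP's own identifier instead of https://rm.smartsheet.com/saml/metadata, and a NameID in unspecified or persistent format because the IdP's default was never changed; both show up as a single clear line here, where the SP's error page usually does not say which field was wrong.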

After Setup

Once a user has logged in with SSO, they can no longer log in with a username and password, and their profile email address is locked in the application. To update their login email, please contact us for assistance.

If your SSO in 10,000ft is set to Manual Configuration mode and you need to change your SSO settings in the application, we recommend switching to Automatic Configuration first (see the step-by-step guide above). Once SSO is set to Automatic, 10,000ft detects changes to your IdP's SSO configuration automatically.

If you would rather stay in Manual Configuration mode and change your SSO configuration by hand, do so with caution. Before changing an active SSO configuration, make sure at least one administrative user in your organization has never logged in with SSO and still has a username/password login. That profile lets you log in and revert the change if SSO stops working.

Once SSO is enabled for your organization, in order to log in with username and password, click on the link labeled Sign in using your 10,000ft password.


If you are encountering issues, contact support here.

Common Terminology

EntityID: The identifier for the Service Provider. Some IdPs call this the Audience. It is supplied in the SP metadata.

Identity Provider (IdP): The authority that authenticates the user and asserts the user's identity to the requested resource (the Service Provider).

Service Provider (SP): The 10,000ft service that users intend to access.

Metadata: A set of information, in XML format, supplied by the IdP to the SP and/or vice versa.

IdP Metadata: Provides the Single Sign On URL, the Entity ID and the X.509 certificate the SP needs to verify the signature on the assertion. Enter the URL of this file to configure SSO in 10,000ft automatically.

SP Metadata: Supplied by 10,000ft at https://rm.smartsheet.com/saml/metadata. Contains the ACS URL, the Audience Restriction (aka EntityID), the NameID format, and an X.509 certificate for the IdP to use if the assertion needs to be encrypted.

NameID: The element in the assertion's Subject that carries the user's email address. 10,000ft SSO requires the NameID format urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress.

Assertion Consumer Service (ACS) URL: The SP endpoint that receives SAML responses. Some IdPs label this the Single Sign On URL (SSO URL).