Single Sign On (SSO) for Resource Management

Applies to

Resource Management

Use Single Sign On (SSO) for password management and user provisioning to increase company control of access to Resource Management and ensure the right people are securely logging in to your account.

Resource Management provides SSO using the SAML 2.0 protocol, which works with all major providers, including but not limited to ADFS, Azure AD, OKTA, and Google. Resource Management currently only supports the Web Browser SSO profile. IdP Initiated Sign On is not supported.

https://en.wikipedia.org/wiki/SAML_2.0

Before you begin

Before setting up Resource Management with SSO, create or designate a user account that will access the account with a username and password exclusively—that is, designate a user who will not log in with SSO.

This designated user provides you with a backup strategy in the event that changes are made to your SSO configuration and SSO enabled users are no longer able to log in. 

Failure to establish a backup user account may result in an inability to log in to your account should SSO fail for some reason.

Set up SSO for your account

For customers migrating their SSO identity provider to https://rm.smartsheet.com

To ensure your team can access your account, make sure an Administrator confirms these changes on the Account Settings > SSO configuration page immediately after you update the identity provider.

  1. In your SSO identity provider (IdP) set up Resource Management as an app (relying party) using the relevant SSO configuration values from https://rm.smartsheet.com/saml/metadata.

    ACS URL: https://rm.smartsheet.com/saml/acs
    EntityID (audience): https://rm.smartsheet.com/saml/metadata
    NameID: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
  2. Log in to https://rm.smartsheet.com as an administrator. Navigate to https://rm.smartsheet.com/settings and click the SSO section. If SSO has not yet been enabled, click Setup SSO; otherwise, click Edit.

  3. Choose one of the two available configuration modes: Automatic or Manual.

    Automatic configuration is easier to set up than Manual and does not require extracting and uploading a certificate. Automatic Configuration is recommended.
    • Automatic Configuration: Enter the metadata URL supplied by your IdP. The IdP metadata provides the Single Sign On URL, the Entity ID and the x.509 certificate file required by Resource Management.

      NOTE: In Automatic Configuration mode, Resource Management dynamically fetches the latest certificates and Sign On URLs when users log in. This mode also supports multiple certificates associated with your SSO application (for example, when rotating certificates gracefully). Your identity provider must supply a publicly available metadata URL that returns XML.
    • Manual Configuration: Enter your SAML 2.0 signing certificate and URLs.

      Use this option if your IdP does not supply a publicly available metadata URL, if the metadata XML is incomplete or malformed, or if your organization prefers not to rely on mutable settings.

      NOTE: You'll need to obtain the x.509 certificate, the SSO Sign in target URL and the Logout target URL from your IdP. If you're unsure which URLs are needed, reach out to your IT department or IdP admin for assistance.

      IMPORTANT: To successfully upload your SAML 2.0 signing certificate, it must be PEM encoded. DER encoding is not supported.
  4. Select the Auto-provision authenticated users not in account option if you want to allow users to bypass the invitation process.

    When this check box is selected, new users do not need to accept an invitation to join the application. They simply visit the sign-on page, enter their email address, and are recognized as a user in the system and given the option to sign in to your company account.

    NOTE: This auto-provision check box does not automatically provision new user accounts. New user accounts must be created through the application.
  5. Click Save.

Required Attributes

For successful sign-in authentication, a NameID claim in email address format must be passed to Resource Management. The required name identifier format supplied by the identity provider is:

    urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
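Added example (not part of the original page and not Resource Management's own validator) of the check an SP-side validator would make on an incoming assertion for the requirement above: the NameID must carry the emailAddress format and hold an email address, and the assertion must be addressed to the Resource Management EntityID and ACS URL listed in the setup steps, within its validity window. The assertion XML, the issuer idp.example.test, the user and the timestamps are constructed; the assertion is unsigned, and signature verification is a separate step not shown here.

```python
"""Check that a SAML assertion carries what Resource Management requires: a NameID in
emailAddress format, addressed to the SP's EntityID and ACS URL, and still valid.
Added example, not Resource Management's own validator."""
import datetime as dt
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
# Service Provider values from the Resource Management setup steps.
SP_ENTITY_ID = "https://rm.smartsheet.com/saml/metadata"
SP_ACS_URL = "https://rm.smartsheet.com/saml/acs"

# Constructed sample assertion: issuer, user and timestamps are invented, and it is
# unsigned (signature verification is a separate step not shown here).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>https://idp.example.test/saml</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane.doe@example.test</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData Recipient="https://rm.smartsheet.com/saml/acs"
          NotOnOrAfter="2024-01-01T12:05:00Z"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://rm.smartsheet.com/saml/metadata</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>
"""


def _utc(value):
    """Parse a SAML UTC timestamp such as 2024-01-01T12:00:00Z."""
    return dt.datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=dt.timezone.utc)


def _looks_like_email(value):
    """Minimal syntactic check: one '@' with non-empty sides and no whitespace."""
    local, at, domain = value.partition("@")
    return bool(at and local and domain and "@" not in domain
                and not any(ch.isspace() for ch in value))


def check_assertion(xml_text, now_iso):
    """Return the list of requirements the assertion fails; [] means it is acceptable."""
    now = _utc(now_iso)
    problems = []
    root = ET.fromstring(xml_text)
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None:
        problems.append("no Subject/NameID in assertion")
    else:
        fmt = name_id.get("Format")
        if fmt != EMAIL_FORMAT:
            problems.append(f"NameID Format is {fmt!r}; Resource Management requires {EMAIL_FORMAT}")
        value = (name_id.text or "").strip()
        if not _looks_like_email(value):
            problems.append(f"NameID value {value!r} is not an email address")
    audiences = [a.text.strip() for a in root.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS) if a.text]
    if SP_ENTITY_ID not in audiences:
        problems.append(f"Audience {audiences} does not include the SP EntityID {SP_ENTITY_ID}")
    scd = root.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != SP_ACS_URL:
        problems.append("SubjectConfirmationData Recipient is not the Resource Management ACS URL")
    # Both Conditions and SubjectConfirmationData may carry a validity window.
    for holder in (root.find("saml:Conditions", NS), scd):
        if holder is None:
            continue
        name = holder.tag.split("}")[1]
        not_before, not_on_or_after = holder.get("NotBefore"), holder.get("NotOnOrAfter")
        if not_before and now < _utc(not_before):
            problems.append(f"{name} not yet valid")
        if not_on_or_after and now >= _utc(not_on_or_after):
            problems.append(f"{name} expired")
    return problems


if __name__ == "__main__":
    print(check_assertion(SAMPLE_ASSERTION, "2024-01-01T12:01:00Z") or "assertion acceptable")
```

The sample assertion passes at 12:01 UTC. Changing the Format attribute to the unspecified format, sending a user principal name without an "@", or presenting the assertion after its NotOnOrAfter each produce a named problem, which is what a sign-in failure against the emailAddress requirement would look like on the SP side.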

After Setup

Once a user has logged in with SSO, they will no longer be allowed to log in with a username and password, and their profile email address will be locked in the application. To update their login email, please contact us for assistance.

If your SSO in Resource Management is set to Manual Configuration mode and you need to make any changes to your SSO settings in the application, we recommend switching to Automatic Configuration first (see the step-by-step guide above). Once SSO is set to Automatic, Resource Management detects changes to your IdP SSO configuration automatically. If you would like to continue using Manual Configuration mode and make changes to your SSO configuration, do so with caution. Before making any changes to your active SSO configuration, ensure that you have at least one administrative user within your organization who has not logged in with SSO and still has a username/password login. This lets you log in with that profile should you need to revert any changes.

Once SSO is enabled for your organization, in order to log in with username and password, click on the link labeled Sign in using your Resource Management password.

If you are encountering issues, contact support here.

Common Terminology

EntityID
    The identifier for the Service Provider. In some IdPs this is referred to as the Audience. This is supplied in the SP metadata.

Identity Provider (IdP)
    The authority that verifies and asserts a user's identity and access to a requested resource (the "Service Provider").

Service Provider (SP)
    The Resource Management service that users intend to access.

Metadata
    A set of information supplied by the IdP to the SP, and/or vice versa, in XML format.

IdP Metadata
    Provides the Single Sign On URL, the Entity ID and the x.509 certificate file required by the SP to decrypt the assertion. Enter the URL of this file to automatically configure SSO in Resource Management.

SP Metadata
    Supplied by Resource Management at https://rm.smartsheet.com/saml/metadata. Contains the ACS URL, the Audience Restriction (aka EntityID), the NameID format, and an x.509 certificate if the assertion needs to be encrypted.

NameID
    An attribute within the assertion that is used to specify the user's email address. Resource Management SSO requires the NameID format urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress.

Assertion Consumer Service (ACS) URL
    The SP endpoint that is dedicated to handling SAML transactions. In some IdPs this is referred to as the Single Sign On URL (SSO URL).