Learning Track
This Help Article appears in the System Administration in Resource Management learning track. Get the most out of this learning track by starting at the beginning.
Use Single Sign On (SSO) for password management and user provisioning to increase company control of access to Resource Management and ensure the right people are securely logging in to your account.
Resource Management provides SSO using the SAML 2.0 protocol, which works with all major identity providers, including but not limited to ADFS, Azure AD, Okta, and Google. Resource Management currently supports only the Web Browser SSO profile, and only SP-initiated sign-on: the login must start from Resource Management, which redirects the user to the IdP. IdP-initiated sign-on (starting from the IdP's application portal) is not supported.
https://en.wikipedia.org/wiki/SAML_2.0
Before setting up Resource Management with SSO, create or designate a user account that will access the account with a username and password exclusively—that is, designate a user who will not log in with SSO.
This designated user provides you with a backup strategy in the event that changes are made to your SSO configuration and SSO enabled users are no longer able to log in.
Failure to establish a backup user account may result in an inability to log in to your account should SSO fail for some reason.
For customers migrating their SSO identity provider to https://rm.smartsheet.com: to ensure your team keeps access to your account, have an Administrator confirm the changes on the Account Settings > SSO configuration page immediately after you update the identity provider.
For successful sign-in authentication, the identity provider must pass a NameID claim in email address format to Resource Management. The required name identifier format supplied by the identity provider is: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
Once a user has logged in with SSO, they will no longer be allowed to log in with a username and password, and their profile email address will be locked in the application. To update their login email, please contact us for assistance.
If your SSO in Resource Management is set to Manual Configuration mode and you need to make any changes to your SSO settings in the application, we recommend switching to Automatic Configuration first (see the step-by-step guide above). Once SSO is set to Automatic, Resource Management detects changes to your IdP SSO configuration automatically.

If you would like to continue using Manual Configuration mode and make changes to your SSO configuration, do so with caution. Before making any changes to your active SSO configuration, ensure that you have at least one administrative user within your organization who has not logged in with SSO and still has a username/password login. This allows you to log in with that profile should you need to revert any changes.
Once SSO is enabled for your organization, in order to log in with username and password, click on the link labeled Sign in using your Resource Management password.
If you are encountering issues, contact support here.
| Term | Definition |
|---|---|
| EntityID | The identifier for the Service Provider. In some IdPs this is referred to as the Audience. This is supplied in the SP metadata. |
| Identity Provider (IdP) | The authority that verifies and asserts a user's identity and access to a requested resource (the "Service Provider"). |
| Service Provider (SP) | The Resource Management service that users intend to access. |
| Metadata | A set of information supplied by the IdP to the SP, and/or vice versa, in XML format. |
| IdP Metadata | Provides the Single Sign On URL, the Entity ID and the X.509 signing certificate the SP needs to verify the signature on the assertion. Enter the URL of this file to configure SSO in Resource Management automatically. |
| SP Metadata | Supplied by Resource Management at |
| NameID | An attribute within the assertion that is used to specify the user's email address. Resource Management SSO requires NameID format urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress |
| Assertion Consumer Service (ACS) URL | The SP endpoint that is dedicated to handling SAML transactions. In some IdPs this is referred to as the Single Sign On URL (SSO URL). |
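The following is an added example, not Smartsheet code, that pre-flights the two requirements this article states before you flip the SSO switch: that the IdP metadata carries a Single Sign On URL, an EntityID and a signing X.509 certificate, and that the assertion the IdP issues has a NameID in the emailAddress format and names the SP EntityID as its Audience. It uses only the Python standard library. The metadata and SAML Response below are constructed samples, and every URL and the certificate text are placeholders; the real SP EntityID comes from the SP metadata Resource Management supplies.

```python
"""Pre-flight checks for an IdP being connected to Resource Management.

Added example, not Smartsheet code. Signature verification is deliberately
left out: do that with a SAML library and the IdP certificate before
trusting any assertion. All URLs and the certificate text are placeholders.
"""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}
REQUIRED_NAMEID_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Assumed SP EntityID (placeholder); the real one is in the SP metadata from Resource Management.
SP_ENTITY_ID = "https://rm.example.com/saml/metadata"


def check_idp_metadata(xml_text):
    """Extract what the SP needs from IdP metadata; result["errors"] lists what is missing."""
    root = ET.fromstring(xml_text)
    result = {"entity_id": root.get("entityID"), "sso_urls": {}, "signing_certs": 0, "errors": []}
    if not result["entity_id"]:
        result["errors"].append("EntityDescriptor has no entityID")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        result["errors"].append("no IDPSSODescriptor (is this SP metadata by mistake?)")
        return result
    for sso in idp.findall("md:SingleSignOnService", NS):
        result["sso_urls"][sso.get("Binding")] = sso.get("Location")
    if not (set(result["sso_urls"]) & {REDIRECT, POST}):
        result["errors"].append("no SingleSignOnService with an HTTP-Redirect or HTTP-POST binding")
    # A KeyDescriptor with no 'use' attribute is valid for both signing and encryption.
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing") and \
                kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS) is not None:
            result["signing_certs"] += 1
    if result["signing_certs"] == 0:
        result["errors"].append("no signing X509Certificate; the SP cannot verify assertion signatures")
    return result


def check_response(xml_text, sp_entity_id):
    """Return the problems found in the Subject and Conditions of a SAML Response (empty list = OK)."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return ["no plaintext saml:Assertion in Response (an EncryptedAssertion must be decrypted first)"]
    errors = []
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None:
        errors.append("no NameID in Subject")
    else:
        if name_id.get("Format") != REQUIRED_NAMEID_FORMAT:
            errors.append(f"NameID Format is {name_id.get('Format')!r}, expected {REQUIRED_NAMEID_FORMAT}")
        if "@" not in (name_id.text or ""):
            errors.append("NameID value is not an email address")
    audiences = [a.text for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:
        errors.append(f"Audience {audiences} does not include the SP EntityID {sp_entity_id}")
    return errors


# Constructed sample IdP metadata (placeholder URLs and certificate text).
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.com/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIC...placeholder...</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/sso/redirect"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.com/sso/post"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed sample Response as the IdP would POST it to the ACS URL (signature omitted).
GOOD_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2024-01-01T00:00:00Z" Destination="https://rm.example.com/saml/acs">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
    <saml:Subject><saml:NameID
      Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
    </saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>https://rm.example.com/saml/metadata</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

# Same response with the common misconfiguration: NameID left as 'unspecified'.
BAD_RESPONSE = GOOD_RESPONSE.replace(REQUIRED_NAMEID_FORMAT,
                                     "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified")

if __name__ == "__main__":
    print(check_idp_metadata(IDP_METADATA))
    print("good:", check_response(GOOD_RESPONSE, SP_ENTITY_ID))
    print("bad: ", check_response(BAD_RESPONSE, SP_ENTITY_ID))
```

Run it against your real IdP metadata and a captured Response (browser developer tools, form field SAMLResponse, base64-decoded) before enabling SSO for users. The NameID check is the one that most often fails in practice: many IdPs default to the unspecified format or emit an opaque ID, and the user then cannot be matched to a Resource Management profile. Treat this as a configuration sanity check, not as validation: the assertion's XML signature, IssueInstant/NotOnOrAfter window and Destination still have to be verified by the SP before any of its contents are trusted.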