Applies to

Resource Management

Capabilities

Who can use this capability

Resourcing Administrators can enable SSO on their accounts.

Single sign on (SSO) for Resource Management

Use single sign on (SSO) for password management, user provisioning, and to ensure people are securely logging in to your account.


This article is exclusively for existing Resource Management customers using Resource Management SSO, which is now discontinued for new sign-ups. Now, anyone requiring SSO must use Smartsheet Authentication.  

Resource Management provides SSO using the SAML 2.0 protocol, which works with all major providers, including but not limited to ADFS, Azure AD, OKTA, and Google. Resource Management supports the Web Browser SSO profile.

Only SP (Service Provider) Initiated login is supported. IdP initiated sign on is not supported.

Before you begin

First, create or designate an account that will use a username and password (not SSO) to log in. 

This account is your backup if changes to your SSO configuration leave SSO-enabled users unable to log in: it lets you log in when SSO fails. Without a backup account, you may be unable to log in.

Set up SSO for your account

Migrate your SSO identity provider to https://rm.smartsheet.com.

 

Make sure an Administrator confirms these changes on the Account Settings > SSO configuration page immediately after you update the identity provider.

 

  1. In your SSO identity provider (IdP), set up Resource Management as an app (relying party) using the relevant SSO configuration values from https://rm.smartsheet.com/saml/metadata.

    ACS URL: https://rm.smartsheet.com/saml/acs
    EntityID (audience): https://rm.smartsheet.com/saml/metadata
    NameID: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
  2. Log in to https://rm.smartsheet.com as an administrator. Navigate to https://rm.smartsheet.com/settings and select the SSO section. If SSO has not yet been enabled, select Setup SSO; otherwise, choose Edit.
  3. Add the URL to your IdP Metadata. Then choose one of the two available configuration modes: automatic or manual.
    • Automatic Configuration: Enter your IdP supplied metadata URL. IdP supplied metadata provides the Single Sign On URL, the Entity ID and the x.509 certificate file required by Resource Management. Automatic configuration is easier to configure than manual and does not require extracting and uploading a certificate.  

      The Automatic Configuration SSO mode in Resource Management will dynamically fetch the latest certificates and Sign On URLs when users log in to Resource Management. This mode also supports scenarios where you have multiple certificates associated with your SSO application (i.e. rotating certificates gracefully). Your identity provider must supply a publicly available metadata URL as XML.

    • Manual Configuration: Enter your SAML 2.0 signing certificate and URLs.
      Use this option if your IdP does not supply a publicly available metadata URL, the metadata XML is incomplete or malformed, or your organization does not want mutable settings.

      Obtain the x.509 certificate, SSO Sign in target URL, and Logout target URL from your IdP. If you're unsure what URLs are needed, reach out to your IT department or IdP admin for assistance.

       

      Your SAML 2.0 signing certificate must be PEM encoded. DER encoding is not supported.

      [Image: automatic configuration for RM SSO]

  4. Select the Auto-provision authenticated users not in account option to allow users to bypass the invitation process.
    When you select this check box, new users do not need to accept an invitation to join the application. They can visit the sign-in page, enter their email address, and they will be recognized as a user in the system with the option to sign into your company account.

    This auto-provision check box does not automatically provision new user accounts. New user accounts must be created through the application.

  5. Select Save.

Required attributes

For successful sign-in authentication, a NameID claim with the format of an email address must be passed to Resource Management. The required name identifier format supplied by the identity provider is:

urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
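
A pre-flight check for step 3 and the NameID requirement above, as an added example that is not Resource Management's own code: it parses IdP metadata, reports what automatic configuration would find missing, and returns each signing certificate in the PEM form that manual configuration requires. The function name `check_idp_metadata`, the IdP URLs and the certificate bytes are constructed for illustration.

```python
import base64
import ssl
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD, "ds": "http://www.w3.org/2000/09/xmldsig#"}
EMAIL_NAMEID = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"  # required by the page
LABELS = {"entity_id": "entityID", "sso_urls": "SingleSignOnService", "certs_pem": "signing certificate"}

def check_idp_metadata(xml_text):
    """Return (info, problems); problems is empty when the metadata is complete."""
    info, problems = {"entity_id": None, "sso_urls": [], "certs_pem": []}, []
    try:  # your own IdP's metadata; use a hardened parser (defusedxml) for untrusted XML
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return info, [f"malformed XML: {exc}"]
    idp = root.find("md:IDPSSODescriptor", NS)
    if root.tag != f"{{{MD}}}EntityDescriptor" or idp is None:
        return info, ["not a SAML 2.0 IdP EntityDescriptor"]
    info["entity_id"] = root.get("entityID")
    info["sso_urls"] = [s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)]
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") == "encryption":
            continue  # only signing (or unspecified-use) keys verify assertions
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            try:
                der = base64.b64decode("".join((cert.text or "").split()), validate=True)
            except ValueError:
                der = b""
            if der[:1] == b"\x30":  # DER certificates begin with an ASN.1 SEQUENCE tag
                info["certs_pem"].append(ssl.DER_cert_to_PEM_cert(der))  # PEM for manual mode
            else:
                problems.append("X509Certificate is not base64-encoded DER")
    problems += [f"missing {label}" for key, label in LABELS.items() if not info[key]]
    formats = [(f.text or "").strip() for f in idp.findall("md:NameIDFormat", NS)]
    if formats and EMAIL_NAMEID not in formats:  # assumption: an absent list is not an error
        problems.append("emailAddress NameID format not advertised")
    return info, problems

SAMPLE_DER = b"\x30\x82" + b"constructed placeholder, not a certificate" * 2  # constructed sample
SAMPLE = f"""<md:EntityDescriptor xmlns:md="{MD}" xmlns:ds="{NS['ds']}" entityID="https://idp.example.com/metadata">
<md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>{base64.b64encode(SAMPLE_DER).decode()}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
<md:NameIDFormat>{EMAIL_NAMEID}</md:NameIDFormat>
<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.example.com/sso"/>
</md:IDPSSODescriptor></md:EntityDescriptor>"""

if __name__ == "__main__":
    print(check_idp_metadata(SAMPLE)[1] or "metadata complete")
```

The check confirms structure only; it does not validate the certificate's contents or expiry.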

After setup

Once a user logs in with SSO, they cannot log in with a username and password, and their profile email address will be locked in the application. To update their login email, contact us for assistance.

If your SSO in Resource Management is set to Manual Configuration mode, and you need to make changes to your SSO settings in the application, first enable Automatic Configuration using the steps above. Once SSO is set to Automatic, Resource Management will detect changes to your IdP SSO configuration. 

If you use Manual Configuration mode and make changes to your SSO configuration, do so with caution. Before making changes to your active SSO configuration, ensure that you have at least one administrative user who does not log in with SSO and still has a username/password login. This will allow you to log in with that profile should you need to revert any changes.

Once SSO is enabled for your organization, in order to log in with username and password, select the link labeled Sign in using your Resource Management password.

If you are encountering issues, contact support.
