Applies to
- Enterprise
IdP setups for multiple plans with the same domain
What's the best way to set up SAML and your identity provider (IdP)? Here are some examples of common setups, how they work, and why you would choose one over another.
One IdP, one plan
- The default path for setting up SAML.
- Most organizations use this configuration.
One IdP, multiple plans
For example, three different plans (each with its own user list) can all use the same IdP and metadata.
- The IdP metadata used in one Enterprise plan can be loaded into Smartsheet by other Enterprise plans.
Smartsheet recognizes that this is the same IdP and tells the System Admins of the subsequent Enterprise plans that they can't change it. Only the first plan (the plan that first set up SAML with that IdP) can change it.
Pros
- Simplest to maintain long-term since changes to the IdP metadata are made in one place, the first Enterprise plan.
Cons
- You may not have a global IdP that can be reused in this fashion.
- You can only use User Auto Provisioning (UAP) on one of the plans.
Multiple IdPs, one plan
Use user domains to route each person in the user list to the matching IdP. This works well for less centralized companies and for companies whose Smartsheet users span many domains.
Multiple IdPs, multiple plans
Each group sets up SAML independently in its own plan. This isn't recommended. If the groups attempt to use the same IdP, you'll be forced into the one IdP, multiple plans option.
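As an added illustration (not Smartsheet's code and not any Smartsheet API), the following Python models the rules from the "One IdP, multiple plans" and "Multiple IdPs, one plan" sections above: an IdP is identified by the entityID in its SAML metadata, the first plan that loads that metadata owns the configuration, later plans get the same IdP read-only, and users within a plan are routed to an IdP by e-mail domain. The plan names, domains and metadata documents are constructed for the example.

```python
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

def idp_entity_id(metadata_xml: str) -> str:
    """Return the entityID of an IdP metadata document; this is the
    (hypothetical) rule used here to decide two uploads are the same IdP."""
    root = ET.fromstring(metadata_xml)
    if root.tag != f"{{{MD_NS}}}EntityDescriptor":
        raise ValueError("expected an md:EntityDescriptor root element")
    if root.find(f"{{{MD_NS}}}IDPSSODescriptor") is None:
        raise ValueError("metadata describes no IdP role")
    return root.attrib["entityID"]

class SamlRegistry:
    """First plan to load an IdP owns it; other plans attach it read-only;
    within a plan, users are routed to an IdP by their e-mail domain."""
    def __init__(self):
        self.owner = {}    # entityID -> plan that first loaded it
        self.routes = {}   # plan -> {domain: entityID}

    def load_idp(self, plan, metadata_xml, domains):
        eid = idp_entity_id(metadata_xml)
        self.owner.setdefault(eid, plan)          # only the first loader becomes owner
        table = self.routes.setdefault(plan, {})
        for domain in domains:
            table[domain.lower()] = eid
        return self.owner[eid] == plan            # True if this plan may edit the IdP

    def can_edit(self, plan, metadata_xml):
        return self.owner.get(idp_entity_id(metadata_xml)) == plan

    def route(self, plan, email):
        domain = email.rsplit("@", 1)[-1].lower()
        try:
            return self.routes[plan][domain]
        except KeyError:
            raise LookupError(f"no IdP for domain {domain} in plan {plan}") from None

def _meta(eid):
    # Constructed, minimal IdP metadata; the endpoints are not real.
    return (f'<md:EntityDescriptor xmlns:md="{MD_NS}" entityID="{eid}">'
            '<md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
            '<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" '
            f'Location="{eid}/sso"/></md:IDPSSODescriptor></md:EntityDescriptor>')

IDP_CORP = _meta("https://idp.corp.example/saml")            # constructed
IDP_SUB = _meta("https://idp.subsidiary.example/saml")       # constructed

if __name__ == "__main__":
    reg = SamlRegistry()
    print(reg.load_idp("plan-1", IDP_CORP, ["corp.example"]))        # True: plan-1 owns it
    print(reg.load_idp("plan-2", IDP_CORP, ["corp.example"]))        # False: same IdP, read-only
    print(reg.load_idp("plan-2", IDP_SUB, ["subsidiary.example"]))   # True: second IdP, one plan
    print(reg.route("plan-2", "Ana@Subsidiary.example"))
```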