IdP setups for multiple plans with the same domain

What's the best way to set up SAML and your identity provider (IdP)? Here are some examples of common setups, how they work, and why you would choose one instead of another. 

One IdP, One Plan

  • The default path for setting up SAML. 
  • Most organizations use this configuration. 

One IdP, Multiple Plans

For example, you can have three different plans/user lists all using the same IdP/metadata.

  • The IdP Metadata used in one Enterprise plan can be loaded into Smartsheet by other Enterprise plans.
  • Smartsheet will recognize that this is the same IdP, and let the SysAdmin for subsequent Enterprise plans know they cannot change it. Only the first plan (the plan that first set up SAML) can change it. 

Pro

  • Simplest to maintain long-term since changes to the IdP metadata are made in one place, the first Enterprise plan.

Con

  • You may not have a global IdP that can be reused in this fashion. 
  • You can only use User Auto Provisioning (UAP) on one of the plans.

Multiple IdPs, One Plan

Using user domains, route different people in the user list to the matching IdP. This works well for less centralized companies and for companies whose Smartsheet users are spread across many domains.

Multiple IdPs, Multiple Plans

Each group sets up SAML independently in its own plan. This is not recommended. If you attempt to use the same IdP, you'll be forced into the One IdP, Multiple Plans option.
