Applies to

Smartsheet
  • Enterprise

Capabilities

Who can use this capability

  • System Admin

SAML troubleshooting: Capture an assertion

Who can use this?

Plans:

  • Enterprise

Permissions:

  • System Admin

Find out if this capability is included in Smartsheet Regions or Smartsheet Gov.

Overview

During a SAML sign-in, the browser, the service provider (SP, also known as Smartsheet), and the identity provider (IdP, which could be Okta, Azure, OneLogin, etc.) exchange several requests and responses. One of these requests includes the assertion, where the IdP provides the SP with information about the user logging in, such as the 509 certificate, persistent ID (IdP unique identifier), and email address (Smartsheet unique identifier).


What's an assertion?

An assertion is information passed from the Identity Provider (IdP) to Smartsheet or Resource Management. The assertion contains the authentication information Smartsheet needs to verify that the right person is logging into the account. If users are experiencing issues logging in or setting up SAML, reviewing assertions can help to troubleshoot what might be going wrong.

Smartsheet will respond with: “Yes, your certificate is valid, and you have a valid persistent ID and email address, so you may log in.” Alternatively, it may say: “No, your certificate is invalid (not secure) or you don't have the expected persistent ID or email address. Your login failed. This error might indicate what's broken.”

The instructions below tell you how to capture the assertion. Follow them carefully, save the file, and analyze the assertion using the guidelines in this article.


To capture an assertion

  1. Close all incognito windows and open a new incognito window in Google Chrome.
    • Select the upper-right Chrome menu > New Incognito Window to start with a fresh browser.
  2. Select the upper-right Chrome menu > More Tools > Developer Tools
  3. Open the Network tab and check the box for Preserve Log.
  4. Browse to: https://app.smartsheet.com/b/home or https://rm.smartsheet.com/ if troubleshooting Resource Management.
  5. Enter your email address in the box and select Continue.
  6. If you're redirected to log in with your company credentials, go to step 7.
    • If not, a grey button labeled Your Company Account should appear at the bottom of the screen. Select the Your Company Account button and log in with your company credentials.
  7. Provide your credentials to authenticate to your company's SSO system. This should reproduce the error.
  8. Select the Network tab at the top of the Developer Tools and search for POST in the Filter field (or 'acs' for Resource Management.)
  9. Select the POST result under Name (or 'acs' for Resource Management) and then select the Payload tab to the right. Scroll down and review the SAMLResponse in the Form Data section. This is an encoded assertion.
  10. Select all of the SAMLResponse and make sure to copy it in its entirety, as it's a long section of text.
  11. Copy this encoded assertion, and browse to: https://idp.ssocircle.com/sso/toolbox/samlDecode.jsp
  12. Paste the encoded assertion message into the box under SAML Request, select the POST option below it, and select the Decode button.
  13. Select XML View
  14. Save the file.

You can now determine if there are errors or missing information. Learn how to identify issues in a SAML assertion.