Configure Azure for OIDC or SAML with Smartsheet

Applies to

Smartsheet
  • Enterprise

Capabilities

Who can use this capability

You must be a sysadmin on Smartsheet and Azure to configure Azure for OIDC or SAML with Smartsheet

You can use Azure for SSO with Smartsheet in two ways; both methods are effective. In both configurations, Azure controls your authentication settings: all SSO policies and settings changes are made in Azure, not in Smartsheet.

  • OIDC (OpenID Connect): Use the built-in Microsoft button and the corresponding Enterprise App in Azure (3290e3f7-d3ac-4165-bcef-cf4874fc4270). To restrict login to Azure only, use Smartsheet's authentication settings.
  • SAML: Create a new enterprise app for Smartsheet in Azure and configure the SAML setup and user attribution there in the app. This method provides more control over specific user attributes. 

Smartsheet offers SCIM provisioning with the Azure provisioning service, but it is not a requirement for SSO. 

Set up SSO with OIDC

  1. In Azure Enterprise Apps, browse to or search for the pre-built Smartsheet Enterprise App (ID 3290e3f7-d3ac-4165-bcef-cf4874fc4270).
  2. Review Azure settings such as visibility to users and assignment required. 
  3. Enable and test the Microsoft Azure AD option in Smartsheet’s authentication settings.
  4. When the test works, communicate the change to your users and disable any other authentication options. 

Configure Azure for SAML with Smartsheet

If you need more control over the login specifics, configure SAML with Azure as the SAML Identity Provider (IdP). As with OIDC, most configuration changes take place in Azure, not Smartsheet. 

When you set up SAML configuration between Smartsheet and Azure AD, users will see the Your Company Account button on the Smartsheet login screen.

To configure Azure AD with SAML:

You cannot set up SAML on the Smartsheet-owned gallery app (ID 329..) in Azure. The built-in app offers control over OIDC SSO, a different option. To set up SAML in Azure, create a new enterprise app as follows:

In the basic SAML configuration, enter the following:

In User Attributes & Claims, Azure will provide the following defaults:

  • Unique User Identifier: user.userprincipalname
  • Emailaddress: user.mail
  • Name: user-userprincipalname

The default “Additional Claim” of Name: user-userprincipalname will cause an unexpected error and must be deleted for SAML via Azure to work.

Under SAML Signing Certificate: 

  1. Make sure Status = Active
  2. Confirm your notification email. You will receive notification at this email when the certificate approaches expiry. 
  3. Download Federation Metadata XML and open the file in notepad or another raw text editor.
  4. From the left panel, under Manage, select Properties and scroll to the bottom to turn off the User assignment required? setting. Turning this feature off makes testing easier, and users are already managed in the Smartsheet userlist.
  5. Log in to admin.smartsheet.com > Authentication > SAML.
  6. Select Edit Configuration next to SAML and choose Add IdP.
  7. Name the IdP (e.g., AzureSAML) and paste in the downloaded metadata. Save your changes. 
  8. In the Edit IdP window, select Activate.
  9. Close the Edit IdP window and the SAML Administration window.
  10. In the Authentication window, check SAML.
  11. Save your changes. 

The Company Account button for login via SAML should appear on the login screen. The newly created IdP for Azure SAML will provide an SSO URL as a shortcut to SAML.

Set your SSO method in Smartsheet's Admin Center.

  1. On the left Navigation Bar, select Account
  2. In the Account menu, select Admin Center
  3. Select Security/Safe Sharing List. For more information about the other options on this page, see Security Controls.
  4. In the Authentication section, select Edit.
  5. Select your desired authentication options. You must select at least one.

Can I use a single Azure enterprise app to power SSO for multiple Smartsheet userlists?

Yes, Smartsheet allows you to use the same entityid across multiple userlists.

Can I change user attributes or claims in the “built-in” OIDC “Microsoft” button SSO?

No. Use SAML to control the specifics of the SSO experience.

Can I set up exceptions or grouping to apply different login experiences to different sets of users?

No, the only exception is the optional email and password fallback for system admins under SAML.

Will external Smartsheet users be affected by Azure SSO?

Only users in the Azure SSO-enabled Smartsheet userlist are affected by Authentication Settings changes, including Azure SSO. Only managed users invited by a Sys Admin or provisioned by Smartsheet can log in via SSO.

How do I account for new users after enabling SSO?

Use Smartsheet’s built-in User Auto Provisioning for your domain. You can also use Azure SCIM. Setting up Azure SCIM is a complex process so start with Smartsheet UAP; you may find it meets your needs.