Configure Entra ID for plan-level OIDC or SAML with Smartsheet

In both configurations, Entra ID controls your Entra ID's authentication settings. Entra ID controls all SSO policies and settings adjustments, not Smartsheet. 

• Open ID Connect (OIDC): Use the built-in Microsoft button and the corresponding Enterprise App in Entra ID (3290e3f7-d3ac-4165-bcef-cf4874fc4270). To restrict to Entra ID-only, use Smartsheet's authentication settings. 
• SAML: Create a new Enterprise app for Smartsheet in Entra ID and configure the SAML setup and user attribution in the app directly. This method provides more control over specific user attributes. 

Smartsheet offers SCIM provisioning with the Entra ID provisioning service, but it isn't a requirement for SSO. 

Keep in mind that Entra ID for OIDC or SAML is a plan-level configuration.

Set up SSO with OIDC

1. In Entra ID Enterprise Apps, browse to or search for the pre-built Smartsheet Enterprise App (ID 3290e3f7-d3ac-4165-bcef-cf4874fc4270).
2. Review Entra ID's settings, such as visibility to users and assignment required. User.read is the only required claim Smartsheet uses.
3. Activate and test the Microsoft Entra ID option in Smartsheet’s authentication settings.
4. When the test works, communicate the change to your users and disable any other authentication options. 

Configure Entra ID for SAML with Smartsheet

If you need more control over the login specifics, configure SAML with Entra ID as the SAML Identity Provider (IdP). As with OIDC, most configuration changes take place in Entra ID, not Smartsheet. 

When you set up SAML configuration between Smartsheet and Entra ID, users see the Your Company Account button on the Smartsheet login screen.

You must be a sysadmin on Smartsheet and Entra ID to configure Entra ID for OIDC or SAML with Smartsheet.

To configure Entra ID with SAML: 

You can't set up SAML on the Smartsheet-owned gallery app (ID 329..) in Entra ID. The built-in app offers control over OIDC SSO, a different option. To set up SAML in Entra ID, create a new enterprise app as follows:

In the basic SAML configuration, enter the following:

• Entity ID: https://sso.smartsheet.com/saml
• Reply URL: https://sso.smartsheet.com/Shibboleth.sso/SAML2/POST
• Sign-on URL: https://app.smartsheet.com/b/home

In User Attributes & Claims, Entra ID provides the following defaults:

• Unique User Identifier: user.userprincipalname
• Email address: user.mail
• Name: user-userprincipalname

The default Additional Claim of Name: user-userprincipalname causes an unexpected error. Delete it for SAML via Entra ID to work.

Under SAML signing certificate: 

1. Make sure Status = Active
2. Confirm your notification email. You receive a notification at this email when the certificate approaches expiry. 
3. Download Federation Metadata XML and open the file in Notepad or another raw text editor.
4. From the left panel, under Manage, select Properties, and scroll to the bottom to turn off User assignment required? Turning this feature off makes testing easier, and users are already managed in the Smartsheet userlist.  
5. Log in to Admin Center and select Authentication > SAML.
6. Select Edit Configuration next to SAML and select Add IdP.
7. Name the IdP (e.g., Entra IDSAML) and paste in the downloaded metadata. Save your changes. 
8. In the Edit IdP window, select Activate.
9. Close the Edit IdP window and the SAML Administration window.
10. In the Authentication window, select SAML.
11. Save your changes. 

The Company Account button for login via SAML should appear on the login screen. The newly created IdP for Entra ID SAML provides an SSO URL as a shortcut to SAML.

Set your SSO method in Smartsheet's Admin Center

1. On the left navigation bar, select Account. 
2. In the Account menu, select Admin Center. 
3. Select Security/Safe Sharing List. For more information about the other options on this page, see Security Controls.
4. In the Authentication section, select Edit.
5. Select your desired authentication options. You must select at least one.