Configure Azure for plan-level OIDC or SAML with Smartsheet
You can use Azure for SSO with Smartsheet in two ways. Both methods are effective.
Who can use this?
Plans:
- Business
- Enterprise
Permissions:
- System Admin
Find out if this capability is included in Smartsheet Regions or Smartsheet Gov.
In both configurations, authentication settings are controlled in Azure: SSO policies and setting adjustments are made in Azure, not in Smartsheet.
- OpenID Connect (OIDC): Use the built-in Microsoft button and the corresponding Enterprise App in Azure (3290e3f7-d3ac-4165-bcef-cf4874fc4270). To restrict login to Azure only, use Smartsheet's authentication settings.
- SAML: Create a new Enterprise app for Smartsheet in Azure and configure the SAML setup and user attribution in the app directly. This method provides more control over specific user attributes.
Smartsheet offers SCIM provisioning with the Azure provisioning service, but it isn't a requirement for SSO.
Keep in mind that Azure for OIDC or SAML is a plan-level configuration.
Set up SSO with OIDC
- In Azure Enterprise Apps, browse to or search for the pre-built Smartsheet Enterprise App (ID 3290e3f7-d3ac-4165-bcef-cf4874fc4270).
- Review Azure's settings, such as visibility to users and assignment required. User.read is the only required claim Smartsheet uses.
- Activate and test the Microsoft Azure AD option in Smartsheet’s authentication settings.
- When the test works, communicate the change to your users and disable any other authentication options.
Configure Azure for SAML with Smartsheet
If you need more control over the login specifics, configure SAML with Azure as the SAML Identity Provider (IdP). As with OIDC, most configuration changes take place in Azure, not Smartsheet.
When you set up SAML configuration between Smartsheet and Azure AD, users see the Your Company Account button on the Smartsheet login screen.
You must be a sysadmin on Smartsheet and Azure to configure Azure for OIDC or SAML with Smartsheet.
To configure Azure AD with SAML:
You can't set up SAML on the Smartsheet-owned gallery app (ID 329..) in Azure. The built-in app offers control over OIDC SSO, a different option. To set up SAML in Azure, create a new enterprise app as follows:
In the basic SAML configuration, enter the following:
- Entity ID: https://sso.smartsheet.com/saml
- Reply URL: https://sso.smartsheet.com/Shibboleth.sso/SAML2/POST
- Sign-on URL: https://app.smartsheet.com/b/home
In User Attributes & Claims, Azure provides the following defaults:
- Unique User Identifier: user.userprincipalname
- Email address: user.mail
- Name: user.userprincipalname
The default additional claim Name: user.userprincipalname causes an unexpected error. Delete it for SAML via Azure to work.
Under SAML signing certificate:
- Make sure Status = Active
- Confirm your notification email. You receive a notification at this email when the certificate approaches expiry.
- Download Federation Metadata XML and open the file in Notepad or another raw text editor.
- From the left panel, under Manage, select Properties, and scroll to the bottom to turn off User assignment required? Turning this feature off makes testing easier, and users are already managed in the Smartsheet userlist.
- Log in to Admin Center and select Authentication > SAML.
- Select Edit Configuration next to SAML and select Add IdP.
- Name the IdP (e.g., AzureSAML) and paste in the downloaded metadata. Save your changes.
- In the Edit IdP window, select Activate.
- Close the Edit IdP window and the SAML Administration window.
- In the Authentication window, select SAML.
- Save your changes.
The Your Company Account button for SAML login should now appear on the login screen. The newly created Azure SAML IdP also provides an SSO URL that you can use as a direct shortcut to SAML login.
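Before pasting the downloaded Federation Metadata XML into Smartsheet's Add IdP dialog, it is worth confirming that the file really is Azure's IdP metadata with an active signing certificate and SSO endpoints, and that the Name additional claim described above has been removed. The following pre-flight check is an added example, not Smartsheet's or Microsoft's code; the metadata sample, tenant ID, endpoint URLs and certificate body are constructed placeholders, and the claims dict mirrors the Azure User Attributes & Claims list as a simple name-to-source mapping.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed stand-in for the Federation Metadata XML downloaded from Azure;
# the tenant ID, Location URLs and certificate body are placeholders.
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/00000000-0000-0000-0000-000000000000/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>PLACEHOLDER-BASE64-CERT</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/TENANT-PLACEHOLDER/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://login.microsoftonline.com/TENANT-PLACEHOLDER/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

def check_idp_metadata(xml_text: str) -> dict:
    """Return entityID, SSO bindings, signing-cert count and a list of problems found."""
    root = ET.fromstring(xml_text)
    r = {"entity_id": root.get("entityID"), "sso_bindings": [], "signing_certs": 0, "issues": []}
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        r["issues"].append("root element is not md:EntityDescriptor")
        return r
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:  # SP metadata (e.g. Smartsheet's own) carries SPSSODescriptor instead
        r["issues"].append("no IDPSSODescriptor: this is not IdP metadata")
        return r
    for kd in idp.findall("md:KeyDescriptor", NS):
        # per SAML metadata, a KeyDescriptor without 'use' is valid for signing too
        if kd.get("use", "signing") == "signing" and kd.find(".//ds:X509Certificate", NS) is not None:
            r["signing_certs"] += 1
    if r["signing_certs"] == 0:
        r["issues"].append("no signing certificate: is the SAML signing certificate Active in Azure?")
    for sso in idp.findall("md:SingleSignOnService", NS):
        r["sso_bindings"].append(sso.get("Binding", "").rsplit(":", 1)[-1])
    if not {"HTTP-Redirect", "HTTP-POST"} & set(r["sso_bindings"]):
        r["issues"].append("no HTTP-Redirect or HTTP-POST SingleSignOnService endpoint")
    return r

def check_azure_claims(claims: dict) -> list:
    """Flag the default Azure 'Name' additional claim that must be deleted for Smartsheet SAML."""
    return [f"delete additional claim {k}: {v}" for k, v in claims.items()
            if k.lower() == "name" and v == "user.userprincipalname"]
```

Run `check_idp_metadata` on the real downloaded file and `check_azure_claims` on your app's claim list; an empty `issues` list and an empty claims result mean the IdP entry is ready to paste and activate.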
Set your SSO method in Smartsheet's Admin Center
- On the left navigation bar, select Account.
- In the Account menu, select Admin Center.
- Select Security/Safe Sharing List. For more information about the other options on this page, see Security Controls.
- In the Authentication section, select Edit.
- Select your desired authentication options. You must select at least one.
Can I use a single Azure enterprise app to power SSO for multiple Smartsheet userlists?
Yes, Smartsheet allows you to use the same entity ID across multiple user lists.
Can I change user attributes or claims in the “built-in” OIDC “Microsoft” button SSO?
No. Use SAML to control the specifics of the SSO experience.
Can I set up exceptions or grouping to apply different login experiences to different sets of users?
No, the only exception is the optional email and password fallback for System Admins under SAML.
Does Azure SSO affect external Smartsheet users?
Only users in the Azure SSO-enabled Smartsheet user list are affected by changes to authentication settings, including Azure SSO. Only managed users invited by a System Admin or provisioned by Smartsheet can log in via SSO.
How do I account for new users after enabling SSO?
Use Smartsheet’s built-in User Auto Provisioning for your domain. You can also use Azure SCIM. Setting up Azure SCIM is a complex process, so start with Smartsheet UAP; you may find it meets your needs.