Achieve consistent enforcement of your organization’s security and compliance policies with the Smartsheet - Okta SCIM integration.
USM Content
With the Smartsheet - Okta SCIM Integration, you can manage your user roles and access based on updates made in your Okta active directory environment.
Systems Admins can provision, deactivate, and manage the profile data of Smartsheet users through Okta’s active directory service. The integration allows you to provision and deactivate users through a central user directory and ensures they can no longer access company data in Smartsheet once they leave the organization.
How it works
Directory Integration (DI) uses Okta as the source of truth for seat management. Once enabled, Smartsheet automatically assigns and updates seat types based on the Okta groups your users belong to, reducing the need for manual updates in Admin Center.
Here's what happens during a sync:
- Seat assignment by group: Users receive a seat type based on their Okta group membership. Members of a licensed group (such as Smartsheet Licensed User) receive a Member seat, while users assigned the Smartsheet app but not placed in a specific group default to a Contributor seat.
- Automatic upgrades and downgrades: When a user moves between Okta groups, their seat type updates automatically during the next sync. No manual intervention is necessary.
- Privileged group takes precedence: If a user belongs to multiple groups with different roles, DI assigns the most privileged seat type.
- Provisional Members: DI upgrades Provisional Members as needed, but doesn't automatically downgrade them. System Admins must handle downgrades manually in Admin Center—or, if your plan is set to auto-downgrade, the change happens at the end of the review period. Learn more about Provisional Member settings.
- Deactivation: When a user is removed from Okta or unassigned from the Smartsheet app, they're automatically deactivated in Smartsheet on the next sync.
To reactivate a deactivated user, a System Admin must temporarily turn off DI, reactivate the user, and then re-enable DI.
Once DI is active, it overrides any manual seat changes made by System Admins in Admin Center during the next sync. It’s recommended to turn off the auto-upgrade setting in Smartsheet to avoid conflicts with IdP-driven workflows.
Provisional Members have the same access to features as regular Members, but only for a limited time. Learn more about Smartsheet’s user model and provisional membership.
Group-to-seat mapping
| Smartsheet roles | Mapping values | Variable names (preferred) | Resulting seat type |
|---|---|---|---|
| Smartsheet Licensed User | LICENSED_USER | smartsheetLicensedUser | Member |
| Smartsheet Group Admin | GROUP_ADMIN | smartsheetGroupAdmin | Member |
| Smartsheet Resource Viewer | RESOURCE_VIEWER | smartsheetResourceViewer | Member |
| Smartsheet System Admin | USER_ADMIN, PAYMENT_ADMIN, DATA_ADMIN | smartsheetSystemAdmin | Contributor |
Assigning a user to the Smartsheet app without adding them to any Okta group results in a Contributor seat type.
Supported seat type changes via group mappings
Directory Integration handles the following transitions automatically:
| From | To |
|---|---|
| Contributor | Member |
| Provisional Member | Member |
| Member | Contributor |
- If a Contributor enters a Provisional Member state and then gets added to a Member-level group in DI, they automatically upgrade to a Member seat.
- If a Contributor enters a Provisional Member state but hasn't been added to a Member Seat Type IdP group, they remain in that state until either the Admin Approval Setting downgrades them or a System Admin manually changes their seat type in Admin Center.
Unsupported seat type changes via group mappings
Directory Integration doesn't handle the following transitions. Find out where you should perform them:
| From | To | Where to act |
|---|---|---|
| Provisional Member | Contributor | Admin Center |
| Contributor | No Access | Admin Center |
| Contributor | Provisional Member | System-triggered only |
| Provisional Member | No Access | Admin Center |
| Member | No Access | Admin Center |
- Downgrading from Member to Provisional Member isn't supported directly in Admin Center or in DI.
- Deactivation is still supported by removing or deactivating the user profile in Okta.
- You must manage Guests entirely in Admin Center, as they don't exist in your IdP.
Prepare Smartsheet for the Okta/SCIM integration
Before you configure the integration, you must complete a few tasks in Smartsheet. View the setup process as a tutorial. Remember that you must be a System Admin in Smartsheet and Okta to configure the integration.
- Enable SCIM Support: Your plan needs SCIM provisioning. Contact support to activate the feature.
- Validate your domain(s): Validate each domain used with Smartsheet-Okta. You must have at least one validated domain in Smartsheet. Only plans with the primary email address on a validated domain are supported.
Generate the API token: This is required to configure automatic user provisioning with Okta. Copy and save the API Access token. You can't retrieve it, and you need the key to configure Okta.
If you don't want your users to sign up for Smartsheet through UAP, turn off the UAP setting.
Turn on Directory Integration: To use Okta SCIM, a System Admin must activate the directory integration feature via Admin Center. On the Security & Controls page, locate the Directory Integration card and toggle the feature on.
Brandfolder Image
In Smartsheet's item ownership model, plans take ownership of items rather than individual users. This means Smartsheet doesn’t transfer the items from a deprovisioned user to an escrow account because those items remain active on the plan. However, doing so is still recommended as a precautionary measure.
- Assign the Smartsheet app: Ensure the Smartsheet app is assigned to the relevant users within Okta.
- Organize users into groups: Assign users to the appropriate Okta groups to trigger the correct seat type in Smartsheet.
- Deactivate auto-upgrade (recommended): If DI is active, deactivate the auto-upgrade setting in Smartsheet to avoid conflicts with IdP-driven seat assignments.
Configure Okta for the Smartsheet integration
- Sign in to the Okta Admin page.
- Navigate to Applications > All integrations and search for Smartsheet SCIM in the application catalog. Select Smartsheet SCIM.
- Enter an application label, such as Smartsheet US.
- Set your Sign-On Options. If you're setting up SAML SSO, select View Setup Instructions towards the bottom of the page and complete the SAML SSO configuration.
- On the Advanced Sign-on Settings screen, under Credential Details, select Email for the Application username format and then select Done. This email is the user's Smartsheet account.
- Go to the Provisioning tab and select Configure API Integration.
- Select Enable API Integration and provide the Base URL:
- For Smartsheet US, use https://scim.smartsheet.com/v2
- For Smartsheet EU, use https://scim.smartsheet.eu/v2
For Smartsheet AU, use https://scim.smartsheet.au/v2
If you get an error while pushing your groups, try using these Base URLs instead:
- US: https://scim.smartsheet.com/v3
- EU: https://scim.smartsheet.eu/v3
- AU: https://scim.smartsheet.au/v3
- Enter your saved API Token into the API Token field. Select Test API Credentials to verify the token. If everything works as expected, you'll see the following message: Smartsheet SCIM was verified successfully
- Select Save. On the Provisioning tab under Settings, select To App.
- Select Edit > Enable the features you want, then save your changes.
Additional resources
Follow each link below to learn how to continue configuring the integration. It's important to follow these steps in the sequence listed here.
You can also view these articles as a step-by-step tutorial.
LCM Content
With the Smartsheet - Okta SCIM Integration, you can manage your user roles and access based on updates made in your Okta active directory environment.
Systems Admins can provision, deactivate, and manage the profile data of Smartsheet users through Okta’s active directory service. The integration allows you to provision and deactivate users through a central user directory and ensure that they can no longer access company data within Smartsheet once someone leaves the business.
Keep in mind that
Smartsheet supports unlicensed users so you can also provision Smartsheet users without any roles. Any new unlicensed user provisioned through Okta doesn't appear in Smartsheet's Admin Center until they sign in for the first time or are added to a Smartsheet group.
Prepare Smartsheet for the Okta/SCIM integration
Before you configure the integration, you must complete a few tasks in Smartsheet. View the setup process as a tutorial. Remember that you must be a System Admin in Smartsheet and Okta to configure the integration.
- Enable SCIM Support: Your plan needs SCIM provisioning. Contact support to activate the feature.
- Validate your domain(s): Validate each domain used with Smartsheet-Okta. You must have at least one validated domain in Smartsheet. Only plans with the primary email address on a validated domain are supported.
Generate the API token: This is required to configure automatic user provisioning with Okta. Copy and save the API Access token. You can't retrieve it, and you need the key to configure Okta.
If you don't want your users to sign up for Smartsheet through UAP, turn off the UAP setting.
Turn on Directory Integration: To use Okta SCIM, a System Admin must activate the directory integration feature via Admin Center. On the Security & Controls page, locate the Directory Integration card and toggle the feature on.
Brandfolder Image
Configure Okta for the Smartsheet integration
- Sign into the Okta Admin page.
- Navigate to Applications > All integrations and search for Smartsheet SCIM in the application catalog. Select Smartsheet SCIM.
- Enter an application label, such as Smartsheet US.
- Set your Sign-On Options. If you're setting up SAML SSO, select View Setup Instructions towards the bottom of the page and complete the SAML SSO configuration.
- On the Advanced Sign-on Settings screen, under Credential Details, select Email for the Application username format and then select Done. This email is the user's Smartsheet account.
- Go to the Provisioning tab and select Configure API Integration.
- Select Enable API Integration and provide the Base URL:
- For Smartsheet US, use https://scim.smartsheet.com/v2
- For Smartsheet EU, use https://scim.smartsheet.eu/v2
For Smartsheet AU, see https://scim.smartsheet.au/v2
If you get an error while pushing your groups, try using these Base URLs instead:
- US: https://scim.smartsheet.com/v3
- EU: https://scim.smartsheet.eu/v3
- AU: https://scim.smartsheet.au/v3
- Enter your saved API Token into the API Token field. Select Test API Credentials to verify the token. If everything works as expected, you'll see the following message: "Smartsheet SCIM was verified successfully"
- Select Save. On the Provisioning tab under Settings, select To App.
- Select Edit > Enable the features you want, then save your changes.
Users you remove from your Okta SCIM instance will be deactivated in Smartsheet. Deactivated users can't sign in to Smartsheet and are no longer assigned a license. That license is then available for you to reassign.
Additional resources
Follow each link below to learn how to continue configuring the integration. It's important to follow these steps in the sequence listed here.
You can also view these articles as a step-by-step tutorial.