Use Okta SCIM with Smartsheet

Achieve consistent enforcement of your organization’s security and compliance policies with the Smartsheet - Okta SCIM integration.

 

Who can use this?

Plans:

  • Enterprise

Permissions:

  • System Admin

Find out if this capability is included in Smartsheet Regions or Smartsheet Gov.

Overview

With the Smartsheet - Okta SCIM Integration, you can manage your user roles and access based on updates made in your Okta active directory environment.

Systems Admins can provision, deactivate, and manage the profile data of Smartsheet users through Okta’s active directory service. The integration allows you to provision and deactivate users through a central user directory and ensure that they can no longer access company data within Smartsheet once someone leaves the business.

Keep in mind that

All new users provisioned through Okta are designated provisional Members upon creation. The only exception to this rule is the System Admin role, which can be provisioned as Viewer. Upgrading or downgrading existing users is only supported through the User types and true-up page in Admin Center.

Provisional Members have the same access to features as regular Members, but only for a limited time. Learn more about the true-up process and capabilities of provisional Members.

Prepare Smartsheet for the Okta/SCIM integration

Before you configure the integration, you must complete a few tasks in Smartsheet. View the setup process as a tutorial. Remember that you must be a System Admin in Smartsheet and Okta to configure the integration.

  1. Enable SCIM Support: Your plan needs SCIM provisioning. Contact support to activate the feature.
  2. Validate your domain(s): Validate each domain used with Smartsheet-Okta. You must have at least one validated domain in Smartsheet. Only plans with the primary email address on a validated domain are supported.   

  3. Generate the API token: This is required to configure automatic user provisioning with Okta. Copy and save the API Access token. You aren't able to retrieve it, and you need the key to configure Okta.

    If you don't want your users to sign up for Smartsheet through UAP, turn off the UAP setting.

  4. Turn on Directory Integration: To use Okta SCIM, a System Admin must activate the directory integration feature via Admin Center. On the Security & Controls page, locate the Directory Integration card and toggle the feature on.

    Directory Integration feature in Admin Center

     

Configure Okta for the Smartsheet integration

  1. Sign into the Okta Admin page.
  2. Navigate to Applications > All integrations and search for Smartsheet SCIM in the application catalog. Select Smartsheet SCIM.
  3. Enter an application label, such as Smartsheet US. 
  4. Set your Sign-On Options.  If you're setting up SAML SSO, select View Setup Instructions towards the bottom of the page and complete the SAML SSO configuration.
  5. On the Advanced Sign-on Settings screen, under Credential Details, select Email for the Application username format and then select Done. This email is the user's Smartsheet account.  
  6. Go to the Provisioning tab and select Configure API Integration
  7. Select Enable API Integration and provide the Base URL:
  8. Enter your saved API Token into the API Token field. Select Test API Credentials to verify the token. If everything works as expected, you'll see the following message: "Smartsheet SCIM was verified successfully"
  9. Select Save. On the Provisioning tab under Settings, select To App
  10. Select Edit > Enable the features you want, then save your changes. 

Users you remove from your Okta SCIM instance will be deactivated in Smartsheet. Deactivated users can't sign in to Smartsheet and are no longer assigned a Member designation. That Member designation is then available for you to reassign.

Additional resources

Follow each link below to learn how to continue configuring the integration. It's important to follow these steps in the sequence listed here.

  1. Set up Smartsheet roles
  2. (Optional) Set up additional premium Connector roles

You can also view these articles as a step-by-step tutorial

Overview

With the Smartsheet - Okta SCIM Integration, you can manage your user roles and access based on updates made in your Okta active directory environment.

Systems Admins can provision, deactivate, and manage the profile data of Smartsheet users through Okta’s active directory service. The integration allows you to provision and deactivate users through a central user directory and ensure that they can no longer access company data within Smartsheet once someone leaves the business.

Keep in mind that

Smartsheet supports unlicensed users so you can also provision Smartsheet users without any roles. Any new unlicensed user provisioned through Okta doesn't appear in Smartsheet's Admin Center until they sign in for the first time or are added to a Smartsheet group.

Prepare Smartsheet for the Okta/SCIM integration

Before you configure the integration, you must complete a few tasks in Smartsheet. View the setup process as a tutorial. Remember that you must be a System Admin in Smartsheet and Okta to configure the integration.

  1. Enable SCIM Support: Your plan needs SCIM provisioning. Contact support to activate the feature.
  2. Validate your domain(s): Validate each domain used with Smartsheet-Okta. You must have at least one validated domain in Smartsheet. Only plans with the primary email address on a validated domain are supported.   

  3. Generate the API token: This is required to configure automatic user provisioning with Okta. Copy and save the API Access token. You aren't able to retrieve it, and you need the key to configure Okta.

    If you don't want your users to sign up for Smartsheet through UAP, turn off the UAP setting.

  4. Turn on Directory Integration: To use Okta SCIM, a System Admin must activate the directory integration feature via Admin Center. On the Security & Controls page, locate the Directory Integration card and toggle the feature on.

    Directory Integration feature in Admin Center

     

Configure Okta for the Smartsheet integration

  1. Sign into the Okta Admin page.
  2. Navigate to Applications > All integrations and search for Smartsheet SCIM in the application catalog. Select Smartsheet SCIM.
  3. Enter an application label, such as Smartsheet US. 
  4. Set your Sign-On Options.  If you're setting up SAML SSO, select View Setup Instructions towards the bottom of the page and complete the SAML SSO configuration.
  5. On the Advanced Sign-on Settings screen, under Credential Details, select Email for the Application username format and then select Done. This email is the user's Smartsheet account.  
  6. Go to the Provisioning tab and select Configure API Integration
  7. Select Enable API Integration and provide the Base URL:
  8. Enter your saved API Token into the API Token field. Select Test API Credentials to verify the token. If everything works as expected, you'll see the following message: "Smartsheet SCIM was verified successfully"
  9. Select Save. On the Provisioning tab under Settings, select To App
  10. Select Edit > Enable the features you want, then save your changes. 

Users you remove from your Okta SCIM instance will be deactivated in Smartsheet. Deactivated users can't sign in to Smartsheet and are no longer assigned a license. That license is then available for you to reassign.

Additional resources

Follow each link below to learn how to continue configuring the integration. It's important to follow these steps in the sequence listed here.

  1. Set up Smartsheet roles
  2. (Optional) Set up additional premium Connector roles

You can also view these articles as a step-by-step tutorial