Applies to
Smartsheet
- Enterprise
Capabilities
Who can use this capability
- System Admin
Configure single sign-out (SLO) for Smartsheet and your IdP
To limit security risks, you can configure SAML so that when your users log out of Smartsheet, they are also logged out of your SAML IdP at the same time.
Find out if this capability is included in Smartsheet Regions or Smartsheet Gov.
After a System Admin configures the feature, when a user logs out of Smartsheet, they are also logged out of your IdP.
Prerequisites
- The Single Logout feature relies on the SAML (Security Assertion Markup Language) protocol for secure communication between Smartsheet and the IdP. Your IdP should have the capability to configure SAML settings for Single Logout.
- You must have System Admin level permissions in Smartsheet and your IdP to configure single logout.
- This article is specific to Okta. If you don't use Okta, follow the process according to your IdP policies using the signature certificate.
Configure single logout with Okta
These steps apply if you use Okta as your IdP for Single Sign-On (SSO) and use the SAML Application Integration Wizard to configure Single Logout (SLO):
- In the Okta Admin Console, go to Applications.
- Select the Smartsheet SAML application where you want to configure the SLO.
- In the General settings tab, on the SAML Settings panel, select Edit.
- In the SAML configuration wizard, select Next.
- On the Configure SAML page, select Show Advanced Settings.
- Select Allow application to initiate Single Logout.
- Provide the following details:
  - Single Logout URL: This is the URL for the SLO return. The URL can be your SSO URL (you can get this from your Smartsheet IdP details section) or https://app.smartsheet.com.
  - SP Issuer: This is the application's identifier. It can be an ACS URL or the SP Entity ID. The SP application also includes this value in the metadata sent in the SLO request.
  - Signature Certificate: Okta requires a digital signature for the SLO request. Download that file here. Upload a copy of the signature certificate or CA that the SP (Smartsheet) uses to sign the SLO request.
- Select Next > Finish.
Retrieve SLO details and add them to Smartsheet SAML metadata
- In the Okta Sign On settings tab, on the Settings panel, select View Setup Instructions.
- The page that appears shows the Identity Provider Single Logout URL. Copy this URL, open it in a browser, and copy its contents.
- In Smartsheet, go to Admin Center > Authentication. Paste the contents of the URL into the metadata section of the IdP on the Smartsheet SAML setup page.
- To test your SLO flow, sign in to your Smartsheet application using the Okta integration and then use the sign-out method from within the Smartsheet application. The browser should sign you out of both your Smartsheet application and Okta.
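Before pasting the copied contents into Smartsheet, you can confirm that they actually carry the logout endpoint. The following check is an added example, not Smartsheet or Okta code. It assumes the copied contents are standard SAML 2.0 IdP metadata XML; the function name `check_slo_metadata` and the sample metadata (placeholder host and certificate) are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"   # SAML 2.0 metadata namespace
DS = "{http://www.w3.org/2000/09/xmldsig#}"     # XML Signature namespace
BINDINGS = {"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
            "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"}

# Constructed sample metadata (placeholder host and certificate), not real IdP output.
SAMPLE = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.com/constructed">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>PLACEHOLDERCERT</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/constructed/slo"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/constructed/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def check_slo_metadata(xml_text):
    """Return a list of problems; an empty list means the SLO data looks complete."""
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        return ["metadata contains a DTD; refusing to parse"]
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    idp = root.find(MD + "IDPSSODescriptor")
    if root.tag != MD + "EntityDescriptor" or idp is None:
        return ["not a SAML IdP EntityDescriptor"]
    problems = []
    endpoints = idp.findall(MD + "SingleLogoutService")
    if not endpoints:  # typical when the metadata was copied before SLO was enabled
        problems.append("no SingleLogoutService element in the metadata")
    for ep in endpoints:
        loc = urlparse(ep.get("Location", ""))
        if loc.scheme != "https" or not loc.netloc:
            problems.append(f"SLO Location is not an https URL: {ep.get('Location')!r}")
        if ep.get("Binding") not in BINDINGS:
            problems.append(f"unexpected SLO binding: {ep.get('Binding')!r}")
    certs = [c.text for kd in idp.findall(MD + "KeyDescriptor")
             if kd.get("use") in (None, "signing")   # "use" is optional in SAML metadata
             for c in kd.iter(DS + "X509Certificate")]
    if not any((t or "").strip() for t in certs):
        problems.append("no signing certificate in the metadata")
    return problems
```

Call `check_slo_metadata()` on the text you copied from the browser; any returned message points at what to fix in the IdP application before you paste the metadata into Admin Center > Authentication.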