SAML for Smartsheet

Overview

Smartsheet.com provides SAML (Security Assertion Markup Language) integration for Enterprise customers to enable a single sign-on experience with Smartsheet. Smartsheet currently only supports SAML 2. This help page is intended for technical professionals who are familiar with SAML and have access to the Identity Provider that will be configured for use with Smartsheet.com. One common Identity Provider is Microsoft Active Directory with Active Directory Federation Services.

Configuring Your Identity Provider for SAML with Smartsheet.com

1)  Obtain the Smartsheet Metadata (contact support@smartsheet.com).
2)  Configure a Relying Party within your Identity Provider using the Metadata provided.

  • Details on how to do this are specific to your Identity Provider. Please consult your documentation for further details.

3)  Smartsheet requires the following attributes to be asserted during the SAML exchange process:

  • urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
  • http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
  • The first assertion must contain a persistent ID that is the same for each user whenever they log in. The second is the user’s email address.

4)  The following attributes are recommended but optional:

  • http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
  • http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
  • As their names indicate, the first represents a user’s given name, and the second the user’s surname.
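
Before submitting the configuration, it helps to confirm that a test assertion issued by your Identity Provider carries the claims listed in steps 3 and 4. The following check is an added example, not Smartsheet code. It assumes the persistent identifier is delivered as the Subject NameID with the persistent Format, and it runs against a constructed, unsigned sample assertion. It inspects claims only and does not verify signatures.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
REQUIRED = [CLAIMS + "emailaddress"]
RECOMMENDED = [CLAIMS + "givenname", CLAIMS + "surname"]

# Constructed sample assertion (unsigned, trimmed to the relevant elements).
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID Format="{PERSISTENT}">a1b2c3d4-constructed-id</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="{CLAIMS}emailaddress">
      <saml:AttributeValue>user@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="{CLAIMS}givenname">
      <saml:AttributeValue>Pat</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def check_assertion(xml_text):
    """Return (errors, warnings) for the claims listed in steps 3 and 4."""
    root = ET.fromstring(xml_text)
    errors, warnings = [], []

    # Assumption: the persistent identifier is the Subject NameID.
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        errors.append("missing NameID")
    elif name_id.get("Format") != PERSISTENT:
        errors.append(f"NameID Format is {name_id.get('Format')!r}, expected persistent")

    # Map each attribute name to its non-empty values.
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = [v for v in values if v]

    for name in REQUIRED:
        if not attrs.get(name):
            errors.append(f"missing required attribute {name}")
    for name in RECOMMENDED:
        if not attrs.get(name):
            warnings.append(f"missing recommended attribute {name}")
    return errors, warnings
```

For the constructed sample, `check_assertion(SAMPLE_ASSERTION)` returns no errors and one warning for the missing surname claim.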

Configuring Smartsheet.com for use with your SAML Identity Provider

1)  Ensure that your account is an Enterprise account by clicking on your account Email in the upper left corner and selecting Account Admin. On the Plan and Billing Info page, make sure the Plan is Enterprise. If your plan is not Enterprise, please upgrade your account before proceeding.

2)  In Account Administration, select Security Controls. Click the “Edit” button beneath the SAML Status.

3)  On the Single Sign-on Using SAML page, check the SAML Enabled checkbox.

4)  Obtain the SAML Metadata XML for your Identity Provider and paste it into the SAML Federation Metadata text area. Consult your Identity Provider’s documentation to determine how to obtain this.

5)  Choose the appropriate sign-on option for your organization.

  • Convenience Option: Users can access Smartsheet via SAML or Smartsheet.com login page.
    • This option is useful to simplify the user provisioning process, but users must be manually removed from the organization through Smartsheet.com when they are no longer with the organization.
  • Lock-down option: Users can only access Smartsheet via SAML.
    • This option simplifies the user provisioning process and also prevents users who are no longer with the organization from being able to log on to Smartsheet. However, depending on how your Identity Provider is set up, users may need to have network access to your domain, either by being physically in the office or through a VPN, in order to sign in.

6)  Click OK.

7)  At this point, the status will change to Pending Smartsheet Action.

8)  Smartsheet will contact you regarding what domain name(s) you would like associated with your organization and will initiate the domain verification process.

9)  Once your domain(s) have been verified, Smartsheet will review your SAML Configuration and change your SAML status to Active.

Logging in via SAML

1)  Once your Identity Provider has been configured to work with Smartsheet and Smartsheet has set your SAML status to Active, you can log in using the following:

  • https://www.smartsheet.com/b/orgsso/[domain.com] where [domain.com] is the domain that has been verified by Smartsheet.

2)  The URL above will initiate the single sign-on process and will direct you to your login page for your Identity Provider, as defined in your SAML Metadata.

3)  Depending on how your Identity Provider works, you may be required to enter your sign-on credentials or authentication may happen automatically.

4)  Once authentication occurs, you will be redirected back to Smartsheet and will be granted access.

5)  New users for your organization can use the URL above to log in for the first time. Their accounts will be created during the single sign-on process.

6)  You can also manually invite users to your organization using the User Management tab in Account Administration.