Question around SSO enablement

Hi,

I am hoping you all may be able to help me with a number of questions I have with regard to enabling SSO.

  1. Can you have SSO enabled alongside standard login? – This will allow us to do a small test user case to see how it would work.
  2. Will an existing email/password user be ‘converted’ to an SSO user if they then log in via SSO with the same email address?
  3. How do I configure Smartsheet once Azure has been configured?
  4. Auto provisioning – If you have enabled auto provisioning, will this create a new account within Smartsheet for a new user and, vice versa, will auto provisioning work the same way: if the user is removed from an AD group, will they be removed from Smartsheet? How do other people manage licences for leavers?

Any help or people's experience would be really good.

Thank You

Paul

Answers

  • Hi @Paul Jenkins

    1) Yes, you can keep the Smartsheet Email + Password option available as a way to log in, even when you have SSO enabled. It's recommended that you allow the System Admins to always be able to log in this way, in case you experience any issues with other login options.

    See: Manage Authentication Options for an Enterprise Plan (System Admin)


    2) Your users will be able to log in based on the login options that you, as a System Admin, have set up for them. If they can use SSO as well as the Email + Password option, then they can use both ways to log in. If you configure it so they only have SSO, then as long as their email is in the IdP, when they enter their email address it will route them to their SSO login.

    See: Set Up SAML 2 for Single Sign-On to Smartsheet


    3) I'm not quite sure what you mean by this, but here are two articles that go through Azure AD that may be helpful for you:


    4) Yes, auto-provisioning will automatically create an account for a new user if they go to log in to Smartsheet for the first time with a Domain that you have verified and set up.

    See: Automatically add users to an Enterprise plan with User Auto-Provisioning (UAP)

    However, if you are using Azure AD, it's recommended that you either use Smartsheet's UAP or Azure's Active Directory provisioning. Here's some information from the FAQ article linked in point 3 above:

    How do we ensure users are added (similar to User Auto Provisioning) when they sign into Smartsheet for the first time?

    Once you have your groups configured and everything running, we suggest treating your SMARTSHEET_USER user group as an “all users” group. By adding all of your users to this unlicensed user group you are ensuring that they will be automatically added to your company account upon sign in. This will not impact licensing these users in the future.


    In regard to removing users, any action taken in Azure that removes a user from their assigned groups in Azure will deprovision the user in Smartsheet. This can be deleting the user or manually removing them from the assigned groups. Note: simply blocking their account will not deprovision the user.


    Cheers!

    Genevieve

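A reconciliation check for the leaver case raised in the answer above (a blocked Azure account is not deprovisioned while it stays in its assigned group), added here as an example that is not part of the original thread or of Smartsheet's or Microsoft's tooling. The records are constructed sample data and the field names (`mail`, `accountEnabled`, `groups`, `email`, `licensed`) are assumptions standing in for whatever your directory and Smartsheet user exports contain.

```python
SMARTSHEET_GROUP = "SMARTSHEET_USER"  # group name taken from the FAQ quoted in the answer

# Constructed sample exports (not real accounts); field names are assumptions.
AZURE_USERS = [
    {"mail": "ana@example.com", "accountEnabled": True, "groups": ["SMARTSHEET_USER"]},
    # Leaver whose sign-in was blocked but who was never removed from the group.
    {"mail": "Bob@Example.com", "accountEnabled": False, "groups": ["SMARTSHEET_USER"]},
    # User removed from the assigned group; should no longer be provisioned.
    {"mail": "cy@example.com", "accountEnabled": True, "groups": []},
]
SMARTSHEET_USERS = [
    {"email": "ana@example.com", "licensed": True},
    {"email": "bob@example.com", "licensed": True},
    {"email": "cy@example.com", "licensed": False},
    {"email": "dee@example.com", "licensed": True},  # absent from the directory export
]


def _norm(addr):
    """Compare addresses case-insensitively, ignoring stray whitespace."""
    return addr.strip().lower()


def reconcile(azure_users, smartsheet_users, group=SMARTSHEET_GROUP):
    """Return Smartsheet accounts whose directory state says they need review."""
    directory = {_norm(u["mail"]): u for u in azure_users}
    findings = []
    for acct in smartsheet_users:
        email = _norm(acct["email"])
        entry = directory.get(email)
        if entry is None:
            reason = "not_in_directory"
        elif group not in entry["groups"]:
            reason = "not_in_group"
        elif not entry["accountEnabled"]:
            # Blocking alone does not deprovision, so the account still exists.
            reason = "blocked_but_still_in_group"
        else:
            continue
        findings.append({"email": email, "reason": reason, "licensed": acct["licensed"]})
    # Licensed accounts first: those are the ones holding a licence for a leaver.
    findings.sort(key=lambda f: (not f["licensed"], f["email"]))
    return findings


if __name__ == "__main__":
    for finding in reconcile(AZURE_USERS, SMARTSHEET_USERS):
        print(finding)
```
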