Azure SSO Logins
We've implemented Azure SSO successfully and we have tested logging into SmartSheet via the option. However we have been seeing inconsistencies with the login page.
When we test with admin id, it regularly shows the "Sign in with your company account" option after entering the email address. But when we tested it with other users, either the option would show up only have the time, or for others it would not show up at all.
It would not seem to be our configuration since the admin gets the option and others get the option sometimes. But I'm not able to identify a root cause why the option is only occasionally showing, ever after clearing caches on the browsers.
And if any of the admins are going to suggest we open a ticket, we did that and they sent us here.
Answers
-
The Company Account option only appears for Smartsheet app users that are associated with a plan that has SSO turned on. This means that the default app login page does not show this as an option to start with, before an email address is entered.
You can test this by going to https://app.smartsheet.com in an incognito window:
Notice that the Company Account is not one of the main generic options.
However if my company has SSO enabled, after I've entered my email and I click Submit, then the app can identify what account that email is associated with and will redirect me through the SSO set-up.
Then (depending on my browser settings) the next time I go to log in it should remember this and present me with the Company Account option associated with my email:
For your users who aren't seeing this option, can you confirm if this changes after they log in, entering their email, then log out and come back to the login screen?
Cheers,
Genevieve
-
Yes, we have been testing logins using that process. And for some users, after entering their email address, the option does not show.
-
Are those users then logging in with their email and password, and it's not routing them through your SSO? If so, is it possible they're not set up in the iDP, or that these employees aren't members of your Smartsheet account?
-
All users had been previously using Smartsheet before we added SSO. And in one exampled The user enters the same email address she had used previously to login, and I confirmed it is the same in M365.
-
When you note that they had been "using Smartsheet", can you clarify if their accounts are associated with your company's account under User Management? See: Admin Center Overview
Cheers,
Genevieve
-
All users have their M365 email in their users account, and all are licensed through the company account. Is that what you are refering to?
-
Thank you, this helps! I was wanting to know if that email address was a member of your plan, licensed or unlicensed. If they're all licensed and a part of your Smartsheet company account in User Management that answers my inquiry.
As a final question, what login options do you have enabled in Smartsheet? For example, did you disable logging in with an email and password, to make sure they only use your SSO? (See: Manage authentication options)
-
No we did not until we could verify it works correctly. That would be ironic.
-
To clarify my last comment, we did not disable Email/Password login, until we could verify the SSO worked properly.
-
That makes sense!
So to clarify, the "My Company Account" button should appear after the user enters their email address and clicks "Continue" as in the screen captures above. It does not always show immediately for some users (prior to the email being added) based on the browser's cookies.
However, you've confirmed the following:
- Your users are entering their Primary email address for their Smartsheet account
- This account is associated with your plan (either as a licensed or unlicensed member)
- The same email address is listed in your iDP
- The users have tried logging in and logging out again, checking the sign-in page
Yet they are still not seeing the "Sign in with your company account" button.
At this point, I would suggest replying back to Support with the ticket you have created in a private channel. This is because in order to look into this further they will need sensitive information: the email addresses of the specific members who are unable to see the button and screen captures / recordings of their experience. When you confirm the troubleshooting points listed above, please also let Support know what browsers these users are trying.
Thank you!
Genevieve
