
Configuring Single Sign-On (SSO)

Learn how to configure your SmartSuite workspace for SSO to increase security and help your users be more efficient

Written by Peter Novosel
Updated over 2 weeks ago

Single Sign-on (SSO) is an authentication mechanism that facilitates a user logging into several independent software systems using a single ID and set of credentials. This is advantageous to organizations in several ways:

  • Mitigates risk because user passwords are not stored or managed externally

  • Reduces the time it takes for users to gain access to external resources

  • Lowers the number of IT password-related tickets

  • Reduces “password fatigue” where users adopt predictable password patterns due to the volume of passwords they need to manage

Plan Availability

Enterprise, Signature

Permissions

Administrators: Can access and modify workspace settings

SmartSuite’s Workspace Administration interface lets you configure Single Sign-On for a workspace in the Single Sign-On section of the Workspace Settings page. This article provides an overview of the available settings and options for this feature, and is intended for workspace administrators who are familiar with SSO and its implementation.

Important Notes

SSO is available only to SmartSuite Enterprise and Signature plan subscribers. If you are a SmartSuite Team or Professional plan subscriber and are interested in upgrading, you can contact us here for more information.

SSO is enabled per workspace, not per Solution. If a Workspace Admin enables SSO for a workspace containing Solutions 1, 2 and 3, the Admin cannot remove the SSO gate for Solution 1 while leaving it on for Solutions 2 and 3.

Before You Begin

Prior to configuring SSO in your SmartSuite workspace, you will need information about your SSO provider.

  • Email domain. You will be required to provide the email domain associated with your Single Sign-on process.

  • Protocol. SmartSuite currently supports the OpenID Connect and SAML protocols for SSO. If your organization requires a different protocol, please contact us here.

NOTE:

You can obtain SmartSuite's SSO metadata from this URL if it is required for your IdP configuration:

https://app.smartsuite.com/authentication/login/sso/metadata

Single Sign-On with OpenID Connect Prerequisites

Configuration of OpenID Connect SSO requires the following information:

  • Email Domain

  • Client ID

  • Client Secret

  • OIDC Issuer

Single Sign-On with SAML Prerequisites

Configuring SSO with SAML requires the following information:

  • Metadata XML file or file URL

  • User ID Attribute

SSO Configuration Process

After retrieving your organization's OpenID Connect or SAML SSO metadata, navigate to the Workspace Administration interface from the user profile menu, then click the Single Sign-On link in the left navigation menu or the Workspace Settings tab.

The Manage Single Sign-On dialog will be displayed. First specify the email domain associated with your Single Sign-On provider. Next, select whether you want to use OpenID Connect or SAML to communicate with your provider.

The next steps will require the use of the SSO metadata you collected prior to starting configuration (see the beginning of this article if you skipped that). The exact steps differ depending on protocol.

OpenID Connect Configuration

Follow these steps to configure OpenID Connect:

  1. Toggle SSO to Currently Enabled

  2. Enter your email domain

    1. Format: mycompany.com

    2. If your IdP supports multiple domains, you can specify them in a comma-delimited list. Example:

      sub1.mydomain.com,sub2.mydomain.com,mydomain.com

  3. Select OpenID Connect in the Protocol dropdown

  4. Specify the following values (these should be obtained from your IAM team):

    1. Client ID

    2. Client Secret

    3. OIDC Issuer

  5. Copy the Callback URL displayed for the provider

    1. Register this callback URL as the redirect URI for this client with your OIDC provider

  6. Click Save Configuration

[Screenshot: the OpenID Connect configuration dialog]

If configuration is successful, the Single Sign-On pane in workspace settings shows an Enabled indicator.

[Screenshot: the Single Sign-On pane with the Enabled indicator]

SAML Configuration

Follow these steps to configure SAML:

  1. Toggle SSO to Currently Enabled

  2. Enter your email domain

    1. Format: mycompany.com

    2. If your IdP supports multiple domains, you can specify them in a comma-delimited list. Example:

      sub1.mydomain.com,sub2.mydomain.com,mydomain.com

  3. Select SAML in the Protocol dropdown

  4. You have two options to configure your settings:

    1. Provide a SAML Metadata URL

    2. Upload a SAML Metadata file (if you upload the XML file, you can leave the Metadata URL blank)

  5. Specify your User Email Attribute

    1. This value specifies the SAML attribute that carries the user's email address. For most configurations, this is the unique identifier for the user in both the IdP and SmartSuite.

    2. For Microsoft Entra (formerly Azure AD), use:

  6. (Optional) Specify the User ID Attribute

    1. This optional parameter is used to configure SmartSuite to use a specific SAML attribute as the unique identifier for the user. Use this when your configuration requires a distinct identifier that is different from the user's primary email.

      Example: Higher Education institutions who use ePPN
      Some colleges and universities identify users by ePPN, which can be formatted as an email. However, this ePPN identifier may not be the user's primary email. In this case, the administrator would configure SAML mappings like this:

      User Email Attribute: email (the user's primary email)
      User ID Attribute: ePPN

  7. (Optional) Specify your User Groups Attribute

    1. Use this optional setting to specify the attribute that contains a list of groups (Teams in SmartSuite) that the user should be a member of.

    2. The attribute can be one of the following:

      1. A comma-separated string of group names

      2. An array of strings that represent group names

    3. When the user logs in, they are added to every group listed in the attribute. Note that the user is also removed from any group they currently belong to that is not listed in the attribute's value.

  8. (Optional) Configure Single Sign Out

    1. If single sign-out is desired, check this box.

    2. When the box is checked, a Single Sign Out URL value will display below the Sign On URL.

    3. Configure your IdP to send the LogoutResponse to this URL in an HTTP POST request.

  9. Configure your SAML IdP with these values (they can be copied from the configuration UI):

    1. Assertion Consumer Service (ACS) URL

    2. Entity ID

  10. Click Save Configuration
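To make the attribute mapping concrete, here is an added example (not SmartSuite's code) that applies the User Email Attribute, the optional User ID Attribute (the ePPN case above) and the User Groups Attribute rules to a constructed SAML assertion, then works out which Teams to add and remove. The assertion, attribute names and Team names are all constructed for the example.

```python
# Added example (not SmartSuite's code): apply the SAML attribute mappings
# described above to a constructed assertion and reconcile Team membership.
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion: a primary email, an ePPN identifier, and groups
# delivered as several AttributeValue elements (the "array of strings" form).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="email"><saml:AttributeValue>jdoe@example.edu</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="ePPN"><saml:AttributeValue>jdoe@idp.example.edu</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>Finance</saml:AttributeValue>
      <saml:AttributeValue>Research</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def attribute_values(assertion_xml, name):
    """Return every AttributeValue of the SAML attribute called `name`."""
    root = ET.fromstring(assertion_xml)
    values = []
    for attr in root.findall(".//saml:Attribute", NS):
        if attr.get("Name") == name:
            values += [v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text]
    return values

def resolve_identity(assertion_xml, email_attr, id_attr=None):
    """Login email plus the unique user id; the optional User ID Attribute
    (e.g. ePPN) overrides the email as identifier when it is configured."""
    emails = attribute_values(assertion_xml, email_attr)
    if len(emails) != 1:
        raise ValueError(f"expected one {email_attr!r} value, got {emails}")
    ids = attribute_values(assertion_xml, id_attr) if id_attr else emails
    if len(ids) != 1:
        raise ValueError(f"expected one {id_attr!r} value, got {ids}")
    return {"email": emails[0], "user_id": ids[0]}

def normalize_groups(raw_values):
    """Accept either one comma-separated string or several string values."""
    return {g.strip() for v in raw_values for g in v.split(",") if g.strip()}

def reconcile_teams(current_teams, asserted_groups):
    """Teams to add and remove so membership matches the assertion exactly,
    i.e. the user is also dropped from Teams the attribute no longer lists."""
    current, wanted = set(current_teams), set(asserted_groups)
    return {"add": sorted(wanted - current), "remove": sorted(current - wanted)}
```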

[Screenshot: the SAML configuration dialog]

You can always click Edit if your Single Sign-On configuration needs to be modified in the future.


Configuring Microsoft Entra (formerly Azure AD) and SmartSuite SSO

Microsoft Entra Configuration

Follow these steps to configure Microsoft Entra for use with SmartSuite SSO.

  • Log in to Microsoft Entra

  • Navigate to Identity > Applications > Enterprise Applications

  • Click + New application

  • Click + Create your own application

    • Name your App (something like SmartSuite SSO)

    • Select: Integrate any other application

  • Select Single sign-on

  • Select SAML

  • Edit Basic SAML Configuration

    • Set Identifier (Entity ID) to urn:amazon:cognito:sp:us-east-2_OvB5P61CZ

    • Set Reply URL to https://auth-main.smartsuite.com/saml2/idpresponse

    • Click Save

  • In the Single sign-on > SAML Certificates section

    • Download the Federation Metadata XML file (You will need this to configure SmartSuite SSO)

SmartSuite Configuration

Once Entra is configured, you can follow this set of steps to configure SmartSuite's SSO:

  • Navigate to Workspace Administration > Manage Single Sign-on

  • Click Enabled

  • Specify your email domain

  • Select SAML protocol

  • Upload the XML file you downloaded from Microsoft

  • Specify the following User ID Attribute:

    • http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress


Single Sign-On Tips

  • If you have multiple domains, they can be listed (comma separated) in the email domains entry. NOTE: All domains must use a single IdP.

  • Changes may take up to 5 minutes to take effect.

  • Users must still be invited by a SmartSuite administrator before they will be able to log in with SSO. Invited users receive an email with a verification code. Once this process is completed they will be able to use SSO to login without further restriction.


SSO FAQs

Here is a list of frequently asked questions about SmartSuite's SSO capabilities:

Q. Does SmartSuite SSO work with Shibboleth?

A. Shibboleth supports SAML, which is one of two protocols SmartSuite supports (the other is OpenID Connect, which Shibboleth does not support).

Q. Can administrators (e.g. department staff) log in using SSO?

A. Yes, administrators are permitted to log in using SSO.

Q. When a user logs out, can SmartSuite redirect the user to the SSO IdP logout URL?

A. Yes, a sign out URL can be specified.

Q. What is the key identifier SmartSuite uses for SSO?

A. SmartSuite uses email as the key identifier.

Q. Will SSO data (e.g. name, email, etc.) be accessed by SmartSuite staff?

A. No, SmartSuite staff will not access this data.

Q. How do we provision and de-provision access to target population or department staff?

A. SmartSuite does not yet support automated provisioning or de-provisioning. A SmartSuite user with the Administrator role must invite the user, and similarly must inactivate or delete a user to de-provision. The invite and inactivation/deletion actions can be performed via SmartSuite’s REST API.

Q. Is API integration supported? For example, can the vendor make an API call to get the target population?

A. Your list of users can be retrieved via SmartSuite’s REST API.

Q. Please describe the storage environment and how data will be protected.

A. All internal data transits only through an internal AWS VPC with no connection to the Internet. All external traffic is SSL-encrypted using the latest AWS SSL security policies. All data at rest is encrypted with AWS KMS keys generated for our account. Our application endpoints are protected by AWS WAF.

Q. Where is SmartSuite hosted?

A. SmartSuite services currently run in the Amazon Web Services (AWS) US-East2 data center.
