SAML assertion: Supported claims examples in Smartsheet

Required attributes

For successful sign in authentication, both the Persistent ID and Email Address claims need to be passed to Smartsheet. This requires two separate claims. Find additional details below. 

Persistent ID

This can be described as the attribute that is least likely to change for an identity. Smartsheet accepts six formats (a few of them are not specified in the SAML 2.0 standard) encoded in the NameID element. Here are the formats we support:

• urn:oasis:names:tc:SAML:1.1:nameid-­format:emailAddress
• urn:oasis:names:tc:SAML:2.0:nameid­-format:email
• urn:oasis:names:tc:SAML:2.0:nameid-­format:persistent
• urn:oasis:names:tc:SAML:2.0:nameid-­format:unspecified
• urn:oasis:names:tc:SAML:1.1:nameid­-format:unspecified
• urn:oid:1.3.6.1.4.1.5923.1.1.1.10 

Smartsheet also accepts assertions without a NameID element and will extract a Persistent ID value from an attribute if there's an attribute that matches the following: 

• name="eduPersonPrincipalName" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-­format:basic"
• name="http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"
• name="persistent" nameFormat="urn:oasis:names:tc:SAML:2.0:nameid-­format:persistent"
• name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-­format:uri"
• name="eduPersonPrincipalName" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-­format:uri"

Email address

This is the email address associated with the Smartsheet account. This equates to a username in the Smartsheet service. This must be an attribute and won't be extracted from the NameID element. Here are the accepted formats: 

• name="email" name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
• name="emailAddress",nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-­format:basic"
• name="Email",nameFormat="urn:oasis:names:tc:SAML:2.0:attrname­-format:basic"
• name="saml_username",nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-­format:basic"
• name="emailaddress",nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-­format:unspecified"
• name="emailaddress",nameFormat="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
• name="urn:oid:0.9.2342.19200300.100.1.3",nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-­format:uri"
• name="mail",nameFormat="urn:oasis:names:tc:SAML:2.0:attrname­-format:basic" 

Optional attributes 

Given name

The given name of the person associated with the account (first name). Here are the formats that Smartsheet supports: 

• name="givenName" name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"
• name="givenname" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-­format:basic"
• name="given_name" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-­format:basic"
• name="givenname" nameFormat="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"
• name="givenname" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname­-format:unspecified"
• name="urn:oid:2.5.4.42" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-­format:uri"

Surname

The surname of the person associated with the account (last name). Here are the formats that Smartsheet supports:

• name="surname" 
• name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"
• name="surname" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname­-format:basic"
• name="sur_name" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-­format:basic"
• name="surname" nameFormat="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"
• name="surname" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname­-format:unspecified"
• name="urn:oid:2.5.4.4" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname­-format:uri"

Sample assertion 

When you generate metadata, you must use the claims given above.

Go to the following link to see several examples of SAML response assertions:
https://www.samltool.com/generic_sso_res.php

These examples are for illustrative purposes only and won't work in Smartsheet. Your metadata must be generated by your IdP.