Before starting the integration process, you must have requested, and been approved for, an Onshape Enterprise account or trial, and have an Onshape Enterprise domain name.

An example of an Enterprise domain name might be: MyCompanyName.onshape.com.

Note that you can use only one single sign-on (SSO) provider at a time.

Onshape supports the following identity providers for single sign-on (SSO) purposes:

The set up for each of these identity providers varies and is explained in separate topics, but the overall steps are similar to these:

  1. Add Onshape to your single sign-on account.
  2. Download the required configuration file from your single sign-on account.
  3. Upload the configuration file into Onshape.
  4. In your Onshape administrator account, enable the single sign-on provider for your users.
  5. Do a hard refresh of your Onshape sign in page, then sign in with your SSO credentials.

Enabling the SSO method gives you the ability to assign users to Light or Full seats when they sign into an Enterprise for the first time. Only an Enterprise Administrator can enable or disable the "Assign auto-provisioned users as Light users" option. For more information, see the Single sign on (SSO) user auto-provisioning dropdown section (inside the Preferences Settings - ENT dropdown) of the Preferences topic.

Onshape signs all outgoing SAML certification requests. You are not required to upload any certificates (for example, a SAML signing certificate), except in the case of ADFS integration because ADFS validates incoming SAML requests. Note that Microsoft also recommends migration from the latest version of ADFS to Microsoft Entra ID. See ADFS Overview for more information.

Administrators can enforce Enterprise users to sign in to Onshape with only the configured SSO method and prevent signing in to the non-enterprise domain by toggling Disable Onshape password sign in.

For more information on integrating with a specific identity providers see the topic explaining the particular provider you use.