Integrating with Microsoft ADFS
Before starting the integration process, you must have requested, and been approved for, an Onshape Enterprise account or trial, and have an Onshape Enterprise domain name.
An example of an Enterprise domain name might be: MyCompanyName.onshape.com.
Note that you can use only one single sign-on (SSO) provider at a time.
This configuration process will fail unless the parameter values are customized for your organization. Use your Microsoft ADFS single sign-on dashboard to add Onshape as an application and record the values that are specific to your organization; you need those values for the following procedure.
Onshape signs all outgoing SAML requests. You are not required to upload any certificates (for example, a SAML signing certificate), except in the case of ADFS integration, because ADFS validates the signature on incoming SAML requests. Note that Microsoft also recommends migrating from the latest version of ADFS to Microsoft Entra ID. See ADFS Overview for more information.
Create a "relying party trust" in the ADFS Management application
- In your ADFS portal, navigate to "Relying Party Trusts" and then "Add Relying Party Trust…"
- Select "Claims aware."
- Select "Enter data about relying party manually."
- Select "Enable support for SAML 2.0 WebSSO protocol."
- Set "Relying party SAML 2.0 SSO service URL" to https://cad.onshape.com/identity/saml2/sso
- Set "Relying party trust identifier" to com.onshape.saml2.sp
Set the SP certificate and hash algorithm
- Double-click the RP trust created with the instructions above.
- On the "Signature" tab, add the Onshape signing certificate (the certificate ADFS uses to validate Onshape's signed SAML requests).
- On the "Advanced" tab, set the hash algorithm to SHA-1.
Configure claims
- Right-click the RP trust and select "Edit Claims Issuance Policy."
- Add the three rules shown below (using the enterprise's DNS prefix in rule #3):
- Rule #1 template: "Send LDAP Attributes as Claims"
- Rule #2 template: "Pass Through or Filter an Incoming Claim"
- Rule #3 template: "Send Claims Using a Custom Rule"
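The same relying party trust, signing certificate, hash algorithm and three claim rules can be created from the ADFS PowerShell module instead of the wizard. The script below is an added example written for this page, not Onshape's or Microsoft's own code. Only the service URL, the identifier com.onshape.saml2.sp and the SHA-1 setting come from the steps above; the certificate path, the attribute and claim types used in rules #1 and #2, and the claim type in rule #3 are assumptions and placeholders that you must replace with the values recorded from your ADFS dashboard.

```powershell
# Added example, not Onshape's or Microsoft's script. Run on the ADFS server as
# an ADFS administrator. Assumed values: $spCertPath, the e-mail claim mapping in
# rules #1 and #2, and the PLACEHOLDER claim type in rule #3.
Import-Module ADFS

$dnsPrefix  = "acme"                              # your Onshape DNS prefix (acme for acme.onshape.com)
$spCertPath = "C:\certs\onshape-sp-signing.cer"   # assumed path to the Onshape signing certificate

# "Relying party SAML 2.0 SSO service URL": the assertion consumer endpoint from the steps above
$acs = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Index 0 `
    -Uri "https://cad.onshape.com/identity/saml2/sp/sso".Replace("/sp/sso", "/sso")

# "Signature" tab: the certificate ADFS uses to validate Onshape's signed requests
$spCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $spCertPath

# Rule #1, "Send LDAP Attributes as Claims" (assumed: AD mail attribute -> e-mail claim)
$rule1 = @'
@RuleName = "Send e-mail address from AD"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";mail;{0}", param = c.Value);
'@

# Rule #2, "Pass Through or Filter an Incoming Claim" (assumed: pass the e-mail claim through unchanged)
$rule2 = @'
@RuleName = "Pass through e-mail address"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(claim = c);
'@

# Rule #3, "Send Claims Using a Custom Rule": sends the DNS prefix. The claim type is a
# PLACEHOLDER; use the one shown in your ADFS dashboard for the Onshape application.
$rule3 = @"
@RuleName = "Send Onshape DNS prefix"
 => issue(Type = "urn:PLACEHOLDER:claim-type-from-your-onshape-adfs-dashboard", Value = "$dnsPrefix");
"@

Add-AdfsRelyingPartyTrust -Name "Onshape" `
    -Identifier "com.onshape.saml2.sp" `
    -SamlEndpoint $acs `
    -RequestSigningCertificate $spCert `
    -SignatureAlgorithm "http://www.w3.org/2000/09/xmldsig#rsa-sha1" `
    -IssuanceTransformRules ($rule1 + "`n" + $rule2 + "`n" + $rule3) `
    -IssuanceAuthorizationRules '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'

# Read the trust back so the identifier, endpoint and algorithm can be checked before
# the ADFS metadata is handed to Onshape
Get-AdfsRelyingPartyTrust -Name "Onshape" |
    Select-Object Name, Identifier, SignatureAlgorithm,
        @{ n = "AssertionConsumer"; e = { $_.SamlEndpoints.Location } }
```

The -SignatureAlgorithm parameter is the scripted form of the "Advanced" tab step; a trust created without it uses ADFS's default of RSA-SHA256, so the value above is what makes the trust match the SHA-1 step. The permit-everyone authorization rule mirrors the wizard's default access policy; restrict it to the users or groups you actually provision for Onshape if your organization does not want every ADFS user to be able to request an assertion for the trust.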
Download the ADFS metadata file from:
https://<server>/federationmetadata/2007-06/federationmetadata.xml
and upload it to Onshape.
Make sure to replace <server> with the hostname of your ADFS server.
In rule #3, make sure to replace "Onshape DNS prefix here" as shown above with your companyName value. For example, if your Onshape domain is acme.Onshape.com, use "acme" as the value of this field.
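Before uploading the metadata file, it is worth confirming that it describes the ADFS server you expect: the entityID Onshape will treat as the assertion issuer, the signing certificates it will validate assertions against (and when they expire), and the advertised SSO endpoints. The script below is an added example written for this page, not Onshape's or Microsoft's code; the only value from the page is the metadata URL, and $AdfsHost and the output path are assumptions.

```powershell
# Added example, not Onshape's or Microsoft's script. Downloads the federation
# metadata from the URL above and reports the values Onshape will rely on.
# $AdfsHost is an assumed parameter; requires PowerShell 5 or later.
param([string]$AdfsHost = "adfs.example.com")   # replace with your ADFS server hostname

$url = "https://$AdfsHost/federationmetadata/2007-06/federationmetadata.xml"
$out = Join-Path $env:TEMP "federationmetadata.xml"
Invoke-WebRequest -Uri $url -UseBasicParsing -OutFile $out

[xml]$md = Get-Content -Path $out -Raw
$ns = @{
    md = "urn:oasis:names:tc:SAML:2.0:metadata"
    ds = "http://www.w3.org/2000/09/xmldsig#"
}

# entityID: the issuer Onshape will expect in every assertion from this ADFS server
$entityId = (Select-Xml -Xml $md -Namespace $ns -XPath "/md:EntityDescriptor/@entityID").Node.Value
"entityID     : $entityId"

# Signing certificates: Onshape validates assertion signatures against these. A certificate
# close to expiry means the metadata must be re-uploaded after ADFS rolls it over.
$certs = Select-Xml -Xml $md -Namespace $ns -XPath `
    "/md:EntityDescriptor/md:IDPSSODescriptor/md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate"
foreach ($c in $certs) {
    $raw  = [Convert]::FromBase64String($c.Node.InnerText.Trim())
    $x509 = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($raw)
    "signing cert : {0}  subject {1}  expires {2:yyyy-MM-dd}" -f $x509.Thumbprint, $x509.Subject, $x509.NotAfter
    if ($x509.NotAfter -lt (Get-Date).AddDays(30)) {
        Write-Warning "Signing certificate $($x509.Thumbprint) expires within 30 days."
    }
}

# SSO endpoints ADFS advertises; browsers are sent to the HTTP-POST/Redirect binding here
Select-Xml -Xml $md -Namespace $ns -XPath "/md:EntityDescriptor/md:IDPSSODescriptor/md:SingleSignOnService" |
    ForEach-Object { "SSO endpoint : {0}  {1}" -f $_.Node.Binding, $_.Node.Location }

# ADFS signs the metadata document itself; its absence suggests the file came from somewhere else
if (-not (Select-Xml -Xml $md -Namespace $ns -XPath "/md:EntityDescriptor/ds:Signature")) {
    Write-Warning "Metadata document carries no XML signature; confirm it was downloaded from your ADFS server."
}
"saved to     : $out"
```

The hostname in the entityID and in the SSO endpoint locations should be your ADFS server's public name; if they show an internal name, the metadata was generated for a different federation service name than the one your users will reach, and the upload will configure Onshape with endpoints they cannot use.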
Upload the configuration file in Onshape
After downloading the configuration / metadata file:
- Sign in to your Onshape Enterprise account, using your specialized domain name, as an administrator.
- Select Company/Enterprise settings from the User menu.
- Select Authentication from the left menu.
- In the Single sign on (SSO) section:
  - Click Upload configuration file.
  - Select the metadata file you previously downloaded and click Open.
  - In the dialog, enter a name for the SSO Provider and check the Enable SSO provider checkbox.
  - Click OK.
You can disable the typical Onshape password sign in for your users and show just the SSO provider sign in prompt for the Onshape URL. However, do not perform this step at this time. Make sure you can sign in to Onshape yourself (as administrator) before disabling this additional sign in option. You can return here later, once sign in through your SSO provider has been verified to work correctly.
Choosing to enforce signing in to Onshape via SSO also results in users not being able to sign in to non-enterprise domains directly, such as cad.onshape.com.
- Sign out of the Onshape account.
- Do a hard refresh of the Onshape account page; notice the page has a new Sign in link at the bottom for your SSO provider.
In order for users to sign in to Onshape, administrators must provision them (in the single sign-on provider) to use the Onshape application.