Integrating with Microsoft Azure AD
This functionality is available on Onshape's browser, iOS, and Android platforms.
Before starting the integration process, you must have requested, and been approved for, an Onshape Enterprise account or trial, and have an Onshape Enterprise domain name.
An example of an Enterprise domain name might be: MyCompanyName.onshape.com.
You can use only one (single sign-on) SSO provider at a time.
This configuration process might fail without parameter values customized for your organization. Use your Microsoft Azure AD single sign-on dashboard to add Onshape as an application and record the values that are specific for your organization. You need those values for the following procedure.
Onshape signs all outgoing SAML certification requests. You are not required to upload any certificates (for example, an SAML signing certificate), except in the case of ADFS integraion because ADFS validates incoming SAML requests.
Add Onshape to your Azure AD single sign-on accountCopy link
To enable single sign-on for your company, you must first add the Onshape application to your Azure AD single sign-on account:
- Sign in to the Microsoft Azure portal. Click the menu icon at the top left corner to open the left side navigation pane.
- Select Azure Active Directory in the navigation pane.
- Select Enterprise applications in the new navigation pane that opens on the left.
- At the top of the All applications page, click New application.
- On the Browse Azure AD Gallery page, search for Onshape in the Search application field. Then click the Onshape button.
The Onshape application pane opens on the right. Click the Create button at the bottom of the pane.
Microsoft Azure creates the new application for you. Be aware this can take a few seconds to set up.
- Once the app is created, click the 2. Set up single sign on box.
- Since Onshape supports only SAML authentication, click the SAML box.
If the Save single sign-on setting opens, click Yes.
The SAML-based sign-on page opens.
SAML configurationCopy link
- In the User Attributes & Claims subsection, click Edit at the top right corner of the box.
- In the User Attributes & Claims page that opens, double-click the companyName claim.
Enter your domain name prefix into the Source attribute field. For example, if your Onshape enterprise name is Fishbowl.onshape.com, enter Fishbowl into the field. Once entered, you need to additionally click on the entry below the field (as shown by the cursor in the image below).
- Click Save.
- Click X at the top right corner to close the page.
If you are asked if you want to Test the single sign-on, select No, I'll test later.
The SAML-based Sign-on page is displayed again. Your page should look similar to the image below.
- Scroll down the page to subsection 3 SAML Signing Certificate. At the bottom of this subsection, click the "Federation Metadata XML" download link. This XML file is used later in the Single sign-on configuration process.
A message appears in the top right upon successful download of this file. Click X to dismiss the message.
Set up users and groupsCopy link
- In the left navigation pane, select Users and groups.
The Users and groups page appears. Click Add user/group.
- The Add Assignment page opens. On the left, click Users - None Selected.
The Users pane opens on the right. Search and then select the Users you would like to invite. Each user is moved into the Selected Items pane subsection below. Once all selected members are listed in this pane, click the Select button.
- Click Assign.
- The Users and groups page appears with the new users.
At this point, you can leave the Azure portal and open your Microsoft active directory application dashboard.
Upload the XML configuration file in OnshapeCopy link
- Sign in to your Onshape enterprise account, using your specialized domain name, as an administrator.
Select Enterprise settings from your account.
- Select Authentication from the left navigation menu.
- In the Single sign-on (SSO) subsection, click the Configure SSO provider button.
- The Create SSO provider dialog opens. In the Name field, enter a three-letter name, such as MSA. In the Provider type drop-down, select Microsoft Azure. Then click the Upload configuration file button.
- Locate and select the XML file you downloaded previously, and click Open.
- Click OK.
- The file is uploaded. A notification appears when the upload is completed.
- Sign out of both your Onshape and Microsoft accounts. Be sure to do a hard refresh of both accounts. When you reach the Onshape sign-in page once again, the page has a new Sign in link at the bottom, for your Single sign-on provider.
You can disable the typical Onshape password sign-in for your users and show only the SSO provider sign-in prompt for the Onshape URL. However, do not perform this step at this time. Make sure you can sign in to Onshape yourself (as administrator) before disabling this additional sign-in option. You can return here later, once you verify you can sign in through your SSO provider.
Choosing to enforce signing in to Onshape via SSO also results in users not being able to sign in to non-enterprise domains directly, such as cad.onshape.com.
In order to sign in to Onshape, administrators must provision their users (in their single sign-on account) to use the Onshape application.
If you see the following error:
Close all tabs, fully sign out, and sign back into Microsoft.
Sign into Onshape again.
Be aware that the "test connection" button in the AD admin panel does not work.