Integrating with Microsoft Azure AD
Before starting the integration process, you must have requested, and been approved for, an Onshape Enterprise account or trial, and have an Onshape Enterprise domain name. An example of an Enterprise domain name might be MyCompanyName.onshape.com.
You can use only one single sign-on (SSO) provider at a time.
This configuration process fails without parameter values customized for your organization. Use your Microsoft Azure AD single sign-on dashboard to add Onshape as an application and record the values that are specific to your organization. You need those values for the following procedure.
Onshape signs all outgoing SAML authentication requests. You are not required to upload any certificate to the identity provider (for example, a SAML signing certificate), except in the case of ADFS integration: ADFS validates the signature on incoming SAML requests and therefore needs Onshape's signing certificate.
To enable single sign-on for your company, you must first add the Onshape application to your Azure AD tenant:
- Sign in to the Microsoft Azure portal. Click the menu icon at the top left corner to open the left navigation pane, then click Azure Active Directory.
- In the navigation pane that opens on the left, click Enterprise applications.
- At the top of the All applications page, click New application.
- On the Browse Azure AD Gallery page, search for Onshape in the Search application field, then click the Onshape result. The Onshape application pane opens on the right. Click the Create button at the bottom of the pane. Microsoft Azure creates the new application for you; be aware this can take a few seconds.
- Once the app is created, on its overview page click 2. Set up single sign on.
- Since Onshape supports only SAML authentication, click SAML. If the Save single sign-on settings prompt opens, click Yes. The SAML-based Sign-on page opens.
- In the User Attributes & Claims subsection, click Edit at the top right corner of the box.
- On the User Attributes & Claims page that opens, double-click the claim that carries your Onshape domain name prefix. Enter the prefix into the Source attribute field. For example, if your Onshape enterprise name is Fishbowl.onshape.com, enter Fishbowl. After typing the value, you must additionally click the matching entry that appears below the field so that the value is accepted. Close the page with the close control at the top right corner.
- If you are asked whether you want to test the single sign-on, select No, I'll test later. The SAML-based Sign-on page is displayed again.
- Scroll down the page to subsection 3, SAML Signing Certificate. At the bottom of this subsection, click the Federation Metadata XML link. This file contains your tenant's entity ID, sign-on endpoints and signing certificate; it is uploaded to Onshape later in the procedure. A message appears at the top right upon successful download. Click X to dismiss the message.
- In the left navigation pane, select Users and groups. The Users and groups page appears. Click Add user/group.
- The Add Assignment page opens. On the left, click Users - None Selected. The Users pane opens on the right. Search for and select the users you would like to invite; each user is moved into the Selected items subsection below. Once all selected members are listed there, click the Select button.
- The Users and groups page appears with the new users. Only users assigned here can sign in to Onshape through Azure AD.
At this point you can leave the Azure portal; the remaining steps are performed in Onshape.
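Because the Azure test button cannot be relied on for this integration, it is useful to inspect the downloaded Federation Metadata XML offline before uploading it: confirm it is identity-provider (not service-provider) metadata, that the entityID names your tenant, that it carries HTTPS sign-on endpoints, and that it contains a signing certificate whose SHA-1 fingerprint matches the Thumbprint shown in the SAML Signing Certificate subsection. The script below is an added example written for this page; it is not Onshape or Microsoft code. The embedded metadata is constructed for illustration: the tenant ID is an all-zero placeholder and the certificate bytes are not a real X.509 certificate, and the function name inspect_metadata is my own.

```python
"""Offline sanity check of an identity provider's SAML Federation Metadata XML
before it is uploaded to a service provider such as Onshape.

Added example; not Onshape or Microsoft code.  The metadata embedded below is
constructed for illustration: the tenant ID is a placeholder and the
certificate bytes are not a real DER-encoded X.509 certificate.
"""
import base64
import hashlib
import sys
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample (assumption): placeholder tenant ID and fake certificate.
FAKE_TENANT = "00000000-0000-0000-0000-000000000000"
FAKE_CERT_B64 = base64.b64encode(b"constructed placeholder, not a real DER certificate").decode()
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/{FAKE_TENANT}/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>{FAKE_CERT_B64}</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="{HTTP_REDIRECT}"
        Location="https://login.microsoftonline.com/{FAKE_TENANT}/saml2"/>
    <SingleSignOnService Binding="{HTTP_POST}"
        Location="https://login.microsoftonline.com/{FAKE_TENANT}/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def inspect_metadata(xml_text):
    """Extract entityID, SSO endpoints and signing-certificate fingerprints,
    and list anything that would make the metadata unusable or suspicious."""
    root = ET.fromstring(xml_text)
    problems = []
    result = {"entity_id": root.get("entityID", ""), "sso": {},
              "signing_certs": [], "problems": problems}

    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        problems.append(f"unexpected root element {root.tag}")
    if not result["entity_id"]:
        problems.append("missing entityID")

    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        problems.append("no IDPSSODescriptor: this is not identity-provider metadata")
        return result

    for svc in idp.findall("md:SingleSignOnService", NS):
        binding, location = svc.get("Binding", ""), svc.get("Location", "")
        result["sso"][binding] = location
        if not location.startswith("https://"):
            problems.append(f"SSO endpoint is not https: {location}")
    if HTTP_REDIRECT not in result["sso"] and HTTP_POST not in result["sso"]:
        problems.append("no HTTP-Redirect or HTTP-POST SingleSignOnService endpoint")

    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":  # a missing 'use' means both uses
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            try:
                der = base64.b64decode("".join((cert.text or "").split()), validate=True)
            except ValueError:
                problems.append("signing certificate is not valid base64")
                continue
            # Azure's portal shows the SHA-1 thumbprint as uppercase hex without separators.
            result["signing_certs"].append({
                "sha1": hashlib.sha1(der).hexdigest().upper(),
                "sha256": hashlib.sha256(der).hexdigest().upper(),
            })
    if not result["signing_certs"]:
        problems.append("no signing certificate: the SP could not verify assertion signatures")
    return result


if __name__ == "__main__":
    # Usage: python check_metadata.py <path to Federation Metadata XML>
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_METADATA
    info = inspect_metadata(text)
    print("entityID:", info["entity_id"])
    for binding, location in info["sso"].items():
        print("SSO:", binding.rsplit(":", 1)[-1], location)
    for c in info["signing_certs"]:
        print("signing cert SHA-1:", c["sha1"])
    print("problems:", info["problems"] or "none")
```

Run it against the real downloaded file and compare the entityID's tenant GUID with your tenant and the SHA-1 with the portal's Thumbprint. The script deliberately does not parse the certificate body (the standard library has no X.509 parser), so check the certificate's expiry separately, for example with openssl x509 -inform DER -noout -enddate on the base64-decoded bytes; an expired signing certificate is the usual reason a working SAML integration stops working later.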
- Sign in to your Onshape enterprise account, using your enterprise domain name, as an administrator.
- Open the enterprise settings from your account menu, and from the left navigation menu select the page that contains the Single sign-on (SSO) subsection.
- In the Single sign-on (SSO) subsection, click Configure SSO provider.
- The Create SSO provider dialog opens. In the name field, enter a three-letter name, such as MSA. In the provider field, select Microsoft Azure. Then click Upload configuration file.
- Locate and select the Federation Metadata XML file you downloaded previously, and confirm the selection.
- The file is uploaded. A notification appears when the upload is completed.
- Sign out of both your Onshape and Microsoft accounts, and do a hard refresh of both. When you reach the Onshape sign-in page once again, the page has a new link at the bottom for your single sign-on provider.
You can disable the standard Onshape password sign-in for your users and show only the SSO provider sign-in prompt for your enterprise URL. However, do not perform this step at this time. Make sure you can sign in to Onshape yourself (as administrator) through the SSO provider before disabling the password sign-in; otherwise a misconfigured provider locks every account, including yours, out of the enterprise. You can return here later, once you have verified that SSO sign-in works.
Choosing to enforce signing in to Onshape via SSO also means users can no longer sign in to non-enterprise domains directly, such as cad.onshape.com.
In order to sign in to Onshape, administrators must provision their users (in the Azure AD application's Users and groups assignment) to use the Onshape application; an unassigned user is rejected by Azure AD before ever reaching Onshape.
If sign-in through the new SSO link fails with an error:
- Close all tabs, fully sign out of Microsoft, and sign back in to Microsoft.
- Sign in to Onshape again.
Be aware that the Test (test connection) button on the Azure AD single sign-on page does not work for this integration. Verify the integration by signing in through the SSO provider link on the Onshape sign-in page instead.