This functionality is available on Onshape's browser, iOS, and Android platforms.

Single sign-on is available on all Onshape platforms including iOS and Android.

Before starting the integration process, you must have requested, and been approved for, an Onshape Enterprise account or trial, and have an Onshape Enterprise domain name.

An example of an Enterprise domain name might be: MyCompanyName.onshape.com.

You can use only one single sign-on (SSO) provider at a time.

This configuration process might fail without parameter values customized for your organization. Use your Microsoft Azure AD single sign-on dashboard to add Onshape as an application and record the values that are specific to your organization. You need those values for the following procedure.

Add Onshape to your Azure AD single sign-on account

To enable single sign-on for your company, you must first add the Onshape application to your Azure AD single sign-on account:

  1. Sign in to the Microsoft Azure portal. Click the menu icon at the top left corner to open the left side navigation pane.

    Onshape SSO with Microsoft Azure step 1

  2. Select Azure Active Directory in the navigation pane.

    Onshape SSO with Microsoft Azure step 2

  3. Select Enterprise applications in the new navigation pane that opens on the left.

    Onshape SSO with Microsoft Azure step 3

  4. At the top of the All applications page, click New application.

    Onshape SSO with Microsoft Azure step 4

  5. On the Browse Azure AD Gallery page, search for Onshape in the Search application field. Then click the Onshape button.

  6. The Onshape application pane opens on the right. Click the Create button at the bottom of the pane.

    Microsoft Azure creates the new application for you. Be aware this can take a few seconds to set up.

  7. Once the app is created, click the 2. Set up single sign on box.

    Onshape SSO with Microsoft Azure step 7

  8. Since Onshape supports only SAML authentication, click the SAML box.

    Onshape SSO with Microsoft Azure step 8

    If the Save single sign-on setting prompt opens, click Yes.

    The SAML-based sign-on page opens.

SAML configuration

  1. In the User Attributes & Claims subsection, click Edit at the top right corner of the box.

  2. In the User Attributes & Claims page that opens, double-click the companyName claim.

  3. Enter your domain name prefix into the Source attribute field. For example, if your Onshape enterprise name is Fishbowl.onshape.com, enter Fishbowl into the field. After entering it, you must also click the entry that appears below the field (as shown by the cursor in the image below).

  4. Click Save.

  5. Click X at the top right corner to close the page.

  6. If you are asked if you want to Test the single sign-on, select No, I'll test later.

  7. The SAML-based Sign-on page is displayed again. Your page should look similar to the image below.

    SAML Configuration step 10

  8. Scroll down the page to subsection 3 SAML Signing Certificate. At the bottom of this subsection, click the "Federation Metadata XML" download link. This XML file is used later in the Single sign-on configuration process.

    SAML Configuration step 11

  9. A message appears in the top right upon successful download of this file. Click X to dismiss the message.

    SAML Configuration step 12
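
Before uploading the Federation Metadata XML file to Onshape, it is worth confirming that it is IdP metadata with an HTTPS sign-on endpoint and a signing certificate, and recording the certificate fingerprint. The following is an added example, not part of the original Onshape documentation or Microsoft's tooling; the function name `summarize_idp_metadata` and the sample metadata (placeholder tenant ID, fake certificate bytes) are constructed for illustration.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
# Constructed sample: placeholder tenant ID and fake certificate bytes, not a real tenant.
SAMPLE_CERT_B64 = base64.b64encode(b"constructed-certificate-bytes").decode()
SAMPLE_METADATA = f"""<?xml version="1.0" encoding="utf-8"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/00000000-0000-0000-0000-000000000000/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>{SAMPLE_CERT_B64}</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def summarize_idp_metadata(xml_text):
    """Return entity ID, SSO endpoints, signing-cert SHA-256 fingerprints and problems."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    problems = []
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        problems.append("root element is not a SAML EntityDescriptor")
    # (binding short name, endpoint URL) for each IdP sign-on service
    sso = [(e.get("Binding", "").rsplit(":", 1)[-1], e.get("Location", ""))
           for e in root.findall("md:IDPSSODescriptor/md:SingleSignOnService", NS)]
    problems += [f"non-HTTPS SSO endpoint: {loc}" for _, loc in sso
                 if not loc.startswith("https://")]
    fingerprints = []
    for kd in root.findall("md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use") not in (None, "signing"):
            continue  # skip encryption-only keys
        for cert in kd.findall(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join((cert.text or "").split()))
            fingerprints.append(hashlib.sha256(der).hexdigest())
    if not sso:
        problems.append("no IdP SingleSignOnService endpoint")
    if not fingerprints:
        problems.append("no IdP signing certificate")
    return {"entity_id": root.get("entityID"), "sso": sso,
            "fingerprints": fingerprints, "problems": problems}
```

Run it on the downloaded file's contents and keep the reported fingerprint with your change record, so a later certificate rotation in Azure AD is easy to spot before the metadata is uploaded to Onshape again.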

Set up users and groups

  1. In the left navigation pane, select Users and groups.

    Users and Groups SSO Configuration Step 1

  2. The Users and groups page appears. Click Add user/group.

    Users and Groups SSO Configuration Step 2

  3. The Add Assignment page opens. On the left, click Users - None Selected.

    The Users pane opens on the right. Search for and then select the users you would like to invite. Each user is moved into the Selected Items pane subsection below. Once all selected members are listed in this pane, click the Select button.

    Users and Groups SSO Configuration Step 3

  4. Click Assign.

    Users and Groups SSO Configuration Step 4

  5. The Users and groups page appears with the new users.

    Users and Groups SSO Configuration Step 5

    At this point, you can leave the Azure portal and open your Microsoft Active Directory application dashboard.

    Users and Groups SSO Configuration Step 6

Upload the XML configuration file in Onshape

  1. Sign in to your Onshape enterprise account, using your specialized domain name, as an administrator. Select Enterprise settings from your account.

    Configuring SSO in Onshape step 1

  2. Select Authentication from the left navigation menu.

    Configuring SSO in Onshape step 2

  3. In the Single sign-on (SSO) subsection, click the Configure SSO provider button.

    Configuring SSO in Onshape step 3

  4. The Create SSO provider dialog opens. In the Name field, enter a three-letter name, such as MSA. In the Provider type drop-down, select Microsoft Azure. Then click the Upload configuration file button.

    Configuring SSO in Onshape step 4

  5. Locate and select the XML file you downloaded previously, and click Open.

    Configuring SSO in Onshape step 5

  6. Click OK.

    Configuring SSO in Onshape step 6

  7. The file is uploaded. A notification appears when the upload is completed.

    Configuring SSO in Onshape step 7

  8. You can disable the typical Onshape password sign-in for your users and show only the SSO provider sign-in prompt for the Onshape URL. However, do not perform this step at this time. Make sure you can sign in to Onshape yourself (as administrator) before disabling this additional sign-in option. You can return here later, once you verify you can sign in through your SSO provider.

    Choosing to enforce signing in to Onshape via SSO also results in users not being able to sign in to non-enterprise domains directly, such as cad.onshape.com.

  9. Sign out of both your Onshape and Microsoft accounts. Be sure to do a hard refresh of both accounts. When you reach the Onshape sign-in page once again, the page has a new Sign in link at the bottom, for your Single sign-on provider.

    Configuring SSO in Onshape step 8

For users to be able to sign in to Onshape, administrators must provision them (in their single sign-on account) to use the Onshape application.

Troubleshooting

If you see the following error:

Close all tabs, fully sign out, and sign back in to Microsoft.

Sign in to Onshape again.

Be aware that the "test connection" button in the AD admin panel does not work.