Integrating with Microsoft Entra ID (formerly Azure AD)
Before starting the integration process, you must have requested, and been approved for, an Onshape Enterprise account or trial, and have an Onshape Enterprise domain name.
An example of an Enterprise domain name might be: MyCompanyName.onshape.com.
You can use only one single sign-on (SSO) provider at a time.
This configuration process will fail unless the parameter values are customized for your organization. Use your Microsoft Entra ID (formerly Azure AD) single sign-on dashboard to add Onshape as an application and record the values that are specific to your tenant; you need them in the procedure below.
Onshape signs all outgoing SAML authentication requests. You are not required to upload any certificates (for example, a SAML signing certificate) to the identity provider, except in the case of ADFS integration, because ADFS validates the signature on incoming SAML requests. (Onshape itself learns the identity provider's signing certificate from the federation metadata XML you download later.) Note that Microsoft recommends migrating from ADFS to Microsoft Entra ID; see ADFS Overview for more information.
Add Onshape to your Entra ID (formerly Azure AD) single sign-on account
To enable single sign-on for your company, you must first add the Onshape application to your Entra ID (formerly Azure AD) single sign-on account:
- Sign in to the Microsoft Entra ID (formerly Azure AD) portal. You are taken to the home page.
- In the search bar, enter Enterprise applications and select Enterprise applications.
- At the top of the All applications page, click New application.
- On the Browse Microsoft Entra Gallery page, search for Onshape in the Search application field, then click the Onshape button.
- The Onshape application pane opens on the right. Click the Create button at the bottom of the pane. Microsoft Entra creates the new application for you; this can take a few seconds.
- Once the app is created, click the 2. Set up single sign on button.
- Since Onshape supports only SAML authentication, click the SAML box. If the Save single sign-on setting dialog opens, click Yes. The SAML-based sign-on page opens.
SAML configuration
- In the User Attributes & Claims subsection, click Edit at the top right corner of the box.
- In the User Attributes & Claims page that opens, double-click the companyName claim.
- Enter your domain name prefix into the Source attribute field. For example, if your Onshape enterprise name is Fishbowl.onshape.com, enter Fishbowl into the field. After typing it, click the matching entry that appears directly below the field so that the value is accepted. Onshape matches this claim against your enterprise domain, so enter exactly the text before .onshape.com, with no domain suffix.
- Click Save.
- Click X at the top right corner to close the page.
- If you are asked whether you want to test the single sign-on, select No, I'll test later.
- The SAML-based Sign-on page is displayed again.
- Scroll down the page to subsection 3, SAML Signing Certificate. At the bottom of this subsection, click the Federation Metadata XML download link. This XML file carries your tenant's entityID, its sign-on endpoints and the certificate Entra uses to sign assertions; you upload it to Onshape later in the single sign-on configuration process.
- A message appears in the top right upon successful download of this file. Click X to dismiss the message.
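Before uploading the downloaded file to Onshape it is worth confirming that it really is your tenant's identity-provider descriptor and that it contains what Onshape needs. The script below is an added example, not Onshape's or Microsoft's code: it parses a federation metadata XML file, reports the entityID, the SHA-256 fingerprint of each signing certificate and the single sign-on endpoints, and flags a file with no signing certificate or with non-HTTPS endpoints. The embedded sample metadata is constructed to mirror the shape of the Entra download (the tenant ID is all zeros and the certificate is a placeholder string, not a real X.509 certificate), and the expected entityID pattern is this example's own assumption about the commercial Entra cloud.

```python
"""Sanity-check an Entra ID "Federation Metadata XML" file before uploading it to Onshape.

Added example (not Onshape's or Microsoft's code). SAMPLE_METADATA is a constructed
stand-in for the real download; run with a file path to inspect a real one.
"""
import base64
import hashlib
import re
import sys
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
# Assumption: in the commercial Entra cloud the SAML entityID is https://sts.windows.net/<tenant GUID>/
ENTRA_ENTITY_ID = re.compile(r"^https://sts\.windows\.net/[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}/$")

TENANT = "00000000-0000-0000-0000-000000000000"  # placeholder tenant ID, not a real one
PLACEHOLDER_CERT = base64.b64encode(b"placeholder-not-a-real-certificate").decode()

# Constructed sample in the shape of the Entra metadata download (no XML signature, no WS-Fed role).
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/{TENANT}/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>{PLACEHOLDER_CERT}</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Binding="{HTTP_REDIRECT}"
        Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
    <SingleSignOnService Binding="{HTTP_REDIRECT}"
        Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
    <SingleSignOnService Binding="{HTTP_POST}"
        Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def parse_metadata(xml_text: str) -> dict:
    """Extract the IdP entityID, signing-certificate fingerprints and SSO endpoints."""
    root = ET.fromstring(xml_text)
    info = {"entity_id": root.get("entityID", ""), "signing_cert_sha256": [], "sso": {}}
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        return info
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without a 'use' attribute is valid for both signing and encryption.
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            der = base64.b64decode(re.sub(r"\s+", "", cert.text or ""))
            info["signing_cert_sha256"].append(hashlib.sha256(der).hexdigest())
    for svc in idp.findall("md:SingleSignOnService", NS):
        info["sso"][svc.get("Binding", "")] = svc.get("Location", "")
    return info


def check_metadata(info: dict) -> list:
    """Return human-readable problems; an empty list means the file looks usable."""
    problems = []
    if not ENTRA_ENTITY_ID.match(info["entity_id"]):
        problems.append(f"unexpected entityID {info['entity_id']!r}; is this the right tenant's file?")
    if not info["signing_cert_sha256"]:
        problems.append("no signing certificate: Onshape would have nothing to verify assertions with")
    if HTTP_POST not in info["sso"] and HTTP_REDIRECT not in info["sso"]:
        problems.append("no SingleSignOnService endpoint")
    for binding, url in info["sso"].items():
        if not url.startswith("https://"):
            problems.append(f"SSO endpoint for {binding} is not HTTPS: {url}")
    return problems


if __name__ == "__main__":
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_METADATA
    info = parse_metadata(text)
    print("entityID:", info["entity_id"])
    for fp in info["signing_cert_sha256"]:
        print("signing cert SHA-256:", fp)
    for binding, url in info["sso"].items():
        print("SSO endpoint:", binding.rsplit(":", 1)[-1], url)
    for p in check_metadata(info):
        print("PROBLEM:", p)
```

Run it against the real download (`python check_metadata.py FederationMetadata.xml`) and compare the printed certificate fingerprint with the thumbprint shown in the SAML Signing Certificate subsection of the Entra portal; a mismatch means you are holding a stale or wrong file. The fingerprint is also the value to record so you can tell, when Microsoft rotates the certificate, that the metadata in Onshape must be refreshed.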
Set up users and groups
- In the left navigation pane, select Users and groups.
- The Users and groups page appears. Click Add user/group.
- The Add Assignment page opens. On the left, click Users - None Selected. The Users pane opens on the right. Search for and select the users you would like to invite; each is moved into the Selected Items subsection below. Once all members are listed there, click the Select button.
- Click Assign.
- The Users and groups page appears with the new users.
You can now leave the Microsoft Entra portal; the remaining steps take place in Onshape.
Upload the XML configuration file in Onshape
- Sign in to your Onshape enterprise account, using your enterprise domain name, as an administrator. Select Enterprise settings from your account menu.
- Select Authentication from the left navigation menu.
- In the Single sign-on (SSO) subsection, click the Configure SSO provider button.
- The Create SSO provider dialog opens. In the Name field, enter a three-letter name, such as MSA. In the Provider type drop-down, select Microsoft Azure. Then click the Upload configuration file button.
- Locate and select the XML file you downloaded previously, and click Open.
- Click OK.
- The file is uploaded. A notification appears when the upload is completed.
- Sign out of both your Onshape and Microsoft accounts, and do a hard refresh of the browser on both sites. When you reach the Onshape sign-in page once again, it has a new Sign in link at the bottom for your single sign-on provider.
You can disable the standard Onshape password sign-in for your users so that only the SSO provider prompt is shown at your enterprise URL. Do not do this yet. First confirm that you yourself (as administrator) can sign in through the SSO provider; then return here to disable password sign-in. Otherwise a misconfigured claim or metadata file could leave you unable to sign in at all.
Enforcing SSO sign-in also means users can no longer sign in directly at non-enterprise domains such as cad.onshape.com.
Before a user can sign in to Onshape through SSO, an administrator must assign that user to the Onshape application in Entra ID (see Set up users and groups above).
Troubleshooting
If you see the following error:
Close all tabs, fully sign out of Microsoft, and sign back in. Then sign in to Onshape again.
Be aware that the test connection button in the Microsoft Entra admin center does not work for this integration.
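When sign-in fails after the redirect from Microsoft, the most useful evidence is the SAMLResponse the browser posted to Onshape: copy the form-decoded SAMLResponse field from the browser's network tools and inspect it. The script below is an added diagnostic, not Onshape's or Microsoft's code. It assumes that the claim Onshape matches against your enterprise prefix is the SAML attribute literally named companyName (the claim configured in the User Attributes & Claims step above) and that the captured value is plain base64 as used by the HTTP-POST binding. The sample response it builds is constructed and unsigned. It does not verify the XML signature, so it only shows what the identity provider sent and must never be used to accept a login.

```python
"""Decode a captured SAMLResponse and check the claims Onshape depends on.

Added diagnostic (not Onshape's or Microsoft's code). build_sample_response() produces a
constructed, unsigned response for offline use; pass a real base64 SAMLResponse on stdin.
"""
import base64
import sys
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
COMPANY_CLAIM = "companyName"  # assumption: the attribute name Onshape reads
ISSUER = "https://sts.windows.net/00000000-0000-0000-0000-000000000000/"  # placeholder tenant


def build_sample_response(company_value=None, status: str = SUCCESS) -> str:
    """Constructed response in the shape Entra posts to the service provider (no signature)."""
    company_attr = ""
    if company_value is not None:
        company_attr = (f'<saml:Attribute Name="{COMPANY_CLAIM}">'
                        f"<saml:AttributeValue>{company_value}</saml:AttributeValue></saml:Attribute>")
    xml = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_r1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>{ISSUER}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{status}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>{ISSUER}</saml:Issuer>
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
        <saml:AttributeValue>alice@example.com</saml:AttributeValue>
      </saml:Attribute>
      {company_attr}
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
    return base64.b64encode(xml.encode()).decode()


def decode_saml_response(b64: str) -> dict:
    """Return issuer, status, NameID and every attribute in the (unverified) assertion."""
    root = ET.fromstring(base64.b64decode(b64))
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    out = {
        "issuer": root.findtext("saml:Issuer", default="", namespaces=NS).strip(),
        "status": status.get("Value", "") if status is not None else "",
        "name_id": "",
        "attributes": {},
    }
    assertion = root.find("saml:Assertion", NS)
    if assertion is not None:
        out["name_id"] = assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS).strip()
        for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
            out["attributes"][attr.get("Name", "")] = [
                (v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
    return out


def check_company_claim(resp: dict, expected_prefix: str) -> list:
    """Problems that explain a failed Onshape sign-in; empty list means the claims look right."""
    problems = []
    if resp["status"] != SUCCESS:
        problems.append(f"IdP returned status {resp['status']!r}, not Success; the failure is on the Entra side")
    values = resp["attributes"].get(COMPANY_CLAIM, [])
    if not values:
        problems.append(f"no {COMPANY_CLAIM} claim in the assertion; check User Attributes & Claims in Entra")
    elif values != [expected_prefix]:
        # Exact string comparison: the page does not say Onshape is case-insensitive, so treat
        # any difference (case, whitespace, a stray domain suffix) as something to correct.
        problems.append(f"{COMPANY_CLAIM} is {values!r}, expected [{expected_prefix!r}]")
    return problems


if __name__ == "__main__":
    expected = sys.argv[1] if len(sys.argv) > 1 else "Fishbowl"
    captured = sys.stdin.read().strip() if not sys.stdin.isatty() else build_sample_response("Fishbowl")
    resp = decode_saml_response(captured)
    print("issuer:", resp["issuer"])
    print("status:", resp["status"])
    print("NameID:", resp["name_id"])
    for name, values in resp["attributes"].items():
        print("claim:", name, values)
    for p in check_company_claim(resp, expected):
        print("PROBLEM:", p)
```

Usage with a real capture: `python check_response.py Fishbowl < samlresponse.b64`, where the argument is the text before .onshape.com in your enterprise domain. The issuer printed should match the entityID of the metadata file you uploaded to Onshape; if it does not, the user signed in against a different tenant than the one Onshape trusts.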