Before starting the integration process, you must have requested, and been approved for, an Onshape Enterprise account or trial, and have an Onshape Enterprise domain name.

An example of an Enterprise domain name might be:

You can use only one (single sign-on) SSO provider at a time.

This configuration process will fail without parameter values customized for your organization. Use your ClassLink single sign-on dashboard to add Onshape as an application and record the values that are specific for your organization. You need those values for the following procedure.

Onshape signs all outgoing SAML certification requests. You are not required to upload any certificates (for example, a SAML signing certificate), except in the case of ADFS integration because ADFS validates incoming SAML requests.

Add Onshape to your ClassLink single sign-on account

  1. Navigate to the ClassLink SAML console, and enter the following value in the CompanyName field:

  2. Edit Service Provider dialog

  3. Metadata url or text - The customer must provide ClassLink IDP metadata URL.

  4. Login URL - District code is added in the box for Login URL or leave this field empty for Default Login URL

  5. ICON URL - Click here, search for the application, right-click and then copy the link address to enter it into the box (shown below).

    Icon service provider URL box

  6. Attribute Mapping - Enter the following attributes:

    • Select Given Name and rename in the box “firstName”

    • Select Family Name and rename in the box “lastName”

    • Select Email and rename in the box “email”

    • Select Custom Attribute and rename to “companyName”. Then enter your company name.
      The company name is the same as the domain prefix of a your education enterprise. For example, if your Onshape enterprise name is, enter Fishbowl into the field.

  7. Metadata Overrides

    • Select NameId Format from fields to override and select emailAddress

    • Select Signature Algorithm from fields to override and select RSA_SHA256

    • Select NameId Value from fields to override and select Email

    • Select Saml NotBefore from fields to override and add 3

  8. Update to save.

    Select and copy IDP initiate Login URL to add the app in the local library.

    IDP initiate Login URL field

Upload the metadata configuration file in Onshape

Onshape requires a metadata configuration file for the SSO with Classlink. Consult ClassLink to obtain and download the metadata file needed to complete the following steps.

  1. Sign in to your Onshape enterprise account, using your specialized domain name, as an administrator. Select Enterprise settings from your account.

    Signing into Enterprise settings from My user account

  2. Select Authentication from the left navigation menu.

    Configuring SSO in Onshape step 2

  3. In the Single sign-on (SSO) subsection, click the Configure SSO provider button.

    Enterprise Settings menu item

  4. The Create SSO provider dialog opens. In the Name field, enter name, such as ClassLink. In the Provider type drop-down, select ClassLink. Then click the Upload configuration file button.

    Create SSO provider dialog

  5. Locate and select the metadata configuration file you obtained from ClassLink, and click Open.

    Windows Open dialog

  6. Click OK.

  7. The file is uploaded. A notification appears when the upload is completed.

  8. You can disable the typical Onshape password sign-in for your users and show only the SSO provider sign-in prompt for the Onshape URL. However, do not perform this step at this time. Make sure you can sign in to Onshape yourself (as administrator) before disabling this additional sign-in option. You can return here later, once you verify you can sign in through your SSO provider.

    Choosing to enforce signing in to Onshape via SSO also results in users not being able to sign in to non-enterprise domains directly, such as

  9. Sign out of both your Onshape and ClassLink accounts. Be sure to do a hard refresh of both accounts. When you reach the Onshape sign-in page once again, the page has a new Sign in link at the bottom, for your Single sign-on provider.

    Onshape Sign-in screen