Before starting the integration process, you must have requested, and been approved for, an Onshape Enterprise account or trial, and have an Onshape Enterprise domain name.

An example of an Enterprise domain name might be: MyCompanyName.onshape.com.

You can use only one single sign-on (SSO) provider at a time.

This configuration process might fail without parameter values customized for your organization. Use your custom single sign-on dashboard to add Onshape as an application and record the values that are specific for your organization. You need those values for the following procedure.

Onshape signs all outgoing SAML certification requests. You are not required to upload any certificates (for example, a SAML signing certificate), except in the case of ADFS integration because ADFS validates incoming SAML requests. Note that Microsoft also recommends migration from the latest version of ADFS to Microsoft Entra ID. See ADFS Overview for more information.

Add Onshape to your custom single sign-on account

Each identity provider (IdP) has its own proprietary setup procedure. Consult your identity provider's single sign-on setup instructions for the exact procedure to follow. The instructions in this section are meant to be used as general guidelines only.

Onshape only supports the SAML HTTP-POST binding.
Onshape does not have a way to express its SAML configuration as a metadata XML file.

In your identity provider console, create a new trust relationship (sometimes called a "relying party") with the following configuration:

  1. Assertion consumer service (ACS) URL: https://cad.onshape.com/identity/saml2/sso

  2. Entity ID: com.onshape.saml2.sp

  3. The assertion subject's NameId value. This is the email address of the user to whom the SAML assertion corresponds.

  4. The three SAML assertion attributes required by Onshape (sometimes called "claims"):

    • firstName - The assertion subject's given name.

    • lastName - The assertion subject's family name.

    • companyName - The assertion subject's company. In most cases the company name is the same as the domain prefix of your enterprise. For example, if your Onshape enterprise name is fishbowl.onshape.com, enter fishbowl into this field.

  5. Locate and copy the SAML IdP Metadata XML file to your clipboard. You will need this later in the process.

  6. Make the new trust relationship available to all users to whom you want to provide Onshape SSO access.
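Before uploading anything to Onshape, you can check a test response from your IdP against the values listed above. The following is an added example, not Onshape's code: check_response is a hypothetical helper, the sample response is constructed, and it assumes your IdP sets Destination and Audience to the ACS URL and Entity ID and that attribute names must match exactly.

```python
import re
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ACS_URL = "https://cad.onshape.com/identity/saml2/sso"  # from the page
ENTITY_ID = "com.onshape.saml2.sp"                       # from the page
REQUIRED_ATTRS = ("firstName", "lastName", "companyName")

def check_response(xml_text):
    """Return a list of problems in a decoded SAML Response (empty list = OK)."""
    root = ET.fromstring(xml_text)  # local test captures only; no signature check
    problems = []
    if root.get("Destination") != ACS_URL:
        problems.append("Destination is not the Onshape ACS URL")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["no Assertion element"]
    audiences = [a.text.strip() for a in assertion.iterfind(".//saml:Audience", NS) if a.text]
    if ENTITY_ID not in audiences:
        problems.append("Audience does not include the Onshape entity ID")
    name_id = assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS)
    if not re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", name_id.strip()):
        problems.append("NameID is not an email address")
    present = {}
    for attr in assertion.iterfind("saml:AttributeStatement/saml:Attribute", NS):
        value = attr.findtext("saml:AttributeValue", default="", namespaces=NS)
        present[attr.get("Name")] = value.strip()
    for name in REQUIRED_ATTRS:  # assumption: names must match exactly
        if not present.get(name):
            problems.append(f"missing or empty attribute: {name}")
    return problems

# Constructed sample response (not from a real IdP), unsigned.
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    Destination="https://cad.onshape.com/identity/saml2/sso">
  <saml:Assertion>
    <saml:Subject><saml:NameID>jane@example.com</saml:NameID></saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>com.onshape.saml2.sp</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="firstName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="lastName"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="companyName"><saml:AttributeValue>fishbowl</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
print(check_response(SAMPLE) or "all checks passed")
```

A common cause of a non-empty result is an IdP that emits claims under its own default names instead of firstName, lastName and companyName.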

Upload the metadata configuration file in Onshape

  1. Sign in to your Onshape enterprise account, using your specialized domain name, as an administrator. Select Enterprise settings from your account.

  2. Select Authentication from the left navigation menu.

  3. In the Single sign-on (SSO) subsection, click the Configure SSO provider button.

  4. The Create SSO provider dialog opens. In the Name field, enter a name, usually the name of your identity provider, here noted as Custom IDP. In the Provider type drop-down, select Custom SSO. Then click the Upload configuration file button.

  5. Locate and select the metadata configuration file you downloaded previously, and click Open.

  6. Click OK.

  7. The file is uploaded. A notification appears when the upload is completed.

  8. You can disable the typical Onshape password sign-in for your users and show only the SSO provider sign-in prompt for the Onshape URL. However, do not perform this step at this time. Make sure you can sign in to Onshape yourself (as administrator) before disabling this additional sign-in option. You can return here later, once you verify you can sign in through your SSO provider.

    Choosing to enforce signing in to Onshape via SSO also results in users not being able to sign in to non-enterprise domains directly, such as cad.onshape.com.

  9. Sign out of both your Onshape and custom identity provider accounts. Be sure to do a hard refresh of both accounts. When you reach the Onshape sign-in page once again, the page has a new Sign in link at the bottom, for your Single sign-on provider.
