Before starting the integration process, you must have requested, and been approved for, an Onshape Enterprise account or trial, and have an Onshape Enterprise domain name.

An example of an Enterprise domain name might be: MyCompanyName.onshape.com.

Note that you are only able to use one SSO provider at a time.

This configuration process might fail without parameter values customized for your organization. Use your custom SSO identity provider (for example: Okta, PingOne, or ClassLink) dashboard to add Onshape as an application and record the values that are specific for your organization. You need those values for the following procedure.

Onshape signs all outgoing SAML certification requests. You are not required to upload any certificates (for example, a SAML signing certificate), except in the case of ADFS integration because ADFS validates incoming SAML requests. Note that Microsoft also recommends migration from the latest version of ADFS to Microsoft Entra ID. See ADFS Overview for more information.

Steps

  1. Navigate to your Account settings menu and select Enterprise settings.

  2. Select Authentication in the left pane.

  3. When the Authentication page opens, select "Configure SSO provider" under the Single sign on (SSO) heading. The following dialog opens:

    Create SSO provider dialog

  4. Give the configuration a name, "Google SSO", for example.

  5. Select a provider type of Google.

  6. If you wish to provision users through a specific domain name (@companyname.com, or @schoolname.edu, for example), enter that domain in the Domain whitelist field without the @ symbol. (Note that provisioning users this way automatically assigns them as Full users or Light users depending on the Enterprise SSO auto-provisioning setting. See Enterprise Settings - Preferences and navigate to the Single sign on (SSO) user auto-provisioning dropdown for more information.)

    Create SSO provider dialog showing the provisioning of users through a specific domain name

    Using a domain whitelist means that anyone with a valid email address in that domain will be granted access to the Onshape enterprise account, as a Full user. Use care in provisioning via a generic domain, like @gmail.com, for example.

    If you do not wish to grant entry to all users within a specific domain, you can leave that field empty, then add users later as members of the enterprise through an email sent by the admin. Keep in mind that the email has to match the user's Google SSO email. If the user already has a Google account, they can sign in immediately upon receiving the email. If the user doesn't have an account, or has a pending account, Onshape activates their enterprise account and sets their Onshape first/last name to the details found in their Google profile.

  7. Check the box to Enable SSO provider.

  8. If you wish to require all users to sign in to Onshape via the SSO provider only, check the box next to "Disable Onshape password sign in". When you disable Onshape password sign in, users will see only the sign in for Google, and not for Onshape.

    Their password for Onshape will not be valid.

    The administrator will also be forced to sign in to Onshape through the Google SSO. As a failsafe, it is highly recommended that admins copy the Password sign in URL and save it in a safe place, in the event they need to sign in directly through Onshape:
    Example showing the Password sign in URL for admins

    Choosing to enforce signing in to Onshape via SSO also results in users not being able to sign in to non-enterprise domains directly, such as cad.onshape.com.
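
The following is an added example, not Onshape code: a pre-flight check in Python for the Domain whitelist value from step 6, showing which accounts in a constructed list would be admitted by domain, which by invitation, and which invitations match no Google account. The exact-match rule, the list of generic mail domains and all function names are assumptions made for illustration.

```python
PUBLIC_MAIL_DOMAINS = {"gmail.com", "googlemail.com", "outlook.com", "yahoo.com"}  # constructed, not exhaustive

def normalize_domain(entry):
    """Lower-case a whitelist entry and drop a leading @ or trailing dot."""
    return entry.strip().lower().lstrip("@").rstrip(".")

def check_whitelist_entry(entry):
    """Return a list of problems with a proposed Domain whitelist value."""
    problems = []
    if entry.strip().startswith("@"):
        problems.append("enter the domain without the @ symbol")
    domain = normalize_domain(entry)
    if "." not in domain or "@" in domain or " " in domain:
        problems.append("not a bare domain name")
    if domain in PUBLIC_MAIL_DOMAINS:
        problems.append("generic mail domain: every address there would be admitted")
    return problems

def email_domain(email):
    """Domain part of an address, or None if the address is malformed."""
    local, sep, domain = email.strip().lower().rpartition("@")
    return domain.rstrip(".") if sep and local and domain else None

def audit(google_accounts, whitelist_entry, invited):
    """Classify accounts under a whitelist entry plus explicit invitations."""
    # Assumption: the whitelist matches the whole domain exactly, so
    # sub.companyname.com and notcompanyname.com do not match companyname.com.
    domain = normalize_domain(whitelist_entry) if whitelist_entry else None
    invited_set = {e.strip().lower() for e in invited}
    known = {a.strip().lower() for a in google_accounts}
    result = {"by_domain": [], "by_invite": [], "no_access": []}
    for acct in sorted(known):
        if domain and email_domain(acct) == domain:
            result["by_domain"].append(acct)
        elif acct in invited_set:
            result["by_invite"].append(acct)
        else:
            result["no_access"].append(acct)
    # An invitation has to match the user's Google SSO email; these match none.
    result["unmatched_invites"] = sorted(invited_set - known)
    return result

# Constructed sample data, not real accounts.
ACCOUNTS = ["ana@companyname.com", "Bo@CompanyName.com", "cy@sub.companyname.com",
            "dee@notcompanyname.com", "eli@gmail.com"]
INVITED = ["eli@gmail.com", "fay@companyname.org"]

if __name__ == "__main__":
    print(check_whitelist_entry("@gmail.com"))
    print(audit(ACCOUNTS, "companyname.com", INVITED))
```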