Before starting the integration process, you must have requested, and been approved for, an Onshape Enterprise account or trial, and have an Onshape Enterprise domain name.

An example of an Enterprise domain name might be: MyCompanyName.onshape.com.

Note that you can use only one single sign-on (SSO) provider at a time.

Onshape signs all outgoing SAML certification requests. You are not required to upload any certificates (for example, a SAML signing certificate), except in the case of ADFS integration because ADFS validates incoming SAML requests. Note that Microsoft also recommends migration from the latest version of ADFS to Microsoft Entra ID. See ADFS Overview for more information.

Steps

  1. Navigate to your Account settings menu and select Enterprise settings.

  2. Select Authentication in the left pane.

  3. When the Authentication page opens, select "Configure SSO provider" under the Single sign on (SSO) heading. The following dialog opens:

    Create SSO provider dialog

  4. Give the configuration a name, for example "Google SSO".

  5. Select a provider type of Google.

  6. If you wish to provision users through a specific domain name (@companyname.com, or @schoolname.edu, for example), enter that domain in the Domain whitelist field without the @ symbol. (Note that provisioning users this way automatically assigns them as Full users or Light users depending on the Enterprise SSO auto-provisioning setting. See Enterprise Settings - Preferences and navigate to the Single sign on (SSO) user auto-provisioning dropdown for more information.)

    Create SSO provider dialog showing the provisioning of users through a specific domain name

    Using a domain whitelist means that anyone with a valid email address in that domain will be granted access to the Onshape enterprise account, as a Full user. Use care when provisioning via a generic domain such as @gmail.com.

    If you do not wish to grant entry to all users within a specific domain, you can leave that field empty, then add users later as members of the enterprise through an email sent by the admin. Keep in mind that the email has to match the user's Google SSO email. If the user already has a Google account, they can sign in immediately upon receiving the email. If the user doesn't have an account, or has a pending account, Onshape activates their enterprise account and sets their Onshape first/last name to the details found in their Google profile.

  7. Check the box to Enable SSO provider.

  8. If you wish to require all users to sign in to Onshape via the SSO provider only, check the box next to "Disable Onshape password sign in". When you disable Onshape password sign in, users will see only the sign-in for Google, and not for Onshape.

    Their password for Onshape will not be valid.

    The administrator will also be forced to sign in to Onshape through the Google SSO. As a failsafe, it is highly recommended that admins copy the Password sign in URL and save it in a safe place, in the event they need to sign in directly through Onshape:
    Example showing the Password sign in URL for admins
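
The domain whitelist caution in step 6, as an added example that is not part of Onshape's documentation or code: a pre-check to run on a value before typing it into the Domain whitelist field, plus a preview of which addresses it would admit. The function names, the list of public mail domains and the sample addresses are constructed for illustration, and the exact-match rule on the domain part is an assumption about how the whitelist is evaluated.

```python
# Added example, not Onshape code. Assumption: an address is admitted when the
# part after the last '@' equals the whitelist entry exactly (case-insensitive).

# Constructed, non-exhaustive list of public mail domains open to anyone.
PUBLIC_MAIL_DOMAINS = {"gmail.com", "googlemail.com", "outlook.com",
                       "hotmail.com", "yahoo.com", "icloud.com"}


def normalize_domain(entry):
    """Return the entry as the field expects it: no '@', trimmed, lowercase."""
    return entry.strip().lstrip("@").lower()


def review_whitelist_entry(entry):
    """Return findings for a proposed whitelist value (empty list: none)."""
    findings = []
    domain = normalize_domain(entry)
    if not domain:
        return findings  # empty field: nobody auto-provisioned, invite by email
    if entry.strip() != domain:
        findings.append(f"enter '{domain}' (no '@', lowercase)")
    if domain in PUBLIC_MAIL_DOMAINS:
        findings.append(f"'{domain}' is a public mail domain open to anyone")
    if "." not in domain or " " in domain or "@" in domain:
        findings.append(f"'{domain}' does not look like a single domain name")
    return findings


def would_auto_provision(email, entry):
    """True if this address would be admitted under the assumed exact match."""
    domain = normalize_domain(entry)
    local, sep, email_domain = email.strip().lower().rpartition("@")
    return bool(domain and sep and local) and email_domain == domain


if __name__ == "__main__":
    # Constructed sample addresses.
    sample = ["alice@companyname.com", "bob@evilcompanyname.com",
              "carol@mail.companyname.com", "dave@gmail.com"]
    for entry in ["@CompanyName.com", "companyname.com", "gmail.com", ""]:
        print(repr(entry), "findings:", review_whitelist_entry(entry))
        for addr in sample:
            if would_auto_provision(addr, entry):
                print("   would be auto-provisioned:", addr)
```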