Before starting the integration process, you must have requested, and been approved for, an Onshape Enterprise account or trial, and have an Onshape Enterprise domain name.

An example of an Enterprise domain name might be: MyCompanyName.onshape.com.

Note that you are only able to use one SSO provider at a time.

This configuration process might fail without parameter values customized for your organization. Use your custom SSO identity provider (for example: Okta, PingOne, or ClassLink) dashboard to add Onshape as an application and record the values that are specific for your organization. You need those values for the following procedure.

Onshape signs all outgoing SAML requests. You are not required to upload any certificates (for example, a SAML signing certificate), except in the case of ADFS integration, because ADFS validates incoming SAML requests. Note that Microsoft also recommends migrating from the latest version of ADFS to Microsoft Entra ID. See ADFS Overview for more information.

OneLogin SSO setup for Onshape

Sign in to the OneLogin administration panel to set up a new app connector to Onshape. Go to <yourdomain>.onelogin.com/admin.

Add new application

  1. Select Applications from the top navigation bar.
  2. Select Applications.

OneLogin Applications dropdown screenshot

  1. Click Add App in the upper right corner.
  2. Search for SAML.
  3. Select SAML Test Connector (Advanced).

Add SAML Test Connector dialog

  1. Set the Display Name as "Onshape" and use any applicable icons.
  2. Click Save.

Configuration

Once the application is saved, more options become available for modification. This section sets up the application details that the integration depends on. Details about each section can be found on the Test connector configuration page.

  1. RelayState: Leave blank
  2. Audience (EntityID): com.onshape.saml2.sp
  3. Recipient: https://cad.onshape.com/identity/saml2/sso
  4. ACS (Consumer) URL Validator*: https://cad.onshape.com/identity/saml2/sso$ (this field is a regular expression; keep the trailing $ so that only the exact ACS URL is accepted)
  5. ACS (Consumer) URL*: https://cad.onshape.com/identity/saml2/sso
  6. Single Logout URL: https://<custom_onshape_domain>.onshape.com
  7. Login URL: https://<custom_onshape_domain>.onshape.com
  8. SAML not valid before: 3 (Default value)
  9. SAML not valid on or after: 3 (Default value)
  10. SAML initiator: OneLogin (select this if you want users to sign in directly from the OneLogin portal page)
  11. SAML nameID format: Email
  12. SAML issuer type: Specific
  13. SAML signature element: Assertion
  14. Encrypt assertion: (Unchecked)
  15. SAML encryption method: TRIPLEDES-CBC (Default)
  16. Sign SLO Response: (Unchecked)
  17. SAML sessionNotOnOrAfter: 1440 (Default)
  18. Generate Attribute Value tag for empty values: (Checked)
  19. Sign SLO Request: (Unchecked)

Parameters

These parameters are passed to Onshape in the SAML assertion during the SSO handshake. Configure them as follows:

  1. NameID value: Email (Default value)
  2. companyName: Macro type. Type the custom domain prefix into the field: for a domain such as "company.onshape.com", enter only "company".

Editing the companyName field dialog

  1. firstName: Map to First Name and include in SAML assertion
  2. lastName: Map to Last Name and include in SAML assertion
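To verify that OneLogin sends what the connector settings and parameters above promise, the following added script (not part of this page, OneLogin or Onshape tooling) checks a SAML response, such as one captured in your own browser with a SAML tracer extension, against those values. The sample response is constructed, the signature value is a placeholder, and the script checks structure only, not the signature itself; it assumes the Email NameID format is the standard SAML 1.1 emailAddress URN.

```python
import xml.etree.ElementTree as ET  # use defusedxml.ElementTree for XML you do not control
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion", "ds": "http://www.w3.org/2000/09/xmldsig#"}
# Values Onshape expects; they mirror the OneLogin connector settings and parameters listed above
AUDIENCE = "com.onshape.saml2.sp"
RECIPIENT = "https://cad.onshape.com/identity/saml2/sso"
NAMEID_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
REQUIRED_ATTRS = {"companyName", "firstName", "lastName"}

def _utc(stamp):  # parse a SAML UTC timestamp such as 2030-01-01T00:03:00Z (fractions ignored)
    return datetime.strptime(stamp[:19], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)

def check_assertion(xml_text, now):
    """Return the list of mismatches against the Onshape settings; an empty list means it matches."""
    now = _utc(now) if isinstance(now, str) else now
    a = ET.fromstring(xml_text).find(".//saml:Assertion", NS)
    if a is None:
        return ["no Assertion element in response"]
    problems = []
    if a.find("ds:Signature", NS) is None:  # "SAML signature element: Assertion"
        problems.append("Assertion element is not signed")
    nid = a.find("saml:Subject/saml:NameID", NS)  # "SAML nameID format: Email"
    if nid is None or nid.get("Format") != NAMEID_FORMAT:
        problems.append("NameID format is not emailAddress")
    scd = a.find(".//saml:SubjectConfirmationData", NS)  # "Recipient"
    if scd is None or scd.get("Recipient") != RECIPIENT:
        problems.append("Recipient is not the Onshape ACS URL")
    cond = a.find("saml:Conditions", NS)  # "Audience (EntityID)" plus the not-before/not-after window
    if cond is None or cond.findtext("saml:AudienceRestriction/saml:Audience", namespaces=NS) != AUDIENCE:
        problems.append("Audience is not " + AUDIENCE)
    nb, na = (cond.get("NotBefore"), cond.get("NotOnOrAfter")) if cond is not None else (None, None)
    if not (nb and na and _utc(nb) <= now < _utc(na)):
        problems.append("assertion is outside its NotBefore/NotOnOrAfter window")
    present = {x.get("Name") for x in a.findall(".//saml:Attribute", NS)}  # "Parameters" section
    problems += ["missing attribute " + n for n in sorted(REQUIRED_ATTRS - present)]
    return problems

# Constructed sample response (not captured from OneLogin); the signature value is a placeholder
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<saml:Assertion><ds:Signature><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
<saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">ada@company.com</saml:NameID>
<saml:SubjectConfirmation><saml:SubjectConfirmationData Recipient="https://cad.onshape.com/identity/saml2/sso"/></saml:SubjectConfirmation></saml:Subject>
<saml:Conditions NotBefore="2030-01-01T00:00:00Z" NotOnOrAfter="2030-01-01T00:06:00Z">
<saml:AudienceRestriction><saml:Audience>com.onshape.saml2.sp</saml:Audience></saml:AudienceRestriction></saml:Conditions>
<saml:AttributeStatement><saml:Attribute Name="companyName"><saml:AttributeValue>company</saml:AttributeValue></saml:Attribute>
<saml:Attribute Name="firstName"><saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute>
<saml:Attribute Name="lastName"><saml:AttributeValue>Lovelace</saml:AttributeValue></saml:Attribute>
</saml:AttributeStatement></saml:Assertion></samlp:Response>"""
```

Call `check_assertion(SAMPLE, "2030-01-01T00:03:00Z")` to see the empty list for the sample; the 3-minute defaults on the connector give a six-minute window, so a clock skew larger than that between OneLogin and Onshape shows up as the window error.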

SSO

Here, you will have to set only the SAML Signature Algorithm option.

Example setup of the SAML Test Connector dialog

Download the SAML Metadata

Now that OneLogin is configured and saved, open the More Actions menu in the upper right corner and select SAML Metadata, which downloads an XML file to your local machine. This file is used when setting up OneLogin in the Onshape Enterprise Authentication settings.

Configure the SSO Provider in Onshape

Once Onshape is configured in the identity provider and you have downloaded the identity provider's metadata file (referred to in Onshape as the configuration file), the SSO provider can be configured in Onshape.

The example images below show a generic identity provider being configured, but the steps are the same for all identity providers.

  1. Sign in to your Onshape Enterprise account, using your specialized domain name, as an administrator. Select Enterprise settings from your account:

    Going into My Account menu and clicking the Enterprise settings button

  2. Select Authentication from the left navigation menu:

    Selecting Authentication from the left side navigation menu

  3. In the Single sign-on (SSO) subsection, click the Configure SSO provider button:

    Clicking the Configure SSO provider under the Single sign on (SSO) settings

  4. The Create SSO provider dialog opens:

    Create SSO Provider dialog

    1. In the Name field, enter a name, such as Custom SSO.

    2. In the Provider type dropdown, select your SSO provider from the list.

    3. Leave Enable SSO provider checked.

    4. Leave Disable Onshape password sign in unchecked for the moment.

      Disable Onshape password sign in disables the usual Onshape password sign in for you and your users; only the SSO provider sign in prompt is displayed for the Onshape URL. Before checking this option, ensure you can sign in to Onshape yourself (as administrator) through the SSO provider. You can return here later and enable it once sign in through your SSO provider is verified to work correctly.

      Choosing to enforce signing in to Onshape via SSO also results in users not being able to sign in to non-enterprise domains directly, such as cad.onshape.com.

    5. Click the Upload configuration file button:

  5. Locate and select the metadata configuration file you downloaded previously, and click Open:

    Opening the previously downloaded XML metadata file

  6. Click OK:

    Finalizing the creation of the SSO Provider by clicking OK

  7. The file is uploaded. A notification appears when the upload is completed:

    Notification showing the SSO Configuration file was successfully uploaded

  8. Sign out of both your Onshape and SSO provider accounts. Be sure to do a hard refresh of both accounts. When you reach the Onshape sign-in page once again, the page has a new Sign in link at the bottom, for your SSO provider.

    Onshape Sign-in screen

In order to sign in to Onshape, administrators must provision their users (in their single sign-on account) to use the Onshape application.