Sign into the OneLogin administration panel to setup a new app connector to Onshape. Go to <yourdomain>.onelogin.com/admin

Onshape signs all outgoing SAML certification requests. You are not required to upload any certificates (for example, a SAML signing certificate), except in the case of ADFS integration because ADFS validates incoming SAML requests. Note that Microsoft also recommends migration from the latest version of ADFS to Microsoft Entra ID. See ADFS Overview for more information.

Add new application

  1. Select Applications from the top navigation bar.
  2. Select Applications.

OneLogin Applications dropdown screenshot

  1. Click Add App in the upper right corner.
  2. Search for SAML.

  3. Select SAML Test Connector (Advanced).

Add SAML Test Connector dialog

  1. Set the Display Name as "Onshape" and use any applicable icons.
  2. Click Save.

Configuration

Once the application is saved, there are more options that will be available for modification. This next section will setup important application details for the integration. Details about each section can be found on the Test connector configuration page.

  1. RelayState: Leave blank
  2. Audience (EntityID): com.onshape.saml2.sp
  3. Recipient: https://cad.onshape.com/identity/saml2/sso
  4. ACS (Consumer) URL Validator*: https://cad.onshape.com/identity/saml2/sso$
  5. ACS (Consumer) URL*: https://cad.onshape.com/identity/saml2/sso
  6. Single Logout URL: https://<custom_onshape_domain>.onshape.com
  7. Login URL: https://<custom_onshape_domain>.onshape.com
  8. SAML not valid before: 3 (Default value)
  9. SAML no valid on or after: 3 (Default value)
  10. SAML initiator: OneLogin (this is if you want your portal page to sign directly in)
  11. SAML nameID format: Email
  12. SAML issuer type: Specific
  13. SAML signature element: Assertion
  14. Encrypt assertion: (Unchecked)
  15. SAML encryption method: TRIPLEDES-CBC (Default)
  16. Sign SLO Response: (Unchecked)
  17. SAML sessionNotOnOrAfter: 1440 (Default)
  18. Generate Attribute Value tag for empty values: (Checked)
  19. Sign SLO Request: (Unchecked)

Parameters

This should be configured to pass the appropriate information over to Onshape during the SSO handshake. These values are as follows:

  1. NameID value: Email (Default value)

  2. companyName: Macro type (type in the custom domain name into the field), for example, in a domain that is "company.onshape.com" enter only "company" in this field

Editing the companyName field dialog

  1. firstName: Map to First Name and include in SAML assertion
  2. lastName: Map to Last Name and include in SAML assertion

SSO

Here, you will have to set only the SAML Signature Algorithm option.

Example setup of the SAML Test Connector dialog

Download the SAML Metadata

Now that OneLogin is configured and saved, in the upper right corner, pull down the More Actions menu and select SAML Metadata, which downloads an XML file to your local machine. This file will be used in the set up of OneLogin in the Onshape Enterprise Authentication settings.

Once OneLogin is configured, setting up the Onshape Authentication options can be completed.

  1. Sign into the Enterprise with an Administrator account.
  2. Click the account name in the upper right corner, select Enterprise settings.
  3. Select Authentication on the left side filter.
  4. Click the Configure SSO provider button.
  5. Give the connection a name: OneLogin
  6. Select OneLogin from the provider type.
  7. Click the Upload configuration file button and select the XML file that was downloaded.
  8. Click OK.

Testing the connection

Now that both Onshape and OneLogin are configured it is time to test. Go to the OneLogin portal and click on the Onshape application. Sign in should be redirected to the Activity page in the Onshape enterprise.