Before starting the integration process, you must have requested, and been approved for, an Onshape Enterprise account or trial, and have an Onshape Enterprise domain name.

An example of an Enterprise domain name might be: MyCompanyName.onshape.com.

Note that you are only able to use one SSO provider at a time.

This configuration process might fail without parameter values customized for your organization. Use your Okta single-sign on and record the values that are specific for your organization. You need those values for the following procedure.

Onshape signs all outgoing SAML certification requests. You are not required to upload any certificates (for example, a SAML signing certificate), except in the case of ADFS integration because ADFS validates incoming SAML requests. Note that Microsoft also recommends migration from the latest version of ADFS to Microsoft Entra ID. See ADFS Overview for more information.

Adding Onshape to your Okta single sign on account

To enable single sign on for your company, you must first add Onshape to your Okta account:

  1. Sign in to your Okta account.
  2. Click Applications in the menu ribbon.
  3. Click the Add Application button.
  4. Type ‘Onshape’ in the search field.
  5. When Onshape appears, click the Add button.
  6. The ‘Add Onshape’ page appears.
  7. Enter your domain prefix for your Enterprise. (For example, MyCompanyName from the URL mentioned above.)
  8. Click Next.

At this point, you may assign Onshape to users in your account. On the Assign Onshape to People page, follow your usual procedure to add more users to the Onshape application.

Download the single sign on file

Once you are finished adding users to the Onshape application in your Okta account, download the Identity Provider metadata file (referred to in Onshape as the configuration file):

  1. From the Onshape application page within your Okta account, click Sign On from the menu ribbon.
  2. In the SAML Signing Certificates section, click the Actions button to the right of the active SHA-2 certificate. and then click View IdP metadata. When the page opens, right-click and save this information as an .xml file.

Upload the configuration file in Onshape

After downloading the metadata file from Okta:

  1. Sign in to your Onshape Enterprise account, using your specialized domain name, as an administrator.
  2. Select Company/Enterprise settings from the User menu.
  3. Select Authentication from the left menu.
  4. In the Single sign on (SSO) section:
    1. Click Upload configuration file.
    2. Select the metadata file you previously downloaded and click Open.
    3. In the dialog, enter a name for the SSO Provider and check the Enable SSO provider checkbox.
    4. Click OK.
  5. You see the Authentication section of Company/Enterprise settings listing the newly integrated Single Sign on:

    Authentication dialog showing the Two-factor authentication (2FA) and Single sign on (SSO) settings

  6. Sign out of the Onshape account.
  7. Do a hard refresh of the Onshape account page; notice the page has a new Sign in link at the bottom, (see the example of Sign in with Okta link below):

    Example of the Onshape sign in page with the Sign in with Okta button

  8. In order to sign in to Onshape, administrators must provision their users (in their single sign on account) to use the Onshape application.

Requiring Onshape sign in through Okta

Once you have signed in to Onshape as administrator, if you'd like to require your users to sign in only through the identity provider, you can return to the Company/Enterprise settings > Authentication page and check 'Disable Onshape password sign in':

To disable the typical Onshape password sign in for your users (and show just the SSO provider sign in), check the Disable Onshape password sign in checkbox.

Create SSO Provider dialog

You can disable the typical Onshape password sign in for your users and show just the SSO provider sign in prompt for the Onshape URL. However, do not perform this step at this time. Make sure you can sign in to Onshape yourself (as administrator) before disabling this additional sign in option. You can return here later, once sign in through your SSO provider has been verified to work correctly.

Choosing to enforce signing in to Onshape via SSO also results in users not being able to sign in to non-enterprise domains directly, such as cad.onshape.com.

With Onshape password sign in disabled, users will not see an Onshape sign in, they will see only an Okta sign in, like the one below:

Example of the Onshape sign in page with the Sign in with Okta button