Before starting the integration process, you must have requested, and been approved for, an Onshape Enterprise account or trial, and have an Onshape Enterprise domain name.

An example of an Enterprise domain name might be: MyCompanyName.onshape.com.

You can use only one (single sign-on) SSO provider at a time.

This configuration process might fail without parameter values customized for your organization. Use your PingOne single sign-on dashboard to add Onshape as an application and record the values that are specific for your organization. You need those values for the following procedure.

Onshape signs all outgoing SAML certification requests. You are not required to upload any certificates (for example, an SAML signing certificate), except in the case of ADFS integraion because ADFS validates incoming SAML requests.

Add Onshape to your PingOne single sign-on account

To enable single sign-on for your company, you must first add the Onshape application to your PingOne single sign-on account:

  1. Sign in to the PingOne portal as an Administrator. Click the Connections icon on the left side navigation pane.

  2. PingIdentity page, clicking Connections from the left side navigation bar

  3. Click Add Application.

    PingIdentity Applications page with Add Application button outlined

  4. Click the Web App box. Then click the Configure button to the right of the SAML connection type.

    Clicking the Web App box and then clicking the Configure button in the SAML Connection type dialog

  5. In the Create App Profile tab that opens, enter an Application Name and Description. Then click the Next button at the bottom of the pane.

    Create App Profile page with Application name and Description outlined

  6. In the Configure SAML tab that opens, enter https://cad.onshape.com/identity/saml2/sso in the ACS URL field.

  7. The ACS URL, above, must be "cad.onshape.com" and not the URL of your Onshape enterprise.

    Configure SAML Connection page with the Metadata file outlined

  8. In the same tab, scroll down and enter com.onshape.saml2.sp In the Entity ID field, and 300 In the Assertion Validity Duration in Seconds field. Then click the Save and Continue button.

    PingIdentity Onshape Application page, with Entity ID and Assertion Validity outlined.

  9. In the Map Attributes tab, select Email Address from the PingOne User Attribute drop-down list.

    Attribute Mapping page with the SAML Attributes outlined

  10. In the same tab, create the following three SAML Attributes:

    1. Click the Add Attribute link and select Static Attribute from the drop-down list. This creates the first Static Attribute. In the Static Key field, enter firstName, and in the Static Value field enter First Name.

    2. Click the Add Attribute link again, and select Static Attribute from the drop-down list. This creates the second Static Attribute. In the Static Key field, enter lastName, and in the Static Value field enter Last Name.

    3. Click the Add Attribute link again, and select Static Attribute from the drop-down list. This creates the third Static Attribute. In the Static Key field, enter companyName, and in the Static Value field enter your domain name prefix. For example, if your Onshape enterprise name is Fishbowl.onshape.com, enter Fishbowl into the field.

    4. Selecting Static Attribute from the SAML Attributes page

  11. Once all three SAML Attributes are entered, it should look similar to the image below. Click the Save and Close button.

    Mapping Attributes on the SAML Attributes page

  12. The Applications window opens. Click the Avg daily sign-ons switch to enable sign-ons to the application. A notice appears at the top right corner stating that the application is Successfully Saved.

    Applications page showing the switch to turn on the Average daily sign-ons

  13. Click the Configuration subsection. Then click the Download button to download the metadata file. A message appears in the top right upon successful download of this file. Click X to dismiss the message.

    Applications page, clicking Configuration, and then Downloading the Metadata file

Upload the metadata configuration file in Onshape

  1. Sign in to your Onshape enterprise account, using your specialized domain name, as an administrator. Select Enterprise settings from your account.

    Going into My Account menu and clicking the Enterprise settings button

  2. Select Authentication from the left navigation menu.

    Seleting Authentication from the left side navigation menu

  3. In the Single sign-on (SSO) subsection, click the Configure SSO provider button.

    Clicking the Configure SSO provider under the Single sign on (SSO) settings

  4. The Create SSO provider dialog opens. In the Name field, enter name, such as PingOne Identity. In the Provider type drop-down, select PingOne. Then click the Upload configuration file button.

    Entering a Name, selecting a Provider type, and clicking the Upload Configuration file button in the Create SSO Provider page

  5. Locate and select the metadata configuration file you downloaded previously, and click Open.

    Opening the previously downloaded XLM metadata file

  6. Click OK.

    Finalizing the creation of the SSO Provider by clicking OK

  7. The file is uploaded. A notification appears when the upload is completed.

    Notification showing the SSO Configuration file was successfully uploaded

  8. You can disable the typical Onshape password sign-in for your users and show only the SSO provider sign-in prompt for the Onshape URL. However, do not perform this step at this time. Make sure you can sign in to Onshape yourself (as administrator) before disabling this additional sign-in option. You can return here later, once you verify you can sign in through your SSO provider.

    Choosing to enforce signing in to Onshape via SSO also results in users not being able to sign in to non-enterprise domains directly, such as cad.onshape.com.

  9. Sign out of both your Onshape and PingOne accounts. Be sure to do a hard refresh of both accounts. When you reach the Onshape sign-in page once again, the page has a new Sign in link at the bottom, for your Single sign-on provider.

    Onshape sign in page with the new SSO Sign in with Ping button