在开始整合过程之前,您必须已经申请并核准了 Onshape Enterprise 帐户或试用版,并且拥有 Onshape Enterprise 域名。

Enterprise 域名的一个例子可能是:MyCompanyName.onshape.com。

请注意,您一次只能使用一个 SSO 提供程序。

This configuration process might fail without parameter values customized for your organization. Use your custom SSO identity provider (for example: Okta, PingOne, or ClassLink) dashboard to add Onshape as an application and record the values that are specific for your organization. You need those values for the following procedure.

Onshape 签署所有发出的 SAML 认证申请。您无需上传任何证书(例如,SAML 签名证书),ADFS 集成除外,因为 ADFS 会验证传入的 SAML 请求。请注意,Microsoft 还建议从最新版本的 ADFS 迁移到微软 Entra ID。有关更多信息,请参阅 ADFS 概述

将 Onshape 添加到您的自定义单点登录帐户

每个身份提供程序 (IdP) 都有自己的专有设置过程。请查看身份提供程序的单点登录设置说明,以了解要遵循的确切过程。此部分中的说明仅用作一般准则。

Onshape 仅支持 SAML HTTP-POST 绑定。
Onshape 无法将其 SAML 配置表示为元数据 XML 文件。

在您的身份提供程序控制台中,通过以下配置创建一种新的信任关系(有时称为“信赖方”):

  1. 断言使用者服务 (ACS) URL:https://cad.onshape.com/identity/saml2/sso

  2. 实体 ID:com.onshape.saml2.sp

  3. 断言主体的 NameId 值。这是 SAML 断言所对应的用户的电子邮件地址。

  4. Onshape 要求提供的三个 SAML 断言属性(有时称为“声明”):

    • firstName - 断言主体的名字。

    • lastName - 断言主体的姓氏。

    • companyName - 断言主体的公司。在大多数情况下,公司名称与企业的域前缀相同。例如,如果您的 Onshape 企业名称为 fishbowl.onshape.com,请在此输入框中输入 fishbowl

  5. 找到 SAML IdP 元数据 XML 文件并将其复制到剪贴板。您在操作过程中稍后将需要此文件。

  6. 让新的信任关系可供您希望将 Onshape SSO 访问权限提供给的所有用户使用。

Configure the SSO Provider in Onshape

Once Onshape is configured in the identity provider and you have downloaded the identity provider's metadata file (referred to in Onshape as the configuration file), the SSO provider can be configured in Onshape.

The example images below shows a generic identity provider being configured, but the steps are the same for all identity providers.

  1. Sign in to your Onshape Enterprise account, using your specialized domain name, as an administrator. Select Enterprise settings from your account:

    进入“我的帐户”菜单,然后单击“企业设置”按钮

  2. Select Authentication from the left navigation menu:

    从左侧导航菜单中选择“身份验证”

  3. In the Single sign-on (SSO) subsection, click the Configure SSO provider button:

    在单点登录 (SSO) 设置下单击“配置 SSO 提供程序”

  4. The Create SSO provider dialog opens:

    创建 SSO 提供程序对话框

    1. In the Name field, enter name, such as Custom SSO

    2. In the Provider type dropdown, select your SSO provider from the list.

    3. Leave Enable SSO provider checked.

    4. Leave Disable Onshape password sign in unchecked for the moment.

      Disable Onshape password sign in disables the typical Onshape password sign in for you and your users. Only the SSO provider sign in prompt is displayed for the Onshape URL. Before checking this option, ensure you can sign in to Onshape yourself (as administrator). You can return here later and enable it once sign in through your SSO provider is verified to work correctly.

      选择通过 SSO 强制登录到 Onshape 还会导致用户无法直接登录到非企业域,例如 cad.onshape.com。

    5. Click the Upload configuration file button:

  5. Locate and select the metadata configuration file you downloaded previously, and click Open:

    打开之前下载的 XML 元数据文件

  6. Click OK:

    单击“确定”来完成 SSO 提供程序的创建

  7. The file is uploaded. A notification appears when the upload is completed:

    显示已成功上传 SSO 配置文件的通知

  8. Sign out of both your Onshape and SSO provider accounts. Be sure to do a hard refresh of both accounts. When you reach the Onshape sign-in page once again, the page has a new Sign in link at the bottom, for your SSO provider.

    Onshape 登录屏幕

要登录到 Onshape,管理员必须(在其单点登录帐户中)将其用户配置为使用 Onshape 应用程序。