Autodesk Single Sign-On (SSO)

As of Monday, May 8, 2023, all active Autodesk Subscription customers are eligible to enable Single Sign-On which uses Windows log-in credentials to authenticate Autodesk users' access to their account and to their assigned software.  Autodesk has a detailed guide (link below) on the set up and testing process to enable SSO.  It is our recommendation that customers pass along this guide to their network administrators to see if this is a feature that can be enabled. We also highly recommend that your network administrator test out SSO for a group of users before turning on that option for all Autodesk users. Once SSO is turned on for the entire user list, Autodesk would have to turn off that option in their system so that users go back to the regular Autodesk Sign-In experience. If your team has trouble with the SSO setup process, Autodesk Contract administrators can log a support ticket with Autodesk Support at https://www.autodesk.com/support/contact-support. Choose the Post-Purchase Support\Sign-in & Profile selections to see the Single Sign-On option.

The following Configuration Guide contains the procedures for setting up Autodesk SSO with the following Identity Providers:

https://help.autodesk.com/view/SSOGUIDE/ENU/?guid=SSOGUIDE_Okta_Guide_About_Single_Sign_on_SSO_Set_up_your_connection_html 

• Active Directory Federation Service (ADFS)
• Microsoft Azure
• Okta
• OneLogin
• PingOne
• PingFederate

To begin the setup process, the Contract primary admin will need to assign a user to be the SSO Admin in the User Management\By User menu in the Autodesk Account portal. Select that intended admin user in the list, and choose the Change Role option to enable the SSO admin role for that user. The SSO admin will be able to configure the SSO Console and run the testing phase for Single Sign-On by going through these steps after logging into manage.autodesk.com.

1. In Autodesk Account, go to User management > By user or By Group.
2. Select your team from the drop-down list and click the Team Settings⚙️ icon in the upper right-hand corner.
3. Go to the section Enterprise access and select Manage SSO.
4. Select Manage SSO tab > Set up connection.
5. You will be asked to name your connection. Enter a name that will help you easily identify the connection between your identity provider and Autodesk. The name you choose can also help differentiate between connections. The name you choose must be unique and not in use by another team or organization.
6. Select your identity provider from the drop-down menu.

The following configuration directions are for Microsoft Azure from the Autodesk Configuration Guide:

This section explains how to set up your SSO connection using Azure as the identity provider, so that users can sign in to Autodesk with their organization’s email address. This connection uses SAML (Security Assertion Markup Language) to allow Autodesk to communicate with Azure to authenticate users. To enable this communication, you will need to add metadata from Azure to Autodesk and vice versa.

Set up SSO with Microsoft Azure

Register Autodesk SSO as a Gallery Application on Azure  

To set up SSO with Azure, you must register Autodesk SSO on the Azure Portal. 

1. Open the Azure Portal and sign in as an administrator. Under Manage Azure Active Directory, click View.
   
   
   Note:
   If Azure Active Directory is not visible, follow as shown below.
   -  Click More services from the bottom of the screen to search for Azure Active Directory.
   -  Or, in the filter search box, enter "Azure Active Directory", and select Azure Active Directory from the search results.
   
2. Click Enterprise applications.
   
3. Click + New application.
   
4. In the Browse Azure AD Gallery section, type Autodesk SSO in the search box, then select the Autodesk SSO application (SP) from the results panel.
   
   Note: This application is pre-configured with all the essential settings including the SAML attributes mapping. Refer to the manual configuration procedure in case of any issues with the Autodesk pre-configured template or to view/update the SAML mapping source.

5. In the Name box, specify an Application name and click Create.
   
6. Wait for the application to load. Once the Autodesk SSO application integration page displays, select Get started.
   
7. Select SAML as the sign-on method.
   

Add Azure metadata to Autodesk

This section covers how to get metadata from Azure that is needed to set up a SAML connection with Autodesk.

You can either choose:

• Automatic setup to download the metadata file from Azure and upload it to Autodesk (recommended),
• Manual setup to copy and paste the information manually.

For automatic setup (Recommended):

1. In the Basic SAML Configuration section, click edit to enter these dummy values:
   -  Reply URL: https://autodesk-prod.okta.com/sso/saml2/UNIQUE-ID (Replace “UNIQUE-ID” with any value.)
   -  Sign-On URL: https://profile.autodesk.com
   
2. Click Save to save the values and X to close the pop-up window.
   Note: This is important for downloading the correct metadata in the next step.
3. In the SAML Signing Certificate section, next to Federation Metadata XML, click Download.
   
4. Switch to Autodesk Account, select Upload to upload the federation metadata XML file downloaded from Azure. This will prefill the Entity ID, Sign-on URL and Identity provider certificate.
5. Confirm that the fields are filled in and click Next.

Note:
In case of time-out in Autodesk Account, go to Manage SSO > Set up Connection and continue setup.

For manual setup:

Note: Skip the manual setup steps if you chose automatic setup.

1. In Azure, go to section 3 - SAML Signing Certificate and click Download Certificate (Base64).
   
2. Go to section 4 - Set up AutodeskSSO and copy the Azure AD Identifier, Login URL, and App Federation Metadata URL.
   
   
3. Enter the information you copied from Azure into the corresponding fields and upload the certificate into Autodesk as shown in the table.

4. Confirm that the fields are filled in and click Next in Autodesk Account.

Note:
*Binding refers to the mechanism used to transmit authentication data between the identity provider and service provider (Autodesk). There are two binding methods: Post and Redirect.

The Post method is recommended, and is selected by default. This method transmits SAML messages within an HTML form using base64-encoded content. Because messages are encoded, it is more secure than the Redirect method, and is recommended as a security best practice.

The Redirect method transmits SAML messages encoded as HTTP URL parameters. The response is part of the URL and may be captured and exposed in various logs, making this method less secure than the Post method.

Add Autodesk metadata to Azure

This step allows your identity provider to connect back to Autodesk for user authentication.

You can select either:

• Automatic setup to download the Autodesk metadata file and upload it to Azure (Recommended)
• Manual setup to copy and paste the information manually.

For automatic setup (Recommended):

1. In Autodesk Account > Step 2 - Add Autodesk metadata and attributes, click Download to download the metadata file.
2. Switch to Azure portal, click Upload metadata file and select the Autodesk metadata file. This will prefill the Identifier and Reply URL.
3. Once the file is successfully uploaded, switch to Autodesk Account and click Next.

For manual setup:

Note:
Skip the manual setup steps if you have completed automatic setup.

1. In Autodesk Account, copy the Entity ID, Assertion Customer Service (ACS) URL, and Sign-on URL. Azure does not require the verification certificate so you can ignore this field.
   

2. Return to Azure portal.
3. Enter the information you copied from Autodesk and paste into Section 1- Basic SAML Configuration in Azure as shown in the table.
4. Click Save.

Map attributes

1. In Azure portal, Section 2 – User Attributes & Claims, make sure that the user attributes are mapped correctly according to the table.

2. After you confirm that the attributes are mapped correctly, return to Autodesk Account and click Next.

Note:
The attributes to map are case-sensitive and contain no spaces. Do not map additional attributes. For SSO, the backend does not store any other attributes you may have mapped. However, if you set up directory sync, additional attribute mapping will cause the sync to fail, and you will have to remove the additional attributes.

Test your connection

Note:
Before testing the connection, make sure you assign yourself access to the Autodesk SSO application that you created with your identity provider. Go to Assign a user account for more information.

1. Click Test Connection to be redirected to your organization’s SSO sign-in page. (If you are not redirected, see Troubleshooting).
   

2. Sign in to make sure that the connection between your identity provider and Autodesk is set up correctly. If the test is successful, you will see the message “Connection Test Result: Success” and a list of properties.
3. Confirm that the attributes have mapped correctly by comparing the Property and Value columns. The property “first name” should appear next to the user’s first name, “last name” should appear next to the user’s last name, and so on. If you need to make changes, return to the previous step (Mapping attributes) and re-map the attributes.
4. Once you have confirmed that attributes are mapped correctly, return to the Autodesk Account tab and click Next.

Link verified domains

1. You will see a list of your verified domains. Select one or more verified domains to link to your connection.
   
2. Click Save Connection to complete the setup.

Note:
If a domain is not verified, you can still save the connection and link it later in Manage SSO.

If you have not finished verifying domains, go to Add and verify domains to complete the process. Once you have finished linking domains, return to Manage SSO to test and turn on SSO.