Autodesk has now enabled Single Sign-On (SSO) for all users, you don’t longer need to have an Autodesk Premium Plan. Just as the name implies, with SSO you only need to sign in once in order to use all connect products. In this case, if you are signed on your company-owned device, then you don’t need to sign in anymore in Autodesk.
The advantage of SSO is that the user only needs to sign in once and doesn’t have to remember multiple passwords. This prevents the change of users writing passwords done, or using simple passwords. Another big advantage is that access is automatically revoked to Autodesk once a user is removed from the identity provider.
Table of Contents
In this article, we are going to configure Autodesk Single Sign-On in combination with Microsoft 365.
What you need to know
Before we can enable SSO for your Autodesk environment there are a couple of things you need to know. The most important one is that once you have enabled SSO, you can’t disable it anymore. The only way to revert it is by contacting Autodesk Support.
Autodesk supports multiple Identity provides for SSO:
- Microsoft Azure (For Microsoft 365 users)
- Google Cloud Identity
- Okta
- OneLogin
- PingOne
- PingFederate
- Active Directory Federation Service (ADFS)
We will focus on Microsoft Azure, but the principle will be pretty much the same for all providers because they all use the Security Assertion Markup Language (SAML) 2.0 protocol.
When you enable SSO in Autodesk, it will be effective immediately. This means that the users will need to re-authenticate when they open an Autodesk product. Instead of the Autodesk login, they will then see the login screen of your identity provider. So in the case of Microsoft 365, the user will see the Microsoft login screen.
So it’s important to test SSO with only a small group of users before you roll it out to all users in your Autodesk tenant.
Set up Autodesk Single Sign-On
Setting up the Single Sign-On for Autodesk requires a couple of steps. Make sure that you have admin permission in Autodesk and Microsoft Azure. We will also need to create a new DNS record in your public domain or upload an HTML file for verification.
Step 1 – Add and Verify Domains in Autodesk
The first step is to verify your company’s domain in Autodesk. We will need to prove that we are the owner and admin of the domain.
- Open manage.autodesk.com
- Click on User Management> By User
- Open the Settings by clicking on the gear icon
- Click on Manage SSO
- Click on Add and Verify domains
- Enter the domain name of your company. This has to be the domain name that is used in the email addresses.
Note
If you don’t see the option Manage SSO, then you don’t have the correct permission of the team. You will need to be the Primary Admin or SSO Admin of the team. Learn more about changing the admin roles in this Autodesk article.
After you have added the domain(s), you will see a list with your domain(s). We will now need to verify each domain. You can do this by either uploading an HTML verification file to the root directory of your domain (where your website is hosted). Or by adding a DNS TXT record.
- Click on Verify domain
- Download the HTML verification file (or create the DNS records)
- Click on Verify now
Tip
If a file verification fails, even though you uploaded correctly and can open the file by clicking on the link (point 3 in the verify domain popup), then just delete the domain from the Domains list and re-add it again.
Step 2 – Set up SSO Connection
With the domain verified we can now create the SSO connection. For this, we will need access to the identity provider, which is Microsoft Azure in this case.
- Click on Manage SSO > Set up connection
- Enter a name for the connection
- Select the Identity Provider Microsoft Azure
We now need to create SAML XML file in Microsoft Azure, which we then can upload in Autodesk.
- Open portal.azure.com
- Open the Azure Active Directory and choose Enterprise Applications
- Click on + New Application
- Search for Autodesk SSO
- Select the Autodesk SSO application
- Click Create
- Wait for the application to be created and click on Get started in 2. Set up single sign on
- Choose SAML
- Edit the basic SAML Configuration
- Click on Add Reply URL and enter:
https://autodesk-prod.okta.com/sso/saml2/UNIQUE-ID(Replace “UNIQUE-ID” with any value.) - Enter the following Sign on URL:
https://profile.autodesk.com - Click on Save and close the pop-up
- Scroll a bit down and download the Federation Metadata XML file
We have now created and downloaded the SAML XML file, which we will need to upload to Autodesk. Go back to the Autodesk portal:
- Click on Upload and upload the Autodesk SSO.xml file that we just have downloaded
- Scroll down and click on Next (twice)
We will now need to test the connection. To test it, you will need to sign in with a user account that also has an account in Autodesk.
During my test, I got the error Application with Identifier was not found in the directory. It seems that the unique id, that we added in the SAML configuration isn’t matched correctly. I fixed it by changing the unique ID for the Identifier and Reply URL in the SAML configuration to the one listed in the error:
After the test is completed you can link the domain(s) to the connection and click on Save connection. This will not enable SSO immediately.
Step 3 – Test SSO with a couple of users
Before you turn on the single sign-on, you should really test it with a couple of users. In the connection list, click on Test and turn on SSO. You will get a popup where you can add the test users first before you turn it on.
Click on Add test users and add the email address of one or more users that you want to test the SSO connection with.
Let the test users sign out of their Autodesk applications and sign in again to test if the connection is working. They should see the Microsoft 365 sign-in screen after they enter their email address. If the test users can access their Autodesk applications then you can Turn on SSO for all the users.
Note
Keep in mind that you will need to contact Autodesk support to turn off SSO
Step 4 – Turn on Single Sign On
If you have fully tested SSO then you can turn on SSO for all users. You will need to enable per domain. To turn on single sign-on, you will need to go back to the User Management > Settings page and click on Manage SSO.
Open the tab Manage SSO and click on Test and turn on SSO. Select Turn on SSO and check the box that you understand the risk. Click on Turn on SSO to enable it.
Autodesk Single Sign-On is now enabled for all your users.
Wrapping Up
It’s great that single sign-on is now available for all Autodesk users. It makes it easier to manage and protect accounts in Autodesk and users don’t have unique credentials anymore for Autodesk.
The unique ID and reply URL can give some trouble when setting up SSO with Azure. I ended up adding both reply URLs and the unique ID in the SAML configuration to get it working.
I hope you found this article useful, if you have any questions, just drop a comment below.
You had the same issue that I had with the “Application with Identifier was not found in the directory” However, when I changed the “Unique ID” in the Identifier and Reply URLs to match the “unique ID” that was in the error message, it still gave me the error with a different Unique ID. I tried to test it without re-uploading the .xml file first and then tried again with re-uploading the .xml file. Any ideas?
I ended up with a different UNIQUE Id for the Identifier and Reply URL. I also added two reply urls:
https://authn.autodesk.com/sso/saml2/
https://autodesk-prod.okta.com/sso/saml2/UNIQUE-ID
The last one just had UNIQUE-ID in the string.
It doesn’t make sense, but it works…
I ended up getting mine as well. I was missing the step to download the metadata from Autodesk and upload it to Azure AD. After I did that it worked!