
Configuring SAML SSO with DocuSign and PingOne for Enterprise

Learn how to enable DocuSign sign-on from the PingOne for Enterprise console (IdP-initiated sign-on) and direct DocuSign sign-on using PingOne for Enterprise (SP-initiated sign-on).

Before you begin

  • Link PingOne for Enterprise to an identity repository containing the users requiring application access.

  • Make sure DocuSign has a valid domain, an organization created, and is populated with at least one user to test access.

  • You must have administrative access to PingOne for Enterprise and DocuSign.

Copy PingOne values for the Supplied DocuSign Application

  1. Sign on to PingOne for Enterprise, go to Applications → Application Catalog, and search for DocuSign.

    Screen capture of the Application Catalog in PingOne for Enterprise with a completed search for DocuSign in the Search field. In the list of applications, the DocuSign 2.0 Production application name’s expand button is highlighted in red.
  2. Expand the DocuSign 2.0 - Production entry and click the Setup icon.

  3. Copy the Issuer and IdP ID values.

  4. Download the Signing Certificate.

    Screen capture of the SSO Instructions Signing Certificate field with the download button highlighted in red, and the IdP ID and Issuer configuration parameter fields highlighted in red.

Add the PingOne for Enterprise IdP Connection to DocuSign

  1. Sign on to your DocuSign Admin organization as an administrator.

  2. In the left navigation pane, select Identity Providers, and then click Add Identity Provider.

    Screen capture of the DocuSign Admin portal open to the Identity Providers window with the Add Identity Provider button highlighted in red.
  3. Configure the following fields:

    Field                          Value
    Name                           A name for the identity provider
    Identity Provider Issuer       The Issuer value from PingID
    Identity Provider Login URL    https://sso.connect.pingidentity.com/sso/idp/SSO.saml2?idpid=<PingOne for Enterprise IdP ID value>
    Send AuthN Request by          POST
    Send Logout Request by         POST

    Screen capture of the Add Identity Provider fields for SSO Protocol: SAML 2.0. The Name, Identity Provider Issuer, and Identity Provider Login URL fields are required.
  4. In the Custom Attribute Mapping section, click Add New Mapping, and then:

    • In the Field list, select surname, then enter surname in the Attribute field.

    • In the Field list, select givenname, then enter givenname in the Attribute field.

    • In the Field list, select emailaddress, then enter emailaddress in the Attribute field.

  5. Click Save.

  6. Click Add New Certificate.

    Screen capture of the PingOne for Enterprise identity provider with no current valid certificate. The Add New Certificate button is highlighted in red.
  7. Click Add Certificate.

    Screen capture of the Identity Provider Certificates field with the Add Certificate button highlighted in red.
  8. Select the signing certificate that you downloaded from PingOne for Enterprise. Click Save.

  9. In the Actions list for the IdP that you created, select Endpoints.

    Screen capture of the Identity Providers list with the PingOne for Enterprise identity provider Actions menu expanded. The Endpoints option is highlighted in red.
  10. Copy the Service Provider Issuer URL and Service Provider Assertion Consumer Service URL values.

    Screen capture of the Service Provider Issuer URL and Service Provider Assertion Consumer Service URL fields highlighted in red.

    The DocuSign connection configuration is complete.

    After testing, you can set the domain to require IP authentication to remove the DocuSign sign-on screen.

Complete the DocuSign setup in PingOne for Enterprise

  1. Continue editing the DocuSign entry in PingOne for Enterprise.

    If the session has timed out, complete the initial steps to the point of clicking Setup.

  2. Click Continue to Next Step.

  3. Set the ACS URL to the DocuSign Service Provider Assertion Consumer Service URL value.

  4. Set the Entity ID to the DocuSign Service Provider Issuer URL value.

    Screen capture of the Connection Configuration section with the ACS URL and Entity ID fields filled in.

    Replace each value in full. Do not just update the organization ID.

  5. Click Continue to Next Step.

  6. Map the required attributes to the corresponding attribute names in your environment.

    The corresponding attribute names might not be an exact match.

    Screen capture of the Attribute Mapping section with the Identity Bridge Attribute or Literal Value fields highlighted in red for the SAML_SUBJECT, emailaddress, givenname, and surname application attributes.
  7. On the SAML_SUBJECT line, click Advanced, and change the name format you’re sending to DocuSign to urn:oasis:names:tc:SAML:2.0:nameid-format:persistent.

  8. Click Continue to Next Step twice.

  9. Click Add for all user groups that should have access to DocuSign.

    Screen capture of the Group Access section with the list of user groups that should have access to the DocuSign application.
  10. Click Continue to Next Step.

  11. Click Finish.

    PingOne for Enterprise configuration is complete.

Test the PingOne for Enterprise IdP-initiated SSO integration

  1. Go to your Ping desktop as a user with DocuSign access.

    To find the Ping desktop URL in the Admin console, go to Setup → Dock → PingOne Dock URL.

  2. Complete the PingOne for Enterprise authentication.

    You’re redirected to your DocuSign domain.

    Screen capture of the DocuSign domain.

Test the PingOne for Enterprise SP-initiated SSO integration

  1. Go to https://account.docusign.com.

  2. Enter your email address.

  3. Click Use Company Login.

  4. When you’re redirected to PingOne for Enterprise, enter your PingOne username and password.

    Screen capture of the PingOne for Enterprise sign-on page.

    After successful authentication, you’re redirected back to DocuSign.

    Screen capture of the DocuSign domain.
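
A check you can run while testing, added here as an example (it is not part of the original guide or of either vendor's tooling): it compares a base64-decoded SAML assertion with the Issuer, Entity ID, ACS URL, persistent NameID format, and three mapped attributes configured above. The sample assertion and the example.test URLs are constructed placeholders, and the function name is hypothetical.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
REQUIRED_ATTRS = ("surname", "givenname", "emailaddress")

def check_assertion(xml_text, issuer, entity_id, acs_url):
    """Return a list of mismatches between an assertion and the guide's settings."""
    root = ET.fromstring(xml_text)  # diagnostic only: signature validation is out of scope
    a = root if root.tag.endswith("}Assertion") else root.find(".//saml:Assertion", NS)
    if a is None:
        return ["no Assertion element found"]
    problems = []
    if a.findtext("saml:Issuer", "", NS).strip() != issuer:
        problems.append("Issuer does not match the PingOne Issuer value")
    name_id = a.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != PERSISTENT:
        problems.append("NameID Format is not persistent")
    conf = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if conf is None or conf.get("Recipient") != acs_url:
        problems.append("Recipient does not match the ACS URL")
    audiences = [e.text.strip() for e in a.iterfind(".//saml:Audience", NS) if e.text]
    if entity_id not in audiences:
        problems.append("Audience does not contain the Entity ID")
    sent = set()
    for attr in a.iterfind("saml:AttributeStatement/saml:Attribute", NS):
        if any((v.text or "").strip() for v in attr.iterfind("saml:AttributeValue", NS)):
            sent.add(attr.get("Name"))
    problems += [f"attribute '{n}' missing or empty" for n in REQUIRED_ATTRS if n not in sent]
    return problems

# Constructed sample: wrong NameID format and no givenname attribute.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Issuer>https://idp.example.test/issuer</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jdoe@example.test</saml:NameID>
    <saml:SubjectConfirmation><saml:SubjectConfirmationData Recipient="https://sp.example.test/acs"/></saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions><saml:AudienceRestriction><saml:Audience>https://sp.example.test/issuer</saml:Audience></saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="surname"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="emailaddress"><saml:AttributeValue>jdoe@example.test</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    for p in check_assertion(SAMPLE, "https://idp.example.test/issuer",
                             "https://sp.example.test/issuer", "https://sp.example.test/acs"):
        print(p)
```

An empty list means the assertion carries every value the steps above configure. Run it only on responses captured from your own test sign-on.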