Provisioning Docusign with PingOne

Docusign is a cloud-based service for electronic signatures and managing agreements. By using the Docusign connection in PingOne, you can provision users and groups between your Docusign account and PingOne, ensuring seamless access control and identity management.

Provisioning capabilities

The following table summarizes the inbound and outbound provisioning capabilities for each resource type:

Resource Capability Description Inbound Outbound

Resource	Capability	Description	Inbound	Outbound
User	Create	Generates a new user record in the destination.	Yes	Yes
Read	Retrieves or polls user attributes for synchronization.	Yes	Yes
Update	Modifies existing attributes, such as `job title`.	Yes	Yes
Delete	Deletes a user or temporarily suspends an account.	Yes	Yes
Group	Create	Provisions a new group in the target application.	No	Yes
Rename	Updates the display name or identifier of an existing group.	No	Yes
Delete	Removes a group from the target application.	No	Yes
Membership	Add and remove	Adds or removes users from groups.	No	Yes

User

Create

Generates a new user record in the destination.

Yes

Read

Retrieves or polls user attributes for synchronization.

Yes

Update

Modifies existing attributes, such as job title.

Yes

Delete

Deletes a user or temporarily suspends an account.

Yes

Group

Create

Provisions a new group in the target application.

Yes

Rename

Updates the display name or identifier of an existing group.

Yes

Delete

Removes a group from the target application.

Yes

Membership

Add and remove

Adds or removes users from groups.

Yes

Before you begin

Make sure that you have:

A Docusign administrative account. Learn more in Existing Docusign Customer in the Docusign documentation.
The following from your Docusign account for OAuth authentication:
- Client ID
- Client Secret
- Refresh Token
- Token Endpoint
Users assigned to a specific population or group in PingOne designated for DocSign provisioning. Learn more in Adding a user and Managing groups.

Steps

Create a Docusign connection:

In the PingOne admin console, go to Integrations > Provisioning.
Click and then click New Connection.
Click Select for Identity Store.
Click Select for the Docusign connection, and click Next.
Enter a Name and Description for this provisioning connection.
Click Next.

In the Configure Authentication section, enter the following configurations that apply to your Docusign account:

Service URI: Enter the base URL for the Docusign API endpoint, for example, https://demo.docusign.net.

Authentication Method: Select OAUTH and enter the following:

Configuration Example

Configuration	Example
Account	`12345678-90ab-cdef-1234-567890abcdef`
Client ID	`9f3b2c1d-4e5f-6789-abcd-1234567890ef`
Client Secret	`7y3b2c8e-4e5f-6776-rtyu-1564525790df`
Token Endpoint	`https://account-d.docusign.com/oauth/token`
Grant Type	`refresh_token`
Refresh Token	`bcX7LM_-aQMAAAAAAAAAAGh3kTQPLmNZ933_wEr8JkLm4pQz7yHtYU-VbNQ-DtKp`

Account

12345678-90ab-cdef-1234-567890abcdef

Client ID

9f3b2c1d-4e5f-6789-abcd-1234567890ef

Client Secret

7y3b2c8e-4e5f-6776-rtyu-1564525790df

Token Endpoint

https://account-d.docusign.com/oauth/token

Grant Type

refresh_token

Refresh Token

bcX7LM_-aQMAAAAAAAAAAGh3kTQPLmNZ933_wEr8JkLm4pQz7yHtYU-VbNQ-DtKp

Click Test Connection to verify that PingOne can establish a connection to the Docusign.

Result:

If there are any issues with the connection, a Test Connection Failed modal opens. Click Continue to resume the setup with an invalid connection.

You can’t use the connection for provisioning until you’ve established a valid connection to Docusign. If the connection fails, click Cancel in the Test Connection Failed modal, verify that you have entered the configuration details in step g correctly, and try again.

Click Next.

In the User Actions section, enter the following as needed:

Field

Description

Enable users creation

Creates a user in the target identity store when the user is created in the source identity store.

Enable users updation

Updates user attributes in the target identity store when the user is updated in the source identity store.

If Enable users updation is selected, you can choose to select Enable users disable, which disables a user in the target identity store when the user is disabled in the source identity store.

Enable users deprovision

Deprovisions a user in the target identity store when the user is deprovisioned in the source identity store. If Enable users deprovision is selected, the following options appear:

Remove Action: Removes or disables a user in the target identity store when the user is deleted in the source identity store. Select Delete or Disable.

Remove Action is only available if you select Enable users disable.
Deprovision on rule deletion: Deprovisions users if the associated provisioning rule is deleted.

Click Save.
To enable the connection, click the toggle at the top of the details panel to the right (blue).

You can disable the connection by clicking the toggle to the left (gray).

Create an inbound or outbound rule and select the existing Docusign connection as the target or source. You can optionally add attribute mappings.

Directly mapping the PingOne Enabled attribute Boolean to the Docusign userStatus attribute String causes a schema error. To prevent this, PingOne provides a default, optional attribute mapping that uses a Spring Expression Language (SpEL) expression to convert the values, such as mapping true to Active.

For Box, Docusign, and Dropbox inbound rules, enabling the Sync Only Active Users configuration in the Onboarding Settings panel triggers an immediate full resync. Any users currently in PingOne who were previously provisioned by this specific rule, but don’t have an Active status, will be deleted from PingOne.

Validation

Confirm users and groups are successfully provisioned to Docusign. View the sync status to review synchronization results and any errors. You can find examples in Outbound provisioning sync summary examples.

Docusign directory attributes

The following table lists common Docusign attributes that can be mapped for user provisioning:

Attribute Description

Attribute	Description
`userName`	The unique identifier or username for the user.
`email`	The user’s primary email address.
`firstName`	The user’s first name.
`lastName`	The user’s last name.
`jobTitle`	The professional title assigned to the user.

userName

The unique identifier or username for the user.

email

The user’s primary email address.

firstName

The user’s first name.

lastName

The user’s last name.

jobTitle

The professional title assigned to the user.

Docusign provisioning known limitations

The following limitations apply to the Docusign provisioning:

Docusign doesn’t support disabling Docusign user accounts.
Currently, user filtering isn’t supported for inbound rules. All users from the source Docusign instance will be provisioned to PingOne.
For inbound provisioning, data updates once a day. The sync occurs daily at the time the initial full-sync completed. Manual syncs don’t change this schedule. Changes in the source appear in PingOne after the daily update.
Using both inbound and outbound sync rules for the same application can cause issues, such as duplicate users, because the rules operate independently.