Learn how to enable DocuSign sign on from a PingFederate URL (IdP-initiated sign on) and direct DocuSign sign on using PingFederate (SP-initiated sign on).
- Configure PingFederate to authenticate against an IdP or datastore containing the users requiring application access.
- Make sure DocuSign has a valid domain, an organisation created, and is populated with at least one user to test access.
- You must have administrative access to PingFederate and DocuSign.
- Create a PingFederate SP Connection for DocuSign:
- Sign on to the PingFederate administration console.
- Create an SP connection for DocuSign in PingFederate:
- Configure using Browser SSO profile SAML 2.0.
- Set Partner’s Entity ID to Placeholder. You will update this value later.
- Enable the following SAML Profiles:
- IdP-Initiated SSO
- SP-Initiated SSO
- In Assertion Creation: Attribute Contract, extend the contract to add attributes named SAML_NAME_FORMAT, surname, givenname and emailaddress.
- In Assertion Creation: Authentication Source Mapping: Attribute Contract Fulfillment, map SAML_SUBJECT, surname, givenname and emailaddress and map SAML_NAME_FORMAT to urn:oasis:names:tc:SAML:2.0:nameid-format:persistent.
- In Protocol Settings: Assertion Consumer Service URL, set binding to POST, and set Endpoint URL to http://placeholder. You will update the placeholder value later.
- In Protocol Settings: Allowable SAML Bindings, enable POST.
- In Credentials: Digital Signature Settings, select the PingFederate signing certificate.
- Save the configuration.
- Export the signing certificate.
- Export and then open the metadata file, and copy the value of:
- the entityID
- the Location entry (https://<your value>/idp/SSO.saml2)
- Add the PingFederate connection to DocuSign:
- Sign on to your DocuSign domain as an administrator.
- In the left navigation pane, select Identity Providers, and then click Add Identity Provider.
- Configure the following fields.

| Field | Value |
| --- | --- |
| Name | A name for the identity provider. |
| Identity Provider Issuer | Enter the Issuer value from PingID. |
| Identity Provider Login URL | https://sso.connect.pingidentity.com/sso/idp/SSO.saml2?idpid=<The PingOne IdP ID value> |
| Send AuthN Request by | Click POST. |
| Select Send Logout Request by | Click POST. |

- In the Custom Attribute Mapping section, click Add New Mapping, and then:
- In the Field list, select surname, then enter surname in the Attribute field.
- In the Field list, select givenname, then enter givenname in the Attribute field.
- In the Field list, select emailaddress, then enter emailaddress in the Attribute field.
- Click Save.
- Click Add New Certificate.
- Click Add Certificate.
- Select the signing certificate that you downloaded from PingFederate. Click Save.
- In the Actions list for the identity provider that you created, select Endpoints.
- Copy the Service Provider Issuer URL and Service Provider Assertion Consumer Service URL values.
The DocuSign connection configuration is complete.
Note: After testing, you can set the domain to require IP authentication to remove the DocuSign sign-on screen.
- Update the EntityID and ACS URL values in PingFederate:
- Sign on to the PingFederate administrative console.
- Edit the SP connection for DocuSign.
- Set Partner’s Entity ID to the DocuSign Service Provider Issuer URL value.
- Set Assertion Consumer Service URL Endpoint URL to the DocuSign Service Provider Assertion Consumer Service URL value.
- Save the changes.
- Test the PingFederate IdP-initiated SSO integration:
- Go to the PingFederate SSO application endpoint for the DocuSign SP connection.
- Complete PingFederate authentication. You're redirected to your DocuSign domain.
- Test the PingFederate SP-initiated SSO integration:
- Go to https://account.docusign.com.
- Enter your email address.
- Click Use Company Login.
- After you're redirected to PingFederate, enter your PingFederate username and password. After successful authentication, you're redirected back to DocuSign.