Learn how to enable DocuSign sign on from a PingFederate URL (IdP-initiated sign on) and direct DocuSign sign on using PingFederate (SP-initiated sign on).
- Configure PingFederate to authenticate against an IdP or datastore containing the users requiring application access.
- Make sure DocuSign has a valid domain, an organisation created, and is populated with at least one user to test access.
- You must have administrative access to PingFederate and DocuSign.
Create a PingFederate SP Connection for
- Sign on to PingFederate administration console.
Create an SP connection for DocuSign in PingFederate:
You will update this value later.
- Configure using Browser SSO profile SAML 2.0.
- Set Partner’s Entity ID to Placeholder.
You will update the placeholder value later.
- Enable the following SAML Profiles:
- IdP-Initiated SSO
- SP-Initiated SSO
- In Assertion Creation: Attribute Contract, extend the contract to add attributes named SAML_NAME_FORMAT, surname, givenname and emailaddress.
- In Assertion Creation: Authentication Source Mapping: Attribute Contract Fulfillment, map SAML_SUBJECT, surname, givenname and emailaddress and map SAML_NAME_FORMAT to urn:oasis:names:tc:SAML:2.0:nameid-format:persistent.
- In Protocol Settings: Assertion Consumer Service URL, set binding to POST, and set Endpoint URL to http://placeholder.
- In Protocol Settings: Allowable SAML Bindings, enable POST.
- In Credentials: Digital Signature Settings, select the PingFederate signing certificate.
- Save the configuration.
- Export the signing certificate.
Export and then open the metadata file, and copy the value of:
- the entityID
- the Location entry (https://<your value>/idp/SSO.saml2)
Add the PingFederate connection to
- Sign on to your DocuSign domain as an administrator.
In the left navigation pane, select Identity Providers, and then click Add Identity
Configure the following fields.
A name for the identity provider.
Identity Provider Issuer
Enter the Issuer value from PingID.
Identity Provider Login URL
https://sso.connect.pingidentity.com/sso/idp/SSO.saml2?idpid=<The PingOne IdP ID value>
Send AuthN Request by
Select Send Logout Request by
In the Custom Attribute Mapping section, click Add New Mapping, and then:
- In the Field list, select surname, then enter surname in the Attribute field.
- In the Field list, select givenname, then enter givenname in the Attribute field.
- In the Field list, select emailaddress, then enter emailaddress in the Attribute field.
- Click Save.
Click Add New Certificate.
Click Add Certificate.
- Select the signing certificate that you downloaded from PingFederate. Click Save.
In the Actions list for the identity provider that you created, select Endpoints.
Copy the Service Provider Issuer URL and Service Provider Assertion Consumer Service
The DocuSign connection configuration is complete.
Note: After testing, you can set the domain to require IP authentication to remove the DocuSign sign-on screen.
Update the EntityID and ACS URL values in PingFederate:
- Sign on to the PingFederate administrative console.
- Edit the SP connection for DocuSign.
- Set Partner’s Entity ID to the DocuSign Service Provider Issuer URL value.
- Set Assertion Consumer Service URL Endpoint URL to the DocuSign Service Provider Assertion Consumer Service URL value.
- Save the changes.
Test the PingFederate IdP-initiated SSO integration:
- Go to the PingFederate SSO application endpoint for the DocuSign SP connection.
Complete PingFederate authentication.
You're redirected to your DocuSign domain.
Test the PingFederate SP-initiated SSO integration:
- Go to https://account.docusign.com.
- Enter your email address.
- Click Use Company Login.
After you're redirected to PingFederate, enter your PingFederate username
After successful authentication, you're redirected back to DocuSign.