The below document pertains to customer accounts that manage their user licensing in the Adobe Admin Console.
Accounts that authenticate to Adobe Acrobat Sign directly must configure their IdP to permit this type of Single Sign-On.
Introduction
When administrators manage their Adobe Acrobat Sign user licenses within the Adobe Admin Console, they have the option to create end-user accounts with different identity requirements, including Federated ID (i.e. SSO / SAML): https://helpx.adobe.com/enterprise/using/identity.html
These Federated ID end users may already have an authenticated session with the organization's identity provider (IdP) before signing in to Acrobat Sign. For example, the user may have already authenticated with the IdP when logging into the organization's intranet page or a Microsoft service. In this case, the administrator may not want to require the end-user to authenticate again when accessing Acrobat Sign. To meet this goal, the administrator may create a URL with a unique URL parameter, so that Acrobat Sign can verify that the Federated ID end user is already authenticated to the organization's IdP, and therefore does not need to authenticate again. The administrator may then wish to publish this URL internally (for example, on an intranet page).
Prerequisites
- The Adobe Acrobat Sign account must be managed in the Adobe Admin Console
- The Admin must have enabled Federated ID by creating a directory and claiming a domain within the Admin Console. https://helpx.adobe.com/enterprise/using/set-up-identity.html
- The end-user must have a Federated ID account. (This workflow is not relevant for end-users with an Adobe ID, Business ID, or Enterprise ID.) https://helpx.adobe.com/enterprise/using/identity.html
- The end-user must already be entitled to Acrobat Sign within the Adobe Admin Console. (This workflow will not enable an end-user to be "auto-entitled".)
URL parameters
Construct a unique URL consisting of the following:
- A primary Acrobat Sign login URL of "https://secure.adobesign.com/public/adobeLogin"
- A suffix of "?dcid="
- A secondary suffix of "@domain.com". For example, "@acme.com"
Therefore, the entire URL will be similar to:
- https://secure.adobesign.com/public/adobeLogin?dcid=@acme.com
If the end-user meets the prerequisites above, and if the end-user is already authenticated with the company's IdP, then the end-user will be authenticated to Acrobat Sign and brought to the application homepage.
If the end-user is not already authenticated with the company's IdP, the end-user will likely be brought to the company's IdP login page, where they will be required to authenticate before being brought to the Acrobat Sign web application homepage.
