Digital Identity Gateway

Overview

The Adobe Acrobat Sign Digital Identity Gateway allows organizations to select from a wide variety of pre-configured third-party digital identity providers (IDP) and leverage the type of identity verification that best suits their functional, security, or compliance needs. IDP services for user authentication, signer identity verification, and identity federation solutions utilize the standard OpenID Connect (OIDC) authentication protocol to integrate with Acrobat Sign. Depending on the IDP selected, the service may include:

  • Video identity verification
  • Electronic identity (eID) authentication
  • Identity document confirmation
  • Knowledge-based authentication (KBA)
  • Biometric identification, authentication

Many of the IDP services meet NIST 800-63A/B/C standards for multi-factor authentication solutions up to AAL3, identity verification options up to IAL3, as well as federation assertion up to FAL3. Some IDP services also meet up to ISO 29115 LoA4 and/or EU Regulation 910/2014 (eIDAS) up to LoA High.

All IDP services require a commercial contract and configuration with the provider prior to use along with ongoing monitoring to ensure that your organization maintains a sufficient volume of IDP service transactions for your use cases.

Procurement, consumption, and reporting of authentication transactions

Identity providers are not included in the Acrobat Sign licensing, and Adobe does not provide a commercial channel to procure identification services from the various IDPs that can be configured. 

It is incumbent upon the customer to acquire and maintain a sufficient volume of identity transactions with the IDP of their choice. 

The IDP will provide clear guidance on how transactions are consumed and billed and report consumption/availability directly to the customer. 

Recipient experience

Through the Acrobat Sign signature process, the customer is delivered a Review and Sign email like any other agreement.

When the recipient selects the Review and sign button to open the agreement, they are presented with an information dialogue indicating that identity verification is required to access the document. Depending on the configured settings, the customer will see:

  • A high-level summary of the verification process.
  • The name and logo of the IDP that performs the identity verification.
  • An email and phone number to contact the IDP's Support if there is an issue with the verification process.
  • The email address of the Acrobat Sign user that sent the agreement, in case the recipient needs to contact them.
  • A statement that the recipient's identity data will be stored in the Signer Identity Report (if the Sender's account is configured to do so).
  • A warning message about the number of remaining verification attempts available to the recipient before the agreement is canceled. This message appears only after the recipient has tried the identification process and failed.
  • The Verify Identity button triggers the verification process by opening a pop-up screen and handing the process over to the IDP.
    • The recipient's experience of the verification process and the type of verification to be done are dependent on the identity provider the Sender selected.

Once the verification process is completed successfully, the recipient is returned to the Acrobat Sign window, and the agreement is presented to their attention.

Recipient authentication message

Sender experience

Choosing the Identity Provider when composing a new agreement

When one or more IDPs are configured and enabled for the Sender’s account or group, users will see the option to select the IDP in the drop-down menu that contains all the authentication methods available to the recipient. Enabled IDPs will be listed under the Digital Identity Gateway section. If no IDPs are enabled, then the Digital Identity Gateway section will not be present, and the user will not see any IDPs.

Mousing over an IDP in the menu list shows a tooltip that provides a short description of the IDP service.

Select the authentication method

Updating the IDP after the agreement is sent

If a user needs to update the authentication to select a different IDP (or any other authentication method), the user can use the same process to edit the authentication method.

The user is not constrained to select another IDP from the Digital Identity Gateway. Any other enabled authentication method may be selected.

Edit Authentication method

Audit Report

The audit report clearly indicates that the recipient was verified by an Identity Provider from the Digital Identity Gateway and specifies which IDP was involved and a description of their service:

Audit report

Signer Identity Report (SIR)

By default, Acrobat Sign does not retain the identity information returned by the IDP. However, account and group administrators can enable the option to save the identity information on Acrobat Sign servers.

Additionally, admins can configure, at the account and group level, the option for users to download the Identity Report on the Manage page from the list of available actions.

Download the SIR on the Manage page

The Signer Identity Report contains all of the identity information returned by the IDP when the identity verification transaction succeeds, as well as relevant data when a transaction fails. Content varies depending on the vendor and authentication method. Common data includes:

  • Reference ID: A unique identifier of the transaction that occurred at the IDP end. Useful for Support requests as well as forensic analysis.
  • sub (Subject Identifier): Provides a unique identifier for the recipient in the context of the IDP system.
  • ID Token Raw value: Provides an assertion signed by the IDP containing the result of the identification process. Proof that the identity was verified in the context of the current transaction.
Download the SIR on the Manage page

For more information on the Signer Identity Report, consult this page > 

Configuration access to use IDPs as identity verification

Enable the authentication method under the Digital Identity tab in the admin menu.

There are three high-level settings in this view, with the full list of available IDPs populating at the bottom of the page.

  • Digital Identity Gateway - This setting is the gate that allows access to digital identity services.
    • Allow signers X attempts to validate their signature before canceling the agreement - Any recipient that violates the maximum number of attempts to validate their identity cancels the agreement automatically.
      • The maximum number of attempts is ten
      • Understand the nature of your IDP's transaction consumption policy when setting this value. Some vendors charge per attempt.
    • Store verified identity data to allow Signer Identity Reports
      •  When enabled, the identity verification information is stored on Acrobat Sign servers and can be retrieved using the SIR.
      • When disabled, the identity information is not stored on the Acrobat Sign servers.
      • Data collection starts as soon as the setting is enabled and saved. Likewise, data collection stops as soon as the setting is disabled and saved.
      • Data that is not collected at the time the recipient is vetted cannot be gathered at a later time.
Digital Identity Gateway

When the Digital Identity Gateway is enabled, the identity authentication method for internal recipients via the Digital Identity Gateway is enabled also. This option may not be disabled while the Digital Identity Gateway is enabled.

Internal recipient configuration

Бележка:

It is not possible to configure different IDPs for external and internal recipients. All options available in the Digital Identity interface are available for both types of recipients.

Related controls

There are two additional settings to review if you intend to allow users to download the Signer Identity Report:

If you would like users to be able to download the SIR, you must explicitly enable their access at the account or group level.

  1. Navigate to Account Settings > Send Settings > Signer Identification Options.
  2. Enable Allow Senders to download a Signer Identity Report for agreements containing Verified Signatures.
  3. Save the page configuration.
DIG - Signer accessability

Бележка:

This setting enables the SIR for Digital Identity providers.

It is not the same setting that Government ID uses.

When downloading an identity report, the user must password protect the PDF.

Set the strength policy for the PDF password per your company policy for confidential PII documentation.

  1. Navigate to Account Settings > Security Settings > Document Password Strength
  2. Set the appropriate complexity.
  3. Save the page configuration.
DIG Document password strength

Configuring the individual IDPs

At the bottom of the Digital Identity page are the IDP "cards." Each card represents one or more authentication methods from the IDP.

To enable an IDP card, click the gear icon:

Configure the IDP card

Бележка:

The Adobe Okta IDP is used in this documentation for example purposes only. Customers do not have access to this IDP.

One IDP can be configured at the account and/or group level, depending on your needs. The interface changes slightly to provide context about the inheriting status of the group level setting:

At the account level, the interface only requires the Enable this service for verification checkbox to be enabled:

Account level IDP configuration

If the Enable this service for verification checkbox is unchecked and the line is greyed out when viewing an IDP configuration at the group level, the account level IDP service is unconfigured.

The group-level configuration can be enabled by checking the Override account settings with group level configuration checkbox.

Group level configuraiton - IDP is not configured at the account level

If the Enable this service for verification checkbox is unchecked when viewing an IDP configuration at the group level, the account level IDP service is configured.

The group-level configuration can be enabled and defined with group-specific parameters by checking the Override account settings with group level configuration checkbox.

Group level configuration - Same IDP configured at the account level

When the  Enable this service for verification and Override account settings with group level configuration checkboxes are checked, the IDP service is configured explicitly for the group.

Group level configuration - Overriding the account leve configuraiton

 

The IDP configuration requirements depend on the authentication method the IDP uses:

Basic Authentication requires two elements that your IDP will provide to you:

  • The Client ID
  • The Client Secret

Save the configuration when done.

Basic Authentication

Private Key JWT requires three elements that will be provided to you by your IDP:

  • The Client ID
  • The signing certificate (in .p12 or .pfx format).
  • The password used to secure the signing certificate.

Save the configuration when done.

Private key JWT

Client Secret Post Authentication requires two elements that your IDP will provide to you:

  • The Client ID
  • The Client Secret

Save the configuration when done.

Client Secret Post Auth

Client Secret JWT Authentication requires two elements that your IDP will provide to you:

  • The Client ID
  • The Client Secret

Save the configuration when done.

Client Secret JWT Auth

Disable/Enable a configured IDP

The IdP service can be disabled without deleting the configuration information on the IDP card by pressing the checkbox icon in the upper left corner and saving the page configuration. Disabling an IDP service this way preserves the configuration information in the event that you need to re-enable the IDP at a later time.

Disabling an IDP service this way does not produce a challenge since information is lost, and the service can quickly be re-enabled by pressing the checkbox again and saving the page configuration.

Disable-Enable the IDP card

Deleting the IDP configuration

An IdP configuration can be deleted directly from the Digital Identity panel by pressing the trashcan icon on the IdP card.

A dialog will challenge the administrator to confirm that the configuration should be deleted.

This dialog also warns about the impact on recipients that have not yet completed their authentication with the IDP.

If the IDP configuration is deleted or the service is disabled, an error will be shown to the recipient when they try to verify their identity.

Deletion challenge

Things to know

If the IDP service is disabled for any reason when a recipient attempts to verify their identity, an error is produced that provides a basic message that the service is disabled and instruction to contact the agreement sender. The sender's email address is provided.

Senders that are notified of a problem with the IDP service may need to change the authentication method to a new IDP or some other acceptable method.

Disabled service error