Overview
The Adobe Acrobat Sign Digital Identity Gateway allows organizations to select from a wide variety of pre-configured third-party digital identity providers (IDPs) and use the type of identity verification that best suits their functional, security, or compliance needs. IDP services for user authentication, signer identity verification, and identity federation integrate with Acrobat Sign over the standard OpenID Connect (OIDC) protocol. Depending on the IDP selected, the service may include:
- Video identity verification
- Electronic identity (eID) authentication
- Identity document confirmation
- Knowledge-based authentication (KBA)
- Biometric identification and authentication
Many IDP services meet NIST SP 800-63 requirements: identity proofing up to IAL3 (800-63A), multi-factor authentication up to AAL3 (800-63B), and federation assertions up to FAL3 (800-63C). Some IDP services also meet ISO/IEC 29115 LoA4 and/or EU Regulation 910/2014 (eIDAS) up to LoA High. The assurance level actually achieved depends on the IDP and on the verification method configured, so confirm it with the provider for each use case.
All IDP services require a commercial contract and configuration with the provider prior to use along with ongoing monitoring to ensure that your organization maintains a sufficient volume of IDP service transactions for your use cases.
Procurement, consumption, and reporting of authentication transactions
Identity providers are not included in the Acrobat Sign licensing, and Adobe does not provide a commercial channel to procure identification services from the various IDPs that can be configured.
It is incumbent upon the customer to acquire and maintain a sufficient volume of identity transactions with the IDP of their choice.
The IDP will provide clear guidance on how transactions are consumed and billed and report consumption/availability directly to the customer.
Recipient experience
Through the Acrobat Sign signature process, the recipient receives a Review and sign email like any other agreement.
When the recipient selects the Review and sign button to open the agreement, they are presented with an information dialogue indicating that identity verification is required to access the document. Depending on the configured settings, the recipient will see:
- A high-level summary of the verification process.
- The name and logo of the IDP that performs the identity verification.
- An email address and phone number for the IDP's Support, in case there is an issue with the verification process.
- The email address of the Acrobat Sign user that sent the agreement, in case the recipient needs to contact them.
- A statement that the recipient's identity data will be stored in the Signer Identity Report (if the Sender's account is configured to do so).
- A warning about the number of verification attempts remaining before the agreement is canceled. This message appears only after the recipient has attempted the identification process and failed.
Selecting the Verify Identity button starts the verification process by opening a pop-up window and handing the process over to the IDP.
The recipient's experience of the verification process, and the type of verification performed, depend on the identity provider the Sender selected.
Once the verification process is completed successfully, the recipient is returned to the Acrobat Sign window, and the agreement is presented to their attention.
Sender experience
Choosing the Identity Provider when composing a new agreement
When one or more IDPs are configured and enabled for the Sender’s account or group, users will see the option to select the IDP in the drop-down menu that contains all the authentication methods available to the recipient. Enabled IDPs will be listed under the Digital Identity Gateway section. If no IDPs are enabled, then the Digital Identity Gateway section will not be present, and the user will not see any IDPs.
Mousing over an IDP in the menu list shows a tooltip that provides a short description of the IDP service.
Updating the IDP after the agreement is sent
If a user needs to update the authentication to select a different IDP (or any other authentication method), the user can use the same process to edit the authentication method.
The user is not constrained to select another IDP from the Digital Identity Gateway. Any other enabled authentication method may be selected.
Audit Report
The audit report clearly indicates that the recipient was verified by an Identity Provider from the Digital Identity Gateway, and specifies which IDP was involved along with a description of its service.
Signer Identity Report (SIR)
By default, Acrobat Sign does not retain the identity information returned by the IDP. However, account and group administrators can enable the option to save the identity information on Acrobat Sign servers.
Additionally, admins can configure, at the account and group level, the option for users to download the Identity Report on the Manage page from the list of available actions.
The Signer Identity Report contains all of the identity information returned by the IDP when the identity verification transaction succeeds, as well as relevant data when a transaction fails. Content varies depending on the vendor and authentication method. Common data includes:
- Reference ID: A unique identifier of the transaction on the IDP's side. Useful for Support requests as well as forensic analysis, since it lets the IDP locate the same transaction in its own records.
- sub (Subject Identifier): A unique identifier for the recipient within the IDP's system. It is only unique per IDP (and, for IDPs that issue pairwise identifiers, per client), so it should not be used to correlate a person across different IDPs.
- ID Token Raw value: The signed OIDC ID Token issued by the IDP containing the result of the identification process. Because the IDP's signature covers the claims, it is proof that the identity was verified in the context of this specific transaction, provided the signature is checked against the IDP's published keys.
For more information on the Signer Identity Report, consult the Signer Identity Report page.
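As an added illustration of what the ID Token Raw value in a Signer Identity Report carries and how an analyst checks it, the following Python is example code written for this page; it is not part of Acrobat Sign or of any IDP's software. It mints a constructed sample token under a constructed HMAC key so that it runs offline. A real IDP token is normally RS256 or ES256 and must be verified against the IDP's published JWKS using the key named by the header's kid. The issuer, client ID, nonce and claim values are assumptions.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed sample key standing in for the IDP's signing key, so the example
# runs offline. Production ID tokens are normally RS256/ES256: verify them
# against the IDP's published JWKS, choosing the key named by the header "kid".
SAMPLE_IDP_KEY = b"constructed-sample-key-not-a-real-idp-secret"
SAMPLE_ISSUER = "https://idp.example.test"          # assumed issuer value
SAMPLE_CLIENT_ID = "acrobat-sign-sample-client"     # assumed client_id


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_sample_token(claims: dict, key: bytes, alg: str = "HS256") -> str:
    """Mint a constructed ID token. alg='none' yields an unsigned token, the
    shape an attacker submits hoping the verifier skips the signature check."""
    header = {"alg": alg, "typ": "JWT", "kid": "sample-key-1"}
    parts = [b64url(json.dumps(x, separators=(",", ":")).encode()) for x in (header, claims)]
    signing_input = ".".join(parts).encode()
    sig = b"" if alg == "none" else hmac.new(key, signing_input, hashlib.sha256).digest()
    return ".".join(parts) + "." + b64url(sig)


def validate_id_token(raw, key, issuer, client_id, nonce=None, now=None, skew=60):
    """Return a verdict dict: ok flag, list of problems, and the claims an
    analyst records next to the Reference ID (sub, acr, amr, auth_time, kid)."""
    problems = []
    try:
        h, p, s = raw.split(".")
        header = json.loads(b64url_decode(h))
        claims = json.loads(b64url_decode(p))
        sig = b64url_decode(s)
    except ValueError:
        return {"ok": False, "problems": ["malformed token"]}
    # 1. Signature: pin the expected algorithm; never let the token choose it.
    if header.get("alg") != "HS256":
        problems.append(f"unexpected alg {header.get('alg')!r}")
    else:
        expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, sig):
            problems.append("signature does not verify")
    # 2. Issuer and audience (OIDC Core 3.1.3.7).
    if claims.get("iss") != issuer:
        problems.append(f"issuer {claims.get('iss')!r} is not {issuer!r}")
    aud = claims.get("aud")
    aud = [aud] if isinstance(aud, str) else (aud or [])
    if client_id not in aud:
        problems.append("client_id not in aud")
    elif len(aud) > 1 and claims.get("azp") != client_id:
        problems.append("multiple audiences but azp is not this client")
    # 3. Lifetime, with a small clock-skew allowance.
    now = time.time() if now is None else now
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now > exp + skew:
        problems.append("token expired or exp missing")
    iat = claims.get("iat")
    if isinstance(iat, (int, float)) and iat > now + skew:
        problems.append("iat is in the future")
    # 4. Binding to this transaction: the nonce ties the token to the request that started it.
    if nonce is not None and claims.get("nonce") != nonce:
        problems.append("nonce mismatch")
    if not claims.get("sub"):
        problems.append("sub missing")
    return {"ok": not problems, "problems": problems, "kid": header.get("kid"),
            "sub": claims.get("sub"), "acr": claims.get("acr"),
            "amr": claims.get("amr"), "auth_time": claims.get("auth_time")}


# Constructed sample claims: the shape a SIR's "ID Token Raw value" decodes to.
SAMPLE_CLAIMS = {
    "iss": SAMPLE_ISSUER, "aud": SAMPLE_CLIENT_ID, "sub": "2f6c7e1d-sample-subject",
    "iat": 1_700_000_000, "exp": 1_700_000_300, "auth_time": 1_699_999_990,
    "nonce": "n-0S6_WzA2Mj", "acr": "urn:example:loa:high", "amr": ["face", "document"],
}
SAMPLE_ID_TOKEN = make_sample_token(SAMPLE_CLAIMS, SAMPLE_IDP_KEY)


if __name__ == "__main__":
    verdict = validate_id_token(SAMPLE_ID_TOKEN, SAMPLE_IDP_KEY, SAMPLE_ISSUER,
                                SAMPLE_CLIENT_ID, nonce="n-0S6_WzA2Mj", now=1_700_000_100)
    print(json.dumps(verdict, indent=2))
```

The order of checks matters less than the fact that none is skipped: a token with a valid signature but the wrong audience, or an expired one, is not evidence that this recipient was verified for this agreement. The acr and amr claims (assumed names here, both standard OIDC claims) are what tell an analyst which level and method of verification the IDP actually performed.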
Configuration access to use IDPs as identity verification
Enable the authentication method under the Digital Identity tab in the admin menu.
There are three high-level settings in this view, with the full list of available IDPs populating at the bottom of the page.
- Digital Identity Gateway - This setting is the gate that allows access to digital identity services.
- Allow signers X attempts to validate their signature before canceling the agreement - Once a recipient exceeds the configured number of identity verification attempts, the agreement is canceled automatically.
- The maximum configurable value is ten attempts.
- Understand your IDP's transaction consumption policy when setting this value. Some vendors charge per attempt, so every failed attempt a recipient is allowed may be a billed transaction.
- Store verified identity data to allow Signer Identity Reports
- When enabled, the identity verification information is stored on Acrobat Sign servers and can be retrieved using the SIR.
- When disabled, the identity information is not stored on the Acrobat Sign servers.
- Data collection starts as soon as the setting is enabled and saved. Likewise, data collection stops as soon as the setting is disabled and saved.
- Data that is not collected at the time the recipient is vetted cannot be gathered at a later time.
When the Digital Identity Gateway is enabled, the identity authentication method for internal recipients via the Digital Identity Gateway is enabled also. This option may not be disabled while the Digital Identity Gateway is enabled.
It is not possible to configure different IDPs for external and internal recipients. All options available in the Digital Identity interface are available for both types of recipients.
Related controls
There are two additional settings to review if you intend to allow users to download the Signer Identity Report:
Configuring the individual IDPs
At the bottom of the Digital Identity page are the IDP "cards." Each card represents one or more authentication methods from the IDP.
To enable an IDP card, click the gear icon.
The Adobe Okta IDP is used in this documentation for example purposes only. Customers do not have access to this IDP.
One IDP can be configured at the account and/or group level, depending on your needs. The interface changes slightly to provide context about the inheritance status of the group-level setting.
At the account level, the interface only requires the Enable this service for verification checkbox to be enabled.
If the Enable this service for verification checkbox is unchecked and the line is greyed out when viewing an IDP configuration at the group level, the account level IDP service is unconfigured.
The group-level configuration can be enabled by checking the Override account settings with group level configuration checkbox.
If the Enable this service for verification checkbox is unchecked when viewing an IDP configuration at the group level, the account level IDP service is configured.
The group-level configuration can be enabled and defined with group-specific parameters by checking the Override account settings with group level configuration checkbox.
When the Enable this service for verification and Override account settings with group level configuration checkboxes are checked, the IDP service is configured explicitly for the group.
The IDP configuration requirements depend on the client authentication method the IDP uses at its token endpoint. The four options correspond to the standard OIDC/OAuth 2.0 client authentication methods (client_secret_basic, private_key_jwt, client_secret_post, and client_secret_jwt):
Basic Authentication (client_secret_basic) requires two elements that your IDP will provide to you:
- The Client ID
- The Client Secret
Save the configuration when done.
Private Key JWT (private_key_jwt) requires three elements that will be provided to you by your IDP:
- The Client ID
- The signing certificate (in .p12 or .pfx format).
- The password used to secure the signing certificate.
Save the configuration when done. The IDP validates the signed assertion against the public key matching this certificate, so the .p12/.pfx file and its password are credentials and must be handled as secrets.
Client Secret Post Authentication (client_secret_post) requires two elements that your IDP will provide to you:
- The Client ID
- The Client Secret
Save the configuration when done.
Client Secret JWT Authentication (client_secret_jwt) requires two elements that your IDP will provide to you:
- The Client ID
- The Client Secret
Save the configuration when done.
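To make the four methods concrete, the following is added example code written for this page (not Adobe's and not any IDP's) showing what each method puts on the wire at the IDP's token endpoint, plus the IDP-side checks for the Basic and Client Secret JWT shapes. The client ID, client secret, token endpoint, authorization code and redirect URI are constructed placeholders. The private_key_jwt assertion has the same claims as the client_secret_jwt one but is signed with the private key from the .p12/.pfx file using RS256 or ES256, which needs an RSA/ECDSA library, so it is described in a comment rather than implemented.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import quote, unquote

# Constructed sample values standing in for what the IDP issues. None are real.
CLIENT_ID = "acrobat-sign-sample-client"
CLIENT_SECRET = "constructed-sample-secret/not+real"
TOKEN_ENDPOINT = "https://idp.example.test/oauth2/token"
JWT_BEARER = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def client_secret_basic(client_id, secret):
    """RFC 6749 2.3.1: form-urlencode both values, then base64 "id:secret"."""
    cred = f"{quote(client_id, safe='')}:{quote(secret, safe='')}".encode()
    return {"headers": {"Authorization": "Basic " + base64.b64encode(cred).decode()},
            "body": {}}


def parse_basic_header(value):
    """IDP side of client_secret_basic: decode, split on the first ':', un-escape."""
    scheme, _, blob = value.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic credential")
    client_id, _, secret = base64.b64decode(blob).decode().partition(":")
    return unquote(client_id), unquote(secret)


def client_secret_post(client_id, secret):
    """Same credential, carried in the form body instead of a header."""
    return {"headers": {}, "body": {"client_id": client_id, "client_secret": secret}}


def build_client_assertion(client_id, secret, token_endpoint, now=None, lifetime=60):
    """RFC 7523 / OIDC Core 9 assertion, HMAC-SHA256 keyed with the client secret.
    private_key_jwt carries the same claims but is signed (RS256/ES256) with the
    private key from the .p12/.pfx file and checked by the IDP against the
    matching public key; that needs an RSA/ECDSA library and is not shown."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": client_id, "sub": client_id, "aud": token_endpoint,
              "jti": secrets.token_urlsafe(16), "iat": now, "exp": now + lifetime}
    signing_input = ".".join(
        b64url(json.dumps(part, separators=(",", ":")).encode()) for part in (header, claims))
    sig = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def client_secret_jwt(client_id, secret, token_endpoint, now=None):
    return {"headers": {}, "body": {
        "client_id": client_id, "client_assertion_type": JWT_BEARER,
        "client_assertion": build_client_assertion(client_id, secret, token_endpoint, now)}}


def verify_client_assertion(assertion, secret, token_endpoint, seen_jti, now=None, skew=30):
    """IDP side of client_secret_jwt: signature, audience, lifetime and replay.
    Returns (ok, reason_or_client_id)."""
    try:
        h, p, s = assertion.split(".")
        header = json.loads(b64url_decode(h))
        claims = json.loads(b64url_decode(p))
        sig = b64url_decode(s)
    except ValueError:
        return False, "malformed"
    if header.get("alg") != "HS256":          # pin the algorithm; never accept alg=none
        return False, "unexpected alg"
    expected = hmac.new(secret.encode(), f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature"
    now = int(time.time()) if now is None else now
    if claims.get("aud") != token_endpoint:   # an assertion minted for another IDP is not valid here
        return False, "wrong audience"
    if claims.get("iss") != claims.get("sub"):
        return False, "iss/sub mismatch"
    if not isinstance(claims.get("exp"), int) or now > claims["exp"] + skew:
        return False, "expired"
    jti = claims.get("jti")
    if not jti or jti in seen_jti:            # one-time use within the assertion's lifetime
        return False, "replayed or missing jti"
    seen_jti.add(jti)
    return True, claims["iss"]


def token_request(method, code, redirect_uri, now=None):
    """Assemble the authorization-code token request for one of the methods."""
    builders = {
        "client_secret_basic": lambda: client_secret_basic(CLIENT_ID, CLIENT_SECRET),
        "client_secret_post": lambda: client_secret_post(CLIENT_ID, CLIENT_SECRET),
        "client_secret_jwt": lambda: client_secret_jwt(CLIENT_ID, CLIENT_SECRET, TOKEN_ENDPOINT, now),
    }
    auth = builders[method]()
    body = {"grant_type": "authorization_code", "code": code, "redirect_uri": redirect_uri}
    body.update(auth["body"])
    return {"url": TOKEN_ENDPOINT, "headers": auth["headers"], "body": body}
```

The two secret-based methods send the Client Secret itself on every token request, so the only thing protecting it is TLS to the IDP. The JWT methods send a short-lived, single-use assertion instead; the IDP-side check above shows why the audience and jti checks matter: without them an assertion captured from one IDP could be replayed at another, or replayed at the same one for as long as its exp allows.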
Disable/Enable a configured IDP
The IDP service can be disabled without deleting the configuration information on the IDP card by clearing the checkbox in the upper left corner of the card and saving the page configuration. Disabling an IDP service this way preserves the configuration information in case you need to re-enable the IDP at a later time.
Disabling an IDP service this way does not produce a confirmation challenge, since no information is lost, and the service can quickly be re-enabled by selecting the checkbox again and saving the page configuration.
Deleting the IDP configuration
An IDP configuration can be deleted directly from the Digital Identity panel by pressing the trashcan icon on the IDP card.
A dialog will challenge the administrator to confirm that the configuration should be deleted.
This dialog also warns about the impact on recipients that have not yet completed their authentication with the IDP.
If the IDP configuration is deleted or the service is disabled, an error will be shown to the recipient when they try to verify their identity.
Things to know
If the IDP service is disabled for any reason when a recipient attempts to verify their identity, an error is produced that provides a basic message that the service is disabled and instruction to contact the agreement sender. The sender's email address is provided.
Senders that are notified of a problem with the IDP service may need to change the authentication method to a new IDP or some other acceptable method.