Log in to Acrobat Sign as an account-level administrator.
Adobe Acrobat Sign Service Accounts
Service Accounts are a vehicle to enable users in an enterprise-level account to send agreements under the authority of a userID explicitly generated for that purpose (vs. using their personal userID).
For example, a Service Account can be created to send legal documents. The user's profile can be designed to provide a functional name and email address that identify the Legal department and not an individual sender. All users that need to send NDA agreements (for example) can switch to the Legal Service Account and send under that profile, affording the transaction a more consistent and authoritative look. Additionally, agreements of a specific nature can be limited to the Service Account's group, constraining all agreements of a functional type to that one user instead of being distributed throughout the user base.
Service Accounts are available to enterprise customers that have enabled advanced sharing and manage their accounts through the Adobe Admin Console.
The below process describes the use of Service Accounts accessed by users manually from the Acrobat Sign environment. Organizations that want to enable the API to send agreements on behalf of a centralized party should refer to the Technical Accounts for the API documentation.
Prerequisites
To enable a Service Account, your Acrobat Sign account must:
- Have enterprise tier ETLA service
- Manage users on the Adobe Admin Console*
- Have Advanced Account Sharing enabled with Sending permissions enabled.
- Users in Multiple Groups (strongly recommended).
* A note on the Adobe Admin Console
The Adobe Admin Console provides a framework for user management and license allocation. Most customers have only one Admin Console.
However, some customers with complex user/licensing requirements can have multiple Admin Consoles, which may become confusing in a process like Service Account creation, where one Admin Console may govern the federated user management, and another manages the Acrobat Sign licensing.
If you know you have multiple accounts or aren't sure, please read the below:
The difficulty with multiple Admin Consoles is ensuring that you are in the correct console for the actions you are trying to perform.
To determine if you have multiple Admin Consoles:
1. Log in to the Admin Console.
2. In the upper-right corner of the console, click on the organization name.
If you have a drop-down menu with multiple organizations, you have multiple Admin Consoles.
If you only have one Admin Console, user creation and licensing operations occur in the same organization, and you don't need to worry about switching between consoles.
If you have multiple Admin Consoles, take a moment to determine which organization manages federated user creation and which governs the Acrobat Sign license provisioning.
Companies with multiple Admin Consoles may deploy Acrobat Sign from more than one. You must identify the correct Admin Console where you want to establish the Service Account.
You should inspect each organization to determine which should contain the Service Account.
- Select the organization.
- Select Products from the top rail of options.
- Look for the Adobe Sign - Enterprise product card
For the purpose of this document, we will call this your Licensing Admin Console. This is the organization where your Service Account is created and managed.
Organizations that use federated user management must de-sync the federated solution to create the Service Account outside of the federated environment.
To do this, you must inspect each organization to find which one controls the domains that enable the federated trust relationship. Multiple Admin Consoles can Trust a domain, but only one actively controls it.
- Select the orgnaization
- Select Settings from the top rail of options.
- Select Identity from the left rail of options.
- If there are directories listed with the Type being Federated ID and the Status is Trusted, click the row the directory is on to expose the Owning Organization.
The Owning Organization is the correct Admin Console to manipulate your federated ID synchronization controls.
- An email is provided for the console admin if you do not currently have access.
If the Type is Federated ID and the Status is Active, click the Name of the directory to open the directory settings.
On the settings page, select the Sync tab, which opens the IDP sync information.
For the purpose of this document, we will call this your Federated Sync Admin Console.
If you do not see a Sync tab, your account may have a Global Admin Console that you do not have access to.
You will need to contact your internal Adobe administrators to gain access.
Organizations that
- utilize the User Sync Tool (UST) to automatically sync users between Adobe and their Active Directory
- do not allow users to be manually added or created in Acrobat Sign
must create an "exception" group for all Service Account userIDs. All Service Account userIDs must be created in this exempt group to ensure they are not deactivated and do not have their license removed by the automatic user sync.
The exception group must be configured as exempt from the sync within the UST configuration.
In cases where Adobe hosts the UST on behalf of the customer's organization, the customer admin must communicate the Group Name to their Success Manager, Technical Account Manager, or account representative so they can work with the Adobe Customer Solutions team to ensure this group is exempt from the sync.
Overview
Creating a Service Account is a multi-step process that requires administrator-level access to the Adobe Acrobat Console and account-level administrator authority in Acrobat Sign.
The process requires the admin to:
- (Optional) Create a new Group in the Acrobat Sign system.
- Creating a dedicated group for the Service Account allows a very tight configuration of the agreement properties that may be too strict or different from other group configurations.
- Create a new Service Account in the Adobe Admin Console.
- This creates a Service Account that other users can switch to (via advanced account sharing) and send agreements.
- This creates a Service Account that other users can switch to (via advanced account sharing) and send agreements.
- Share the Service Account's account with the users and groups that should be allowed to use the Service Account.
- Sharing the Service Account with other users and groups allows those users to switch to the Service Account and generate new agreements that will be sent under that userIDs profile.
Consider generating a unique group in Acrobat Sign for the application
Adding a Service Account to a unique group allows the function of the Service Account to dictate the sending and signing parameters of the group, as well as the available workflows, templates, and reporting features.
In the example of a Service Account designed for Legal transactions, the group can define the default authentication requirement, expiration date, automatic CC parties, and PDF attachment rules, all of which would likely not be suitable for Sales transactions.
Additionally, constraining specific library templates to the Service Account's group ensures that all agreements using that template are associated with only the Service Account and not distributed throughout your user base.
To create a discrete group:
If your organization is
- using the User Sync Tool (UST) to automatically sync users between Adobe and your Active Directory
- not permitting users to be manually added or created in Acrobat Sign
you must create an exception group to be the primary group for all Service Account userIDs.
The name of the group is added to your UST configuration to ensure the sync process does not impact the userIDs, causing them to be deactivated or to have their entitlement removed.
Before creating the new Service Account, you must identify an email address that can be used for inbound replies/questions from your recipients. (e.g., legal_agreements@my_domain.dom)
To create the new Service Account:
-
Log in to your (Federated Sync) Admin Console as an administrator.
-
Log in to your Licensing Admin Console (if you are working with multiple Admin Consoles).
-
Configure your new Service Account with:
- Email or username: Use the email address that you want to capture any reply-to eamils from your recipients.
- ID Type: Federated ID
- First/Last name: this value is used in the Acrobat Sign system and is reflected in the audit report. Use a value that provides context. e.g.: Legal Department
- SSO username: Use the same email value.
- Country/Region: Select the appropriate country or region for your company.
- Select the Acrobat Sign product profile.
- Set the users role to User.
Click Save when done.
Share the Service Account with the groups or users that are authorized to use the Service Account
Creating a share to a group establishes a sharing connection with all users in the group, thereby allowing the group's users to switch into the Service Account interface and create agreements.
Sharing directly to one user establishes a connection to just that user.
-
Select the group or user to share the Service Account account with:
- Click the three lines icon to the right of the search box..
- Click the plus icon next to the group or user to select it.
- Individual users can be added by expanding a group and then selecting an individual user form that group.
- Enable Sending unser the Additional Permission beyond Viewing options.
- Click Save.
Test your new Service Account
To test that your users can access the Service Account: