Enable single sign-on into Adobe Sign when already authenticated via IdP

Note:

This document applies to customer accounts that manage their user licensing in the Adobe Admin Console.

Accounts that authenticate to Adobe Sign directly must configure their IdP to permit this type of Single Sign-On.

Introduction

When administrators manage their Adobe Sign user licenses within the Adobe Admin Console, they have the option to create end user accounts with different identity requirements, including Federated ID (i.e. SSO / SAML): https://helpx.adobe.com/enterprise/using/identity.html

These Federated ID end users may already have an authenticated session with the organization's identity provider (IdP) before signing in to Adobe Sign. For example, the user may have already authenticated with the IdP when logging into the organization's intranet page or a Microsoft service. In this case, the administrator may not want to require the end user to authenticate again when accessing Adobe Sign. To meet this goal, the administrator may create a URL with a unique URL parameter, so that Adobe Sign can verify that the Federated ID end user is already authenticated to the organization's IdP, and therefore does not need to authenticate again. The administrator may then wish to publish this URL internally (for example, on an intranet page).

Prerequisites

  • The Adobe Sign account must be managed in the Adobe Admin Console
  • The Admin must have enabled Federated ID by creating a directory and claiming a domain within the Admin Console. https://helpx.adobe.com/enterprise/using/set-up-identity.html
  • The end user must have a Federated ID account. (This workflow is not relevant for end users with an Adobe ID, Business ID, or Enterprise ID.) https://helpx.adobe.com/enterprise/using/identity.html
  • The end user must already be entitled to Adobe Sign within the Adobe Admin Console. (This workflow will not enable an end user to be "auto-entitled".)

URL parameters

Construct a unique URL consisting of the following:

  • A primary Adobe Sign login URL of "https://secure.adobesign.com/public/adobeLogin"
  • A suffix of "?dcid="
  • A secondary suffix of "@domain.com". For example, "@acme.com"

Therefore, the entire URL will be similar to:

  • https://secure.adobesign.com/public/adobeLogin?dcid=@acme.com

If the end user meets the prerequisites above, and if the end user is already authenticated with the company's IdP, then the end user will be authenticated to Adobe Sign and brought to the application homepage.

If the end user is not already authenticated with the company's IdP, the end user will likely be brought to the company's IdP login page, where they will be required to authenticate before being brought to the Adobe Sign web application homepage.
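The URL format above can be generated and checked before the link is published on an intranet page. The following is an added example, not Adobe code: the function names and the `CLAIMED_DOMAINS` set are hypothetical, and it assumes the domain after "@" must be one your organization has claimed in the Admin Console.

```python
from urllib.parse import parse_qs, urlsplit

LOGIN_HOST = "secure.adobesign.com"   # host given on this page
LOGIN_PATH = "/public/adobeLogin"     # path given on this page
# Assumption: the domains claimed in the Admin Console (constructed sample value).
CLAIMED_DOMAINS = {"acme.com"}

def build_sso_url(domain):
    """Build the login URL for a claimed domain, written as the page shows it."""
    domain = domain.strip().lower()
    if domain not in CLAIMED_DOMAINS:
        raise ValueError(f"{domain!r} is not a claimed domain")
    return f"https://{LOGIN_HOST}{LOGIN_PATH}?dcid=@{domain}"

def check_sso_url(url):
    """Return the problems found in a link; an empty list means it is well formed."""
    problems = []
    parts = urlsplit(url.strip())
    if parts.scheme != "https":
        problems.append("scheme is not https")
    # hostname excludes userinfo and port, so only an exact host match passes.
    if parts.hostname != LOGIN_HOST:
        problems.append(f"host is {parts.hostname!r}, expected {LOGIN_HOST!r}")
    if parts.username or parts.password or parts.port:
        problems.append("URL carries userinfo or an explicit port")
    if parts.path != LOGIN_PATH:
        problems.append(f"path is {parts.path!r}, expected {LOGIN_PATH!r}")
    query = parse_qs(parts.query, keep_blank_values=True)
    if set(query) != {"dcid"} or len(query["dcid"]) != 1:
        problems.append("query must contain exactly one dcid parameter")
    else:
        value = query["dcid"][0]
        if not value.startswith("@") or value[1:].lower() not in CLAIMED_DOMAINS:
            problems.append(f"dcid value {value!r} is not '@' plus a claimed domain")
    return problems
```

Running `check_sso_url` over links already published on internal pages flags any that have drifted from the documented host, path, or `dcid` format.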
