User Guide Cancel

Configure an Identity Check Policy for digital identities

 

Adobe Acrobat Sign Guide

What's New

Get Started

Administer

Send, Sign, and Manage Agreements

Advanced Agreement Capabilities and Workflows

Integrate with other products

Acrobat Sign Developer

Support and Troubleshooting

Ensure that digital identity authentication matches the recipient name and email the sender intends.

Overview

Digital Identities provide a solid method to verify who applies a signature based on their ability to authenticate to a trusted identity provider. However, the digital identity process occurs in a secure session between the signer and the identity provider (outside the Acrobat Sign environment). This means that the digital identity alone does not guarantee that the recipient is the exact intended email for which the sender configured the agreement.

The Identity Check policy allows for Digital Identities to match the name and email address configured by the sender to the name and email values associated with the Digital identity provider's records. this directly ties who the sender configured the agreement for to the authentication of the user. Additionally, the identity check can allow for alternate emails, as listed in the Identity Provider's records, and alternate or partial name values to accommodate how names might be communicated.

The Identity Check policy can be configured to be:

  • Disabled - The sender cannot enable the Identity Check.
  • Required - The Identity Check is automatically enabled for all recipients that have a Digital Identity authentication method. The sender can still enable other elements of the identity check.
  • Allowed - The sender must configure the individual recipients to have a digital ID authentication method, and then enable the individual check policies and their respective elements.

Availability:

The Identity Check policy is available for enterprise license plans.

Configuration scope:

The feature can be enabled at the account and group levels.

How it's used

Senders

When the Identity Check policy is Required or Allowed, the sender must configure the recipient to use a Digital Identity Provider (IdP) as their authentication method and then configure which elements of the identity check they want to enforce. These values are checked against the IdP's record for the recipient, and authentication is based on passing acceptable values to the IdP.

When Recipient Name checking is enabled, the sender must provide one or more name values that will be accepted by the IdP.

The sender can configure only one IdP for the authentication process.
If the recipient does not have their identity in place with the selected IdP, they must either create a new identity or the sender must change their authentication method.

The Compose page with the authenticaiton methods expanded and the digital identity method highlighted.

Recipients

Recipient authentication starts with a challenge page that is slightly modified based on how the Indetity Check Policy is configured.
In all cases, an identity verification page is presented with instructions on what the recipient must do and a Verify Identity button that opens the session to the IdP.

Note:

The email address of the sender is provided on the challenge page in the event that the recipient has an issue completing the authentication process.

Configuration

The controls for this feature can be assessed by navigating to Digital Identity > Identity Check Policy

The Digital Identity tab highlighting the Identity Check policy controls.

The configurable options are:

Audit Report and Activity logs

Best practices

If your business practice requires that the signing party be the same as the party the agreement is sent to, and you are using digital identities for authentication, it's recommended to set the Recipient Email address matching to Required.

Unless you have a strong business reason to restrict the recipient to using an email explicitly tied to the primary verified email address at the identity provider, allowing alternate email values is recommended.

Recipient Name matching will depend on how critical an exact name value is to your internal process. In general, names have considerably more variability, so if names are to be matched, it's generally recommended to allow partial name matching.

Get help faster and easier

New user?