Connecting federated authentication to Okta

Connecting Okta to a federated authentication system

Okta allows other federated identity solutions to remain the source of truth for their users, while Okta itself functions purely as access control for shared applications.

Below are direct links to the Okta documentation for their primary directory integrations.  

Note that configuring an external identity solution requires that you have a user in Okta with the appropriate Okta admin authority (configured in the Okta user profile).

Okta also permits external identity providers to be configured.

Log in to the Okta admin console and navigate to Security > Identity Providers > Add Identity Provider to see a list of options:

Note:

Notice that a generic SAML 2.0 IdP option exists for any SAML 2.0 compliant identity provider that isn't listed.

Adding the Acrobat Sign Administrative Roles to your directory or IdP configuration

When your users are managed through a directory or IdP, the user profile can no longer be edited directly in the Okta admin console.

This means you must customize your identity solution to update the Acrobat Sign admin roles.

Each solution will have differences, but below are a couple of suggestions for some of the more common solutions that may help in your configuration.

Contact your onboarding/professional services team if you need assistance with your particular solution.

LDAP and Active Directory admins can use membership in a group to map the admin roles:

  • String.stringContains(appuser.group, "signAdmins") ? {"Account Admin"} : {} can be used to map the account admins.
  • String.stringContains(appuser.group, "privacyAdmins") ? {"Privacy Admin"} : {} can be used to map the privacy admins.
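
Because String.stringContains is a substring test, any group whose name merely contains signAdmins or privacyAdmins also maps to the admin role. The following added example (not part of the original page and not Okta code) models that test in Python and audits a constructed list of group names; it assumes appuser.group arrives as a single string and that the comparison is case-sensitive.

```python
# Added example: audits group names against the substring rules shown above.
# Assumption: String.stringContains behaves as a case-sensitive substring test.
RULES = {"signAdmins": "Account Admin", "privacyAdmins": "Privacy Admin"}

# Constructed sample of directory group names (not from the page).
SAMPLE_GROUPS = ["signAdmins", "privacyAdmins", "designAdmins",
                 "signAdmins-readonly", "ex-privacyAdmins", "staff"]


def roles_by_substring(group_value):
    """Roles the mapping expressions would grant for this group string."""
    return {role for needle, role in RULES.items() if needle in group_value}


def roles_by_exact_name(group_value):
    """Roles an exact group-name comparison would grant."""
    return {RULES[group_value]} if group_value in RULES else set()


def audit(group_names):
    """Return (group, unintended roles) for every over-matching group name."""
    findings = []
    for name in group_names:
        extra = roles_by_substring(name) - roles_by_exact_name(name)
        if extra:
            findings.append((name, sorted(extra)))
    return findings


if __name__ == "__main__":
    for name, extra in audit(SAMPLE_GROUPS):
        print(f"{name!r} would also receive: {', '.join(extra)}")
```

Run it against an export of your own group names before enabling the mapping; any finding means a group other than the intended one would elevate its members.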

Configure the SAML 2.0 provider:

All SAML providers have different interfaces and processes, so treat the steps below as a conceptual guide and adapt them to your provider as closely as you can. Contact the Adobe professional services team if you have any trouble or concerns.

We are using OneLogin in this example. Both the SAML provider and the Okta admin console have configuration steps.

  1. Log in to the SAML provider as an Admin

  2. Navigate to Users > Roles

    Select New Role

  3. Enter the role name: PRIVACY_ADMIN and select the green checkmark.

    Click Save

  4. Click New Role

  5. Enter the role name: ACCOUNT_ADMIN and select the green checkmark.

    Click Save

  6. Navigate to Applications > Applications. 

    Search for your SAML Test Connector (Advanced) App.

  7. Select the Parameters tab and click on the + button (marked with the red circle) to add a new parameter.

  8. Add parameter name: SignRoles.

    • Enable Include in SAML Assertion
    • Enable Multi-value parameter
    • Click Save

  9. In the Default if no value selected field, select User Roles from the drop-down list.

    Select Semicolon Delimited input from the next drop-down list.

    Click Save.

  10. Click on the Save button in the top right corner.

Configure the Okta admin console:

  1. In the Okta admin console, navigate to Directory > Profile Editor

  2. Select your SAML 2.0 IdP from the list.

  3. In the Profile Editor of your IdP, click on the Add Attribute button.

  4. Configure the attribute as follows:

    • Data Type: string array
    • Display name: Sign Roles
    • Variable name: signRoles
    • External name: signRoles

    Click Save

  5. In the Profile Editor of your IdP, click on the Mappings button.

  6. Select signRoles (appuser.signRoles) from the drop-down list and map it to signRoles in Okta.

    Click on the Save Mappings button.

    Select Apply Updates now.

  7. In the Profile Editor of your IdP, click on the Mappings button (again).

  8. Click on Okta User to SAML 2.0 IdP

  9. Choose signRoles from the drop-down list and map it to signRoles in SAML 2.0 IdP

    Click on the Save Mappings button.

    Select Apply Updates now.
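
A check you can run on a captured SAML assertion once both sides are configured, added here as an example (not Adobe, Okta or OneLogin code). It assumes the roles arrive as a multi-valued attribute in the assertion's AttributeStatement, uses a constructed sample assertion, and does not verify the XML signature.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EXPECTED_NAME = "signRoles"                    # External name set in Okta
ALLOWED = {"PRIVACY_ADMIN", "ACCOUNT_ADMIN"}   # role names created in the IdP

# Constructed sample: attribute named as in the IdP parameter step (SignRoles).
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="SignRoles">
      <saml:AttributeValue>ACCOUNT_ADMIN</saml:AttributeValue>
      <saml:AttributeValue>PRIVACY_ADMIN</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def check_sign_roles(xml_text):
    """Return (roles, problems) for the signRoles attribute of one assertion."""
    root = ET.fromstring(xml_text)
    attrs = root.findall(".//saml:AttributeStatement/saml:Attribute", NS)
    found = [a for a in attrs
             if a.get("Name", "").lower() == EXPECTED_NAME.lower()]
    if not found:
        return [], ["no signRoles attribute found"]
    attr, roles, problems = found[0], [], []
    if attr.get("Name") != EXPECTED_NAME:
        # Flag for review: the page does not say whether matching ignores case.
        problems.append(f"attribute name {attr.get('Name')!r} differs in case "
                        f"from {EXPECTED_NAME!r}")
    for value in attr.findall("saml:AttributeValue", NS):
        text = (value.text or "").strip()
        if ";" in text:  # roles were not split into separate values
            problems.append(f"semicolon-joined value {text!r}")
        roles.extend(part for part in text.split(";") if part)
    problems += [f"unexpected role {r!r}" for r in roles if r not in ALLOWED]
    return roles, problems


if __name__ == "__main__":
    print(check_sign_roles(SAMPLE))
```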
