Introduction

The identity federation standard Security Assertion Markup Language (SAML) 2.0 enables the secure exchange of user authentication data between web applications and identity service providers.

When you use the SAML 2.0 protocol to enable single sign-on (SSO), security tokens containing assertions pass information about an end user (principal) between a SAML authority, the identity provider (IdP), and a SAML consumer, the service provider (SP). (See for more information about the SAML protocol.)

Adobe Sign, acting as the service provider (SP), supports single sign-on through SAML using external identity providers (IdPs) such as Okta, OneLogin, Oracle Identity Federation (OIF), and Microsoft Active Directory Federation Services (AD FS). Adobe Sign is compatible with any external IdP that supports SAML 2.0.

More information on integrating with these identity providers (IdPs) can be found in the following guides:

  • Enabling SAML Single Sign On for Microsoft Active Directory Federation Service
  • Enabling SAML Single Sign On for Okta 
  • Enabling SAML Single Sign On for OneLogin   
  • Enabling SAML Single Sign-on with Oracle Identity Federation

You can also configure Adobe Sign for single sign-on (SSO) with other systems already used in your organization, for example Salesforce.com, or other providers that support SAML 2.0.

Adobe Sign uses federated authentication as opposed to delegated authentication. With federated authentication, Adobe Sign never sees or validates the user's IdP password. Instead, the IdP authenticates the user and the browser delivers a SAML assertion to Adobe Sign in an HTTP POST request. Adobe Sign also supports encrypted assertions.

The SAML assertion has a limited validity period, contains a unique identifier, and is digitally signed. If the assertion is still within its validity period, has an identifier that has not been used before (which prevents replay of a captured assertion), and has a valid signature that verifies against the trusted IdP certificate configured in SAML Settings, the user is granted access to Adobe Sign. Because that certificate is the trust anchor, rotating the signing certificate at the IdP without updating Adobe Sign breaks every SSO login until the new certificate is pasted in.
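The acceptance checks just described, as an added example that is not Adobe Sign's own code: it models the validity-window, single-use identifier and trusted-issuer checks in Python, adds the AudienceRestriction check any service provider should also make, and assumes XML-Signature verification has already been done by an XML-DSig library (for example xmlsec) against the IdP certificate from SAML Settings, with its result passed in as a flag. The IdP entity ID, SP entity ID and the sample assertion are constructed for the example.

```python
"""Service-provider acceptance checks for a SAML 2.0 assertion (added example, not Adobe Sign code)."""
import datetime as dt
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed configuration, standing in for the values entered in SAML Settings.
IDP_ENTITY_ID = "https://idp.rrassoc.com/saml"        # Entity ID/Issuer URL of the IdP (assumed)
SP_ENTITY_ID = "https://rrassoc.na1.echosign.com"     # Entity ID/SAML Audience of the SP (assumed)


def _parse_time(value):
    """Parse xsd:dateTime as IdPs issue it (UTC 'Z', optional fractional seconds)."""
    value = value.rstrip("Z").split(".")[0]
    return dt.datetime.strptime(value, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=dt.timezone.utc)


def check_assertion(assertion_xml, *, trusted_issuer, sp_entity_id, signature_valid,
                    now, seen_ids, skew=dt.timedelta(minutes=3)):
    """Return (accepted, reason, email).  seen_ids is the replay cache; an entry
    only needs to live until that assertion's NotOnOrAfter has passed."""
    if not signature_valid:  # nothing below is worth checking on an unverified document
        return False, "signature did not verify against the trusted IdP certificate", None
    a = ET.fromstring(assertion_xml)
    if a.tag != "{%s}Assertion" % SAML:
        return False, "not a saml:Assertion element", None
    issuer = (a.findtext("saml:Issuer", namespaces=NS) or "").strip()
    if issuer != trusted_issuer:
        return False, "issuer %r is not the configured IdP" % issuer, None
    cond = a.find("saml:Conditions", NS)
    if cond is None:
        return False, "missing Conditions", None
    not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if not_before and now + skew < _parse_time(not_before):
        return False, "assertion not yet valid", None
    if not_on_or_after and now - skew >= _parse_time(not_on_or_after):
        return False, "assertion expired", None
    audiences = [e.text.strip() for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:
        return False, "audience restriction does not name this SP", None
    assertion_id = a.get("ID")
    if not assertion_id:
        return False, "missing assertion ID", None
    if assertion_id in seen_ids:
        return False, "replayed assertion ID", None
    name_id = a.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FORMAT or not name_id.text:
        return False, "NameID is not an emailAddress", None
    seen_ids.add(assertion_id)  # record the ID only after every check has passed
    return True, "ok", name_id.text.strip().lower()


# Constructed sample assertion (unsigned here; the XML-DSig check is assumed to have run already).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_7c4f1c2e" Version="2.0" IssueInstant="2016-06-23T18:00:00Z">
  <saml:Issuer>https://idp.rrassoc.com/saml</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">Susan@rrassoc.com</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2016-06-23T18:00:00Z" NotOnOrAfter="2016-06-23T18:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://rrassoc.na1.echosign.com</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def run_scenarios():
    """Run the checks over constructed scenarios; returns {name: (accepted, reason, email)}."""
    now = dt.datetime(2016, 6, 23, 18, 1, tzinfo=dt.timezone.utc)
    cache = set()  # shared between 'fresh' and 'replay' so the second presentation is caught
    base = dict(trusted_issuer=IDP_ENTITY_ID, sp_entity_id=SP_ENTITY_ID, signature_valid=True)
    return {
        "fresh": check_assertion(SAMPLE_ASSERTION, now=now, seen_ids=cache, **base),
        "replay": check_assertion(SAMPLE_ASSERTION, now=now, seen_ids=cache, **base),
        "expired": check_assertion(SAMPLE_ASSERTION, now=now + dt.timedelta(minutes=10), seen_ids=set(), **base),
        "unsigned": check_assertion(SAMPLE_ASSERTION, now=now, seen_ids=set(), **dict(base, signature_valid=False)),
        "wrong_audience": check_assertion(SAMPLE_ASSERTION, now=now, seen_ids=set(),
                                          **dict(base, sp_entity_id="https://other.example.com")),
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print("%-15s %s" % (name, result))
```

Running the block prints the five scenarios. The replay case is why the identifier cache has to outlive the assertion's validity window, and the unsigned case is why the signature is checked before anything else: every other field in an unverified document is attacker-controlled.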

A summary of the Adobe Sign authentication specification is included in the table below:

  Specification (Standard Name)    Value
  Federation Protocol              SAML 2.0
  Federation Profile               Browser POST
  Federation Unique Identifier     Email address
  Relay State                      Not needed. Adobe Sign has the logic to know where to send the user after they are authenticated.

Adobe Sign SAML request and response diagram

Prerequisites

To enable SSO, your corporate network must support the SAML 2.0 protocol. If your corporate network does not support SAML, contact Adobe Sign Support to discuss other options to enable Single Sign On in your account.

Before beginning to set up SAML SSO, you must do the following:

  • Establish a Domain Name. (For the examples in this guide, this will be rrassoc.com.)
  • Enable SAML for your domain using a provider such as Microsoft Active Directory Federation Services, Okta, OneLogin, Oracle Identity Federation, or others. You may need to open an Adobe Sign support ticket to get your domain enabled from the backend.
  • Create or verify that you have an administrator account with your IdP using an email address. (For the examples in this guide, this email address will be susan@rrassoc.com.)
    • If you do not have an Okta account, you can create a free Okta Developer Edition organization using this link: https://www.okta.com/developer/signup/.
    • If you do not have a OneLogin account, you can create a free trial account by going to https://www.onelogin.com/ and clicking the FREE TRIAL button in the upper right corner.
  • (Optional) Add an additional email ID for user provisioning in both the IdP and the SP. This will allow you to add more users who can log into Adobe Sign with their SSO credentials.
  • (Required) Verify that you have an admin user for Adobe Sign and an admin user for the IdP.
  • (Optional) Create or verify that you have an Adobe Sign administrator account that uses the same email address as the account for your IdP. (For the examples in this guide, this email address will be susan@rrassoc.com.) This will make it easier to administer the accounts.
  • In Adobe Sign, set your SAML Mode to "SAML Allowed". (See Working with the SAML Settings for more information.)

Note:

When setting up SAML SSO, we recommend that you set the SAML Mode to SAML Allowed until the entire setup process is complete and you’ve verified it is working correctly. Once verified, you can change the SAML Mode to SAML Mandatory.

Enabling Single Sign On using SAML

At a high level, enabling SAML SSO between Adobe Sign (the SP) and your IdP involves the following steps:

1. If required (by your IdP), set up your IdP using the Adobe Sign Service Provider (SP) Information.

2. Set up Adobe Sign using information from your IdP.

3. Verify that the SAML SSO has been properly set up. 

Working with SAML Settings

To locate your Adobe Sign SAML Settings, log in as an account administrator or group administrator, then click Account. Under Account Settings, click SAML Settings.

Adobe Sign SAML Settings within the Adobe Sign application

To view the options for User Creation, Login Page Customization, Identity Provider (IdP) Configuration, and Adobe Sign Service Provider (SP) Information, scroll to the bottom of the SAML Settings page. 

SAML Mode Settings

In Adobe Sign, there are three SAML Mode options and one additional option that works with the SAML Mandatory option.

Adobe Sign SAML Mode options
  • SAML Disabled—Select this option if you are not using SAML for your account. When selected, none of the other SAML Settings are accessible.
  • SAML Allowed—Select this option to allow all users, including account administrators, to use SAML SSO. Users can also continue to sign in with their Adobe Sign credentials.
  • SAML Mandatory—Select this option to enforce log in with SAML SSO for all users. If this option is selected, the "Allow Adobe Sign Administrators to log in using their Adobe Sign Credentials" option is greyed out (disabled).

As noted above under Prerequisites, we recommend that you set the SAML Mode to SAML Allowed until you’ve verified your SAML SSO set up.

Hostname

The Hostname is your domain name. (See Prerequisites above.) When entered, your hostname becomes part of the Assertion Consumer URL, the Single Log Out (SLO) URL, and the Single Sign-On (Login) URL.

Adobe Sign SAML Hostname (Domain) setting

User Creation Settings

Only the first of the two User Creation settings is directly connected with SAML Setup. The second setting pertains to all pending users, whether or not they are added as a result of authenticating through SAML.

Adobe Sign SAML User Creation options
  • Automatically add users authenticated through SAML—If this option is enabled, users who are authenticated through your IdP are automatically added as pending users in Adobe Sign.
  • Automatically make pending users in my account active—If the Require signers in my account to log in to Adobe Sign before signing setting, under Signer Identity Verification (Security Settings), is enabled, this setting should also be enabled. When a signature is requested from a new user, this user is created as a pending user in your account. If this option is not enabled, these users are prevented from signing agreements sent to them for signature. 

Login Page Customization Settings

You can customize the sign on message that users see on the Adobe Sign Sign In page when SAML Single Sign On is enabled. 

Adobe Sign SAML login page custom settings
  • Single Sign On Login Message—Optionally, enter a message to display above the SSO Sign In button on the Adobe Sign Sign In page. Below are examples of a custom SSO login message and of the default SSO login message (in this case for Okta).
Adobe Sign custom SSO login message
Adobe Sign default SSO login message

Identity Provider (IdP) Configuration Within Adobe Sign

For every IdP, you must enter the following information from your IdP into the IdP Configuration fields in Adobe Sign. (Okta differs only in the other direction: its Adobe Sign Provisioning app already knows the Adobe Sign SP information, so nothing has to be copied from Adobe Sign into Okta.)

Adobe Sign SAML Identity Provider Configuration
  • Entity ID/Issuer URL—The unique identifier that your IdP places in the Issuer element of every assertion it sends. It identifies the IdP rather than your domain; copy it exactly as the IdP shows it.
  • Logout URL/SLO Endpoint—When someone logs out of Adobe Sign, this URL is called to log them out of the IdP as well.
  • Login URL/SSO Endpoint—The URL that Adobe Sign will call to request a user login from the IdP. The IdP is responsible for authenticating and logging in the user.
  • IdP Certificate—The IdP's token-signing certificate (public key only, pasted in PEM/Base-64 form). Adobe Sign uses it to verify the signature on each assertion, so it must be replaced whenever the IdP rotates its signing certificate.

Adobe Sign SAML Service Provider (SP) Information

The SP information section displays the default information for Adobe Sign. Once you’ve entered and saved your host name and IdP Configuration information, the information in the SP information section is updated to include your hostname.

(In our example, https://secure.echosign.com/public/samlConsume
becomes https://globalcorp.na1.echosign.com/public/samlConsume.)

Adobe Sign SAML Service Provider Information

The SP Information provided is as follows:

  • Entity ID/SAML Audience—A URL that identifies the entity expected to receive the SAML message, in this case Adobe Sign. The IdP places it in the AudienceRestriction of the assertion.
  • SP Certificate—Some IdPs require a certificate to identify the Service Provider (for example, to verify requests signed by it). The link in this view points to the Adobe Sign Service Provider certificate.
  • Assertion Consumer URL—The Adobe Sign endpoint to which the IdP posts the SAML response; a valid assertion received here logs the user in.
  • Single Log Out (SLO) URL—The URL that users are redirected to when they log out.
  • Single Sign-On (Login) URL—The URL to which the IdP sends login requests.


Microsoft Active Directory Federation Services Configuration

Guide for Configuring Microsoft Active Directory Federation Services

Overview

This document describes the process for setting up Single Sign On for Adobe Sign using Microsoft Active Directory Federation Service. Before proceeding, please review the Adobe Sign Single Sign On Using SAML Guide, which describes the SAML set up process and provides detailed information on the SAML Settings in Adobe Sign.

The process of setting up SAML SSO includes the following:

  • Installing the Active Directory Domain Service
  • Installing the Active Directory Federation Service
  • Creating a Test User
  • Adding Adobe Sign as a relying party

Installing the Active Directory Domain Service

Before configuring SAML for MSAD, you must install the Active Directory Domain Service if it is not already installed. You must have system administrator privileges in Windows Server to install Active Directory Domain Services. 

Installing the Active Directory Federation Service

1. If required, launch the Server Manager, then click Dashboard.

MSAD Federation Service Configuration Panel

2. In the Dashboard, click Add roles and features. The Add Roles and Features Wizard displays.

3. In the Select installation type dialog, select Role-based or feature-based installation, then click Next.

MSADF Select installation type dialog

4. In the Select destination server dialog of the wizard, leave the Select a server from the server pool option enabled, select a Server Pool, then click Next.

MSADF Select destination server dialog

5. In the Select server roles dialog, select Active Directory Federation Services, then click Next.

MSADF Select server roles dialog

6. In the Confirm installation selections dialog of the wizard, accept all the defaults by clicking Install.

7. On the post install options, select Create the first federation server in a federation server farm.

8. On the Welcome page, leave the options as is and click Next.

MSADF Welcome Screen

9. In the Connect to Active Directory Domain Services dialog of the wizard, select the Administrator account if not by default, then click Next.

MSADF Connect to Active Directory Domain Services dialog

10. In the Specify Service Properties dialog, import the pfx file that you created using the steps defined in the Certificate Creation section, enter a Federation Service Display Name, then click Next.

MSADF Specify Service Properties dialog

11. In the Specify Service Account dialog, select Use an existing domain user account or group Managed Service Account. For this test setup, use Administrator as the service account and provide your administrator password, then click Next. (In production, Microsoft recommends a dedicated group Managed Service Account rather than a domain Administrator account, so that a compromise of the AD FS service does not yield domain-wide privileges.)

MSADF Specify Service Account dialog

12. In the Specify Configuration Database dialog, select Create a database on this server using Windows Internal Database, then click Next.

MSADF Specify Configuration Database dialog

13. In the Review Options dialog, click Next.

MSADF Review Options dialog

14. In the Prerequisite Checks dialog, once the prerequisite check is done, click Configure.

MSADF Prerequisite Checks dialog

15. In the Results dialog, ignore the warning and click Close.

MSADF Results dialog

Adding Adobe Sign as a relying party

1. From the Apps menu, launch AD FS Management.

Launch AD Federation Service Management

2. In the AD FS console, select Authentication Policies then Edit.

MS AD FS Authentication Policies interface

3. In the Edit Global Authentication Policy dialog, under both Extranet and Intranet, enable Forms Authentication.

MS AD FS Edit Global Authentication Policy dialog

4. In the AD FS console, under Trust Relationships, select Relying Party Trusts and click Add Relying Party Trust. The Add Relying Party Trust wizard displays.

5. In the Select Data Source dialog of the wizard, enable the Enter Data about the relying party manually option, then click Next.

MS AD FS  Add Relying Party Trust wizard

6. In the Specify Display Name dialog, enter a Display Name, then click Next.

MS AD FS  Specify Display Name dialog

7. In the Choose Profile dialog, enable the AD FS profile option, then click Next.

MS AD FS Choose Profile dialog

8. In the Configure Certificate dialog, there is no token-encryption certificate to configure (claims encryption is turned off later, under Adding the Certificate from Adobe Sign), so click Next.

MS AD FS  Configure Certification dialog

9. In the Configure URL dialog, select Enable support for the SAML 2.0 WebSSO protocol and enter the Assertion Consumer URL from Adobe Sign, then click Next.

(See the Hostname section of the Single Sign On with SAML Guide for more information about the Assertion Consume URL.)

MS AD FS Configure URL dialog

10. In the Configure Identifiers dialog, enter http://echosign.com for Relying party trust Identifier and click Add, then click Next.

MS AD FS Configure Identifiers dialog

11. In the next screen, leave the defaults as-is, and click Next.

MS AD FS Add Relay dialog

12. In the Choose Issuance Authorization Rules dialog, confirm that the Permit all users to access the relying party option is enabled.

MS AD FS Choose Issuance Authorization Rules dialog

13. In the Ready to Add Trust dialog, click Next.

MS AD FS Ready to Add Trust dialog

14. In the Finish dialog, click Close.

MS AD FS Finish dialog

15. In the Edit Claim Rules dialog, click Add Rule.

MS AD FS Edit Claim Rules dialog

The Add Transform Claim Rule Wizard displays.

 

16.  In the Select Rule Template dialog of the wizard, select Send LDAP Attributes as Claims from the Claim rule template drop-down.

MS AD FS Select Rule Template dialog

17. In the Configure Rule dialog, select the options shown in the dialog and click Finish. Adobe Sign only supports the email address as the unique identifier. You need to select E-Mail Addresses as the LDAP Attribute and E-Mail Address as the Outgoing Claim.

MS AD FS Configure Rule dialog

18. When the Select Rule Template dialog of the wizard redisplays, select Send Claims Using a Custom Rule from the Claim rule template drop-down, then click Next.

19. In the Configure Rule dialog, enter the following:

  • Name of rule—Enter EmailToNameId
  • Custom rule description—Enter the following rule, which turns the e-mail address claim from step 17 into the SAML NameID in emailAddress format (the only identifier Adobe Sign accepts):

c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
          Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer,
          Value = c.Value, ValueType = c.ValueType,
          Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
          Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/spnamequalifier"] = "");

MS AD FS Configure Rule dialog

20. Click Finish. The Add Transform Claim Rule Wizard closes.

21. Back in the Edit Claim Rules for Adobe Sign dialog, click the Issuance Authorization Rules tab and the Delegation Authorization Rules tab and ensure that Permit Access to All Users is enabled for both, as shown below.

If not, add a rule so that Permit Access to All Users is enabled.

MS AD FS Edit Claim Rules for Adobe Sign dialog,
MS AD FS Edit Claim Rules for Adobe Sign dialog

22. Click OK to accept all changes and close the Edit Claim Rules for Adobe Sign dialog.

 

Adding the Certificate from Adobe Sign

1. In the AD FS console, under Trust Relationships > Relying Party Trusts, select the Adobe Sign relying party trust and click Properties.

2. Once launched, select Authentication Policies and then Edit.

MS AD FS console

3. Select the Signature tab.

4. Click Add and add the SP certificate file you downloaded from Adobe Sign.
(See the Adobe Sign SAML Service Provider (SP) Information section of the Single Sign On with SAML Guide for more information about the SP certificate.)

5. Select the Advanced tab and change the Secure Hash Algorithm to SHA-1. (This is the digest AD FS uses when signing the SAML response. SHA-1 is deprecated for digital signatures, so confirm with Adobe Sign Support whether SHA-256 is accepted before leaving SHA-1 on a production trust.)

6. Select the Endpoints tab and add the Single Logout (SLO) URL from Adobe Sign.
(See the Hostname section of the Single Sign On with SAML Guide for more information about the Single Logout (SLO) URL).

7. Disable claims encryption. The relying party trust was created without an encryption certificate, so AD FS must not try to encrypt the assertion. Open PowerShell on the AD FS server and run the following, where TargetName is the Display Name you gave the trust:

Set-AdfsRelyingPartyTrust -TargetName "Adobe Sign" -EncryptClaims $false

 

Adobe Sign specific settings

Adobe Sign Support enables the following account-level settings on the backend; confirm them before testing:

  • SAML_AVAILABLE=true on the account
  • Host Name
  • SAML Mode
  • ACCOUNT_USER_ADD_EMAIL_DOMAINS set to your email domain, for example dev.com

Then export the AD FS token-signing certificate: in the AD FS console under Service > Certificates, select the Token-signing certificate and export it as a Base-64 encoded X.509 (.CER) file. Do not export the private key; Adobe Sign only needs the public certificate to verify signatures, and the token-signing private key must never leave the AD FS server.
MS AD FS Adobe Sign specific settings
MS AD FS Adobe Sign specific settings

Open this .cer file in Notepad (the Base-64 format is what makes it readable there) and, as the Adobe Sign administrator, paste its contents into the IdP Certificate field in SAML Settings.

Now you should be able to test. 

Certificate Creation

AD FS needs a certificate for the Federation Service (step 10 of Installing the Active Directory Federation Service). The self-signed certificate created here is for a test lab; a production federation server should use a certificate issued by a CA that your users' browsers trust.

1. On Windows, install OpenSSL. On macOS, OpenSSL is already present.

2. Launch a command prompt and generate a private key and a self-signed certificate (the names in angle brackets are yours to choose; the key file name is reused in step 3):

openssl req -x509 -newkey rsa:2048 -keyout <yourkeyName>.pem -out <yourkeynameCer>.pem -days <#ofdays>

Enter the following when prompted:

  • Country code: US
  • State: California; City: San Jose
  • Organization and Organizational Unit: any values
  • Common Name: the fully qualified host name of your federation server, for example sjtest.es.com. AD FS expects this to match the Federation Service name.

3. Bundle the certificate and private key into a PKCS#12 file (AD FS needs the private key to serve HTTPS for the federation service):

openssl pkcs12 -export -in <yourkeynameCer>.pem -inkey <yourkeyName>.pem -out my_pkcs12.pfx

4. Enter an export password when prompted, and keep it: the AD FS wizard asks for it on import.

5. In the Specify Service Properties dialog, click Import, select my_pkcs12.pfx, and enter the password you provided at export time.


Okta Configuration

Guide for Configuring Okta Single Sign-On

Overview

Adobe Sign can support Security Assertion Markup Language (SAML) single sign-on (SSO) using external identity providers (IdPs) such as Okta. This document describes the steps for configuring Adobe Sign for SAML SSO with Okta. This document also provides information on testing your SAML SSO configuration. Before proceeding, please see the Adobe Sign Single Sign On Using SAML Guide, which describes the SAML set up process and provides detailed information on the SAML Settings in Adobe Sign.

Configuring SAML SSO with Okta

You must be an administrator for both your Adobe Sign and Okta accounts to enable SAML SSO. The username for both accounts must be the same. The passwords can be different.

When enabling SAML SSO with Okta, information only needs to be entered in Adobe Sign. Okta has developed a custom Adobe Sign Provisioning app that makes it unnecessary to transfer the SP Information from Adobe Sign to Okta.

Note:

For the most up-to-date instructions for Okta, see http://developer.okta.com/docs/guides/setting_up_a_saml_application_in_okta.html

1. Log in to Okta and Adobe Sign in different browsers or in different windows within the same browser.

  • In Okta, log in to your account with the same administrator account you use for your Adobe Sign Admin Account.
Okta Login Page
  • In Adobe Sign, log in to your account using the same admin account credentials that you use for Okta. 
Adobe Sign Login Page

2. Click the blue Admin button.

Okta Top bar

3. Click the Add Applications shortcut.

Okta shortcuts to add applications

The Add Application page displays.

Okta Add Applications page

4. In Search, type Adobe Sign.

  • Click the Add button to add the Adobe Sign Provisioning application.
Okta Add button to add the Adobe Sign Provisioning application

The Add Adobe Sign Provisioning wizard launches displaying the General Setting tab.

Okta  Add Adobe Sign Provisioning wizard

5. In Adobe Sign, navigate to the SAML Settings page. Note the Hostname for your account.

Adobe Sign SAML Settings page

6. In Okta under General Settings, enter the Hostname for your Adobe Sign account in the Your Adobe Sign Sub domain field. Click Next to continue. 

Note:

If you don't want users to automatically log in to Adobe Sign when they log in to Okta, disable the Automatically log in when user lands on the login page option.

Okta General settings tab

7. On the Sign-On Options tab, enable SAML 2.0.

Okta  Sign-On Options tab,

The SAML 2.0 section displays.

 

8. Under SAML 2.0, click View Setup Instructions.

Okta SAML 2.0 panel

The Okta How to Configure SAML 2.0 for Adobe Sign page displays in a new browser window. This page includes instructions and the IdP information that you must enter in the Adobe Sign SAML Settings page.

Okta How to Configure SAML 2.0 for Adobe Sign page

9. Copy the Entity ID/Issuer URL from the Okta page, and enter it into the Entity ID/Issuer URL field in Adobe Sign.
(see the IdP Configuration section of the How to Configure SAML 2.0 for Adobe Sign page)

Note:

The Entity ID/Issuer URL does not need to be a well-formed URL. It can be any unique value, as long as it is copied exactly as Okta shows it, since it is how Adobe Sign identifies assertions from this IdP.

Okta idP page showing Entity ID/Issuer URL

10. Copy the Login URL/SSO Endpoint from the Okta page, and enter it into the Login URL/SSO Endpoint field in Adobe Sign.
(see the IdP Configuration section of the How to Configure SAML 2.0 for Adobe Sign page)

Note:

Note that in Adobe Sign, the Logout URL/SLO Endpoint is before the Login URL/SSO Endpoint.

Okta idP page showing the URL/SSO Endpoint

11. Copy the Logout URL/SLO Endpoint from the Okta page and enter it into the Logout URL/SLO Endpoint field in Adobe Sign.
(see the IdP Configuration section of the How to Configure SAML 2.0 for Adobe Sign page)

Okta idP page showing the Logout URL/SLO Endpoint

Note:

The Logout URL/SLO Endpoint shown above is only a suggestion. Because Adobe Sign redirects the user's browser to this URL after logout, you can specify any valid URL (for example Google), though a page your organization controls is the safer choice.

12. Copy the IdP Certificate from the Okta page to the IdP Certificate field in Adobe Sign.

  • Make sure there are no spaces or returns after “-----END CERTIFICATE-----“.

(see the IdP Configuration section of the How to Configure SAML 2.0 for Adobe Sign page)

Okta idP page showing the certificate

You can close the browser window that displays the Okta How to Configure SAML 2.0 for Adobe Sign page after you copy the IdP Certificate.

 

13. In Adobe Sign, click Save.

Adobe Sign Save button

14. Click the browser window that displays the Okta Sign-On Options if needed.

15. In the Credential Details section of Sign-On Options (see step 8 above), select Email from the Application username format drop-down, then click Next to continue.

Okta Credential Details section of Sign-On Options

16. Under Provisioning, you have the option to select the Enable provisioning features option. (See Setting up Auto-Provisioning for more information.) Click Next to continue without setting up Auto-provisioning. 

Okta Provisioning page

Note:

If you enable the Enable provisioning features option, you must also enable Automatically add users authenticated through SAML in the Adobe Sign SAML Settings.

17. Under the Assign to People tab, in the People section check the box next to your name to assign at least one active user (yourself), then click Next.

Okta Assign to People tab

18. Click Done.

Okta Provisioning Done button

You can now log out of Okta and proceed with testing your SAML setup. (See Testing Your Okta SAML SSO Configuration for more information.)

 

Setting Up Auto-provisioning in Okta

If this option is enabled, and the “Automatically add users authenticated through SAML” option in Adobe Sign is also enabled, you can automatically provision users in Adobe Sign.

Okta Add Adobe Sign Provisioning page

Setting up Auto-launch for Adobe Sign

You can automatically launch Adobe Sign when you log in to Okta. If this feature is enabled, Adobe Sign will open in a separate window when you log in to Okta. You must have pop-ups enabled in your browser for this feature to work.       

Note:

If you also enabled the "Automatically log in when user lands on login page" option, two Adobe Sign windows will open when you launch Okta.

1. Log in to Okta. Your Home page will display.

Okta log in page showing Adobe Sign

2. On the Adobe Sign Provisioning app, hover over the gear icon, then click it.

Okta gear icon for Adobe Sign

3. When the Adobe Sign Provisioning Settings popup displays, click the General tab.

Okta Adobe Sign Provisioning Settings popup

4. Enable the Launch this app when I sign into Okta option.

Okta Launch this app when I sign into Okta option.

5. Click Save.

 

Testing Your Okta SAML SSO Configuration

There are two ways to test your Okta SAML setup. 

Log in to Adobe Sign through Okta

1. If logged in, log out of Okta.

2. Log in to Okta. Your Okta Home page displays.

3. On the Home page, click the Adobe Sign Provisioning app.

Okta Home page showing the Adobe Sign Provisioning app

You are automatically logged into Adobe Sign.

Adobe Sign login page

Log in to Adobe Sign using your URL

1.  Enter your company login URL in your browser. The Adobe Sign Sign In page displays.

2. On the Sign In page, click the second Sign In button. If you’ve entered a custom Single Sign On Login Message that message displays above this button. If you have not entered a custom message, the default message displays.

Adobe Sign login message showing both custom and default messaging.

You are logged into Adobe Sign.

Adobe Sign login page


OneLogin Configuration

Guide for Configuring OneLogin Single Sign-On

Overview

Adobe Sign can support Security Assertion Markup Language (SAML) single sign-on (SSO) using external identity providers (IdPs) such as OneLogin. This document describes the steps for configuring Adobe Sign for SAML SSO with OneLogin. This document also provides information on testing your SAML SSO configuration. Before proceeding, please see the Adobe Sign Single Sign On Using SAML Guide, which describes the SAML set up process and provides detailed information on the SAML Settings in Adobe Sign.

 

Configuring SAML SSO with OneLogin

1. Log in to OneLogin and Adobe Sign in different browsers or in different windows within the same browser.

  • In OneLogin, log in to your account with the same administrator credentials you use for your Adobe Sign Admin Account. 
OneLogin Authentication panel
  • In Adobe Sign, log in to your account using the same admin account credentials you use for OneLogin. The passwords for these two logins do not have to be the same, but you must log in as the administrator for each account.
Adobe Sign Authentication panel

2. In OneLogin, click Add Apps.

OneLogin Add Apps link

3. Search for Adobe Sign.

OneLogin search for Adobe Sign

4. Click the row for Adobe Sign.

OneLogin click the Adobe Sign icon

5. In the Add page, under Connectors select SAML 2.0 – user provisioning, then click Save at the top.

OneLogin app Configuration page.

6. Navigate to the SAML Settings page. Note the Hostname for Adobe Sign.

Adobe Sign SAML configuration page

7. In OneLogin, click the Configuration tab. In the Subdomain field, enter your Hostname from Adobe Sign, then click Save.

OneLogin subdomain page

8. Click the SSO tab.

OneLogin SSO tab

9. In the SSO tab, click View Details to display the Standard Strength Certificate (2048-bit) page.

OneLogin SSO configuration page

10. In the Standard Strength Certificate page that displays, click the Copy to Clipboard button for the X.509 Certificate field to copy the certificate to the clipboard.

OneLogin Standard Strength Certificate page

If the certificate was copied successfully, the button's rollover text changes from "Copy to Clipboard" to "Copied".

 

11. In Adobe Sign, paste the copied certificate into the IdP Certificate field. Be sure to remove any returns that may have been copied. The cursor should be at the end of the last line as shown below. 

Adobe Sign idP Certificate field

12.  In OneLogin, click the Copy to Clipboard button for the Issuer URL.

OneLogin Issuer URL

13. In Adobe Sign, paste the Issuer URL into the Entity ID/Issuer URL field.

Adobe Sign Entity ID/Issuer URL field

14. In OneLogin, click the Copy to Clipboard button for the SAML 2.0 Endpoint (HTTP) URL.

OneLogin SAML 2.0 Endpoint (HTTP) URL

15. In Adobe Sign, paste the SAML 2.0 Endpoint (HTTP) URL into the Login URL/SSO Endpoint (IdP Login URL) field.

Adobe Sign IdP Login URL field

16. In OneLogin, click the Copy to Clipboard button next to SLO Endpoint (HTTP).

OneLogin Copy to Clipboard button next to SLO Endpoint (HTTP)

Note:

The OneLogin SLO Endpoint (HTTP) URL is only a suggestion. Because Adobe Sign redirects the user's browser to this URL after logout, you can specify any valid URL (for example Google), though a page your organization controls is the safer choice.

17. In Adobe Sign, paste the SLO Endpoint value into the Logout URL/SLO Endpoint field.

Adobe Sign SLO Endpoint

18. In Adobe Sign, click Save.

Adobe Sign Save button

19. In OneLogin, click the back arrow to return to the SSO page.

OneLogin back arrow

20. Click the Users tab to add users.

OneLogin User Tab

21. Click the row to add the user. The Save button is not activated until you click at least one user.

OneLogin User Tab with User Highlighted

22. When done, click Save.

 

Testing Your OneLogin SAML SSO Configuration

There are two ways to test your OneLogin SAML Setup. 

Log in to Adobe Sign through OneLogin

1. If logged in, log out of Adobe Sign.

2. Log in to OneLogin.

OneLogin Authentication panel

3. On the App Home page, click the Adobe Sign app.

OneLogin App Home page

You are automatically logged into Adobe Sign.

Adobe Sign Login page

Log in to Adobe Sign using your URL

1. Enter your company login URL for Adobe Sign in the address line of your browser (such as myCompany.adobesign.com). The Adobe Sign Sign In page displays.

2. On the Sign In page, click the second Sign In button. If you’ve entered a custom Single Sign On Login Message that message displays above this button. If you have not entered a custom message, the default message displays.

Adobe Sign Authentication panel with custom SSO message

3. You are logged into Adobe Sign.

Adobe Sign Login page


Oracle Identity Federation Configuration

Guide for Configuring Oracle Identity Federation

Overview

Adobe Sign can support Security Assertion Markup Language (SAML) single sign-on (SSO) using external identity providers (IdPs) such as Oracle Identity Federation (11g). This document describes the steps for configuring Adobe Sign, acting as the SAML consumer or service provider (SP), to use OIF. This document also provides suggested steps for configuring OIF, however, please contact your OIF system administrator before making any configuration changes to your OIF Server. Before proceeding, please see the Adobe Sign Single Sign On Using SAML Guide, which describes the SAML set up process and provides detailed information on the SAML Settings in Adobe Sign.

Configuring OIF as an IdP in Adobe Sign

Your organization's instance of OIF needs to be configured within Adobe Sign as the external SAML Identity Provider (IdP). As an administrator for your Adobe Sign account, navigate to SAML Settings (Account | Account Settings | SAML Settings).

You will need metadata information from your OIF IdP configuration. Typically, the OIF metadata is available as an XML document at http://<host>:<port>/fed/idp/metadata. Contact your OIF administrator to gather it. You will need the following configuration information:

  • Entity ID/Issuer URL—The entityID attribute on the EntityDescriptor element
  • Logout URL/SLO Endpoint—The Location attribute on the SingleLogoutService element. When someone logs out of Adobe Sign, this URL is called to log them out of the IdP as well.
  • Login URL/SSO Endpoint—The Location attribute on the SingleSignOnService element
  • IdP Certificate—The certificate under EntityDescriptor -> IDPSSODescriptor -> KeyDescriptor use="signing" (the public signing certificate; metadata never contains the private key)

 

This information should be configured in the appropriate fields in the Adobe Sign SAML configuration. See image below:

Adobe Sign SAML idP settings

Configuring Adobe Sign as a SP in OIF

Once the OIF SAML configuration is complete within the Adobe Sign UI, the next step is to configure Adobe Sign as a Service Provider within OIF. The information required for configuring Adobe Sign within OIF is available on the Adobe Sign SAML Service Provider (SP) information section under Account | Account Settings | SAML Settings

Adobe Sign SAML settings

The metadata description for Adobe Sign is shown below:

MetaData (downloadable XML file)

You must customize this metadata description and change the Assertion Consumer URL in the XML to match the URL for your account. The Assertion Consumer URL for your specific account is shown in SAML Settings.

 

The steps for completing the configuration in OIF are as follows:

1. Go to the Federations configuration screen on the OIF Administration panel

Federations configuration screen on the OIF Administration panel

2. Create a new federation profile

Create a new federation profile

3. Create a new Service Provider (SP) listing for Adobe Sign

 

Import the Adobe Sign SP configuration XML or manually create the SP listing using the provider information from the Adobe Sign SAML settings.

Manually create the SP listing

4. Complete the configuration. Adobe Sign will appear as a new Service Provider listing in the OIF list of SPs. 

Adobe Sign appears as a new Service Provider listing

Verifying Email Address as NameID Format

Adobe Sign uses the email address as the unique user identifier. Before testing single sign-on, one last step is to ensure that the email address field is mapped to the appropriate user attribute within OIF and that emailAddress is enabled as a valid NameID format.

OIF Administration / Identity Provider
Ensure that the email address field is mapped to the appropriate user attribute within OIF
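For the metadata-driven configuration above, and for the paste check in the Okta and OneLogin steps (nothing may follow END CERTIFICATE), an added Python example that is not Oracle's or Adobe's code: it reads an IdP metadata document of the shape OIF publishes at /fed/idp/metadata, extracts the four Adobe Sign IdP Configuration values, re-wraps the signing certificate as clean PEM for the IdP Certificate field, and reports whether the emailAddress NameID format is advertised. The host names, endpoint paths and certificate bytes in the sample are constructed.

```python
"""Derive Adobe Sign IdP Configuration values from SAML 2.0 IdP metadata (added example)."""
import base64
import textwrap
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"md": MD, "ds": DS}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"


def _endpoint(idp, element):
    """Location of an md:SingleSignOnService / md:SingleLogoutService.
    Prefer HTTP-Redirect, then HTTP-POST, then whatever is listed first."""
    nodes = idp.findall("md:" + element, NS)
    for binding in (REDIRECT, POST):
        for node in nodes:
            if node.get("Binding") == binding:
                return node.get("Location")
    return nodes[0].get("Location") if nodes else None


def to_pem(x509_b64):
    """Re-wrap the metadata's base64 DER into a PEM block with 64-character lines."""
    body = "".join(x509_b64.split())         # metadata often carries newlines and indentation
    base64.b64decode(body, validate=True)     # reject garbage before it reaches the settings page
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(textwrap.wrap(body, 64))
            + "\n-----END CERTIFICATE-----")


def pem_field_is_clean(text):
    """The check the Okta and OneLogin steps ask for before clicking Save:
    the pasted value must start at BEGIN and end exactly at END CERTIFICATE."""
    return (text.startswith("-----BEGIN CERTIFICATE-----")
            and text.endswith("-----END CERTIFICATE-----"))


def idp_settings_from_metadata(xml_text):
    """Map an md:EntityDescriptor to the four Adobe Sign IdP Configuration fields."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % MD:
        raise ValueError("expected an md:EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor (not an IdP)")
    # A KeyDescriptor without a 'use' attribute is valid for both signing and encryption.
    signing = [k for k in idp.findall("md:KeyDescriptor", NS) if k.get("use") in (None, "signing")]
    if not signing:
        raise ValueError("no signing KeyDescriptor: the SP could not verify assertions")
    cert_b64 = signing[0].findtext("ds:KeyInfo/ds:X509Data/ds:X509Certificate", namespaces=NS)
    formats = [f.text.strip() for f in idp.findall("md:NameIDFormat", NS)]
    return {
        "Entity ID/Issuer URL": root.get("entityID"),
        "Logout URL/SLO Endpoint": _endpoint(idp, "SingleLogoutService"),
        "Login URL/SSO Endpoint": _endpoint(idp, "SingleSignOnService"),
        "IdP Certificate": to_pem(cert_b64),
        "emailAddress NameID supported": EMAIL_FORMAT in formats,
    }


# Constructed metadata; the certificate is a placeholder, not a real DER certificate.
_FAKE_CERT_B64 = base64.b64encode(b"constructed placeholder, not a real DER certificate").decode()
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="%s" xmlns:ds="%s" entityID="https://oif.rrassoc.com/fed/idp">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        %s
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="%s" Location="https://oif.rrassoc.com/fed/idp/samlv20/slo/post"/>
    <md:SingleLogoutService Binding="%s" Location="https://oif.rrassoc.com/fed/idp/samlv20/slo/redirect"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="%s" Location="https://oif.rrassoc.com/fed/idp/samlv20/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>""" % (MD, DS, _FAKE_CERT_B64, POST, REDIRECT, REDIRECT)


if __name__ == "__main__":
    for field, value in idp_settings_from_metadata(SAMPLE_METADATA).items():
        print("%s:\n%s\n" % (field, value))
```

Feeding a real metadata document in place of SAMPLE_METADATA gives values that can be pasted straight into the four fields; if the last line of the output reports False, fix the NameID format mapping at the IdP before testing, because Adobe Sign only accepts the email address as the identifier.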

©2016 Adobe Systems Incorporated. All Rights Reserved.

Products mentioned in this document, such as the services of identity providers Microsoft Active Directory Federation, Okta, Onelogin, and Oracle Identity Federation, and Salesforce software retain all of the copyrights and trademark rights of their specific corporations.

 

Last Updated: June 23, 2016

This work is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 Unported License  Twitter™ and Facebook posts are not covered under the terms of Creative Commons.
