What's New
Get Started
- Quick start guide for administrators
- Quick start guide for users
- For Developers
- Video tutorial library
- FAQ
Administer
- Admin Console Overview
- User Management
- Adding users
- Create function-focused users
- Check for users with provisioning errors
- Change Name/Email Address
- Edit a user's group membership
- Edit a user's group membership through the group interface
- Promote a user to an admin role
- User Identity Types and SSO
- Switch User Identity
- Authenticate Users with MS Azure
- Authenticate Users with Google Federation
- Product Profiles
- Login Experience
- Account/Group Settings
- Settings Overview
- Global Settings
- Account tier and ID
- New Recipient Experience
- Self Signing Workflows
- Send in Bulk
- Web Forms
- Custom Send Workflows
- Power Automate Workflows
- Library Documents
- Collect form data with agreements
- Limited Document Visibility
- Attach a PDF copy of the signed agreement
- Include a link in the email
- Include an image in the email
- Files attached to email will be named as
- Attach audit reports to documents
- Merge multiple documents into one
- Download individual documents
- Upload a signed document
- Delegation for users in my account
- Allow external recipients to delegate
- Authority to sign
- Authority to send
- Power to add Electronic Seals
- Set a default time zone
- Set a default date format
- Users in Multiple Groups (UMG)
- Group Administrator Permissions
- Replace recipient
- Audit Report
- Transaction Footer
- In Product Messaging and Guidance
- Accessible PDFs
- New authoring experience
- Healthcare customer
- Account Setup
- Add logo
- Customize company Hostname/URL
- Add company name
- Post agreement URL redirect
- Signature Preferences
- Well formatted signatures
- Allow recipients to sign by
- Signers can change their name
- Allow recipients to use their saved signature
- Custom Terms of Use and Consumer Disclosure
- Navigate recipients through form fields
- Restart agreement workflow
- Decline to sign
- Allow Stamps workflows
- Require signers to provide their Title or Company
- Allow signers to print and place a written signature
- Show messages when e-signing
- Require signers to use a mobile device to create their signature
- Request IP address from signers
- Exclude company name and title from participation stamps
- Digital Signatures
- Electronic Seals
- Digital Identity
- Report Settings
- New report experience
- Classic report settings
- Security Settings
- Single Sign-on settings
- Remember-me settings
- Login password policy
- Login password strength
- Web session duration
- PDF encryption type
- API
- User and group info access
- Allowed IP Ranges
- Account Sharing
- Account sharing permissions
- Agreement sharing controls
- Signer identity verification
- Agreement signing password
- Document password strength
- Block signers by Geolocation
- Phone Authentication
- Knowledge-Based Authentication (KBA)
- Allow page extraction
- Document link expiration
- Upload a client certificate for webhooks/callbacks
- Timestamp
- Send settings
- Show Send page after login
- Require recipient name when sending
- Lock name values for known users
- Allowed recipient roles
- Allow e-Witnesses
- Recipient groups
- Required fields
- Attaching documents
- Field flattening
- Modify Agreements
- Agreement name
- Languages
- Private messages
- Allowed signature types
- Reminders
- Signed document password protection
- Send Agreement Notification through
- Signer identification options
- Content Protection
- Enable Notarize transactions
- Document Expiration
- Preview, position signatures, and add fields
- Signing order
- Liquid mode
- Custom workflow controls
- Upload options for the e-sign page
- Post-sign confirmation URL redirect
- Message Templates
- Bio-Pharma Settings
- Workflow Integration
- Notarization Settings
- Payments Integration
- Signer Messaging
- SAML Settings
- SAML Configuration
- Install Microsoft Active Directory Federation Service
- Install Okta
- Install OneLogin
- Install Oracle Identity Federation
- SAML Configuration
- Data Governance
- Time Stamp Settings
- External Archive
- Account Languages
- Email Settings
- Migrating from echosign.com to adobesign.com
- Configure Options for Recipients
- Guidance for regulatory requirements
- Accessibility
- HIPAA
- GDPR
- 21 CFR part 11 and EudraLex Annex 11
- Healthcare customers
- IVES support
- "Vaulting" agreements
- EU/UK considerations
- Download Agreements in Bulk
- Claim your domain
- Report Abuse links
Send, Sign, and Manage Agreements
- Recipient Options
- Cancel an email reminder
- Options on the e-signing page
- Overview of the e-sign page
- Open to read the agreement without fields
- Decline to sign an agreement
- Delegate signing authority
- Restart the agreement
- Download a PDF of the agreement
- View the agreement history
- View the agreement messages
- Convert from an electronic to a written signature
- Convert from a written to an electronic signature
- Navigate the form fields
- Clear the data from the form fields
- E-sign page magnification and navigation
- Change the language used in the agreement tools and information
- Review the Legal Notices
- Adjust Acrobat Sign Cookie Preferences
- Send Agreements
- Authoring fields into documents
- In-app authoring environment
- Create forms with text tags
- Create forms using Acrobat (AcroForms)
- Fields
- Authoring FAQ
- Sign Agreements
- Manage Agreements
- Manage page overview
- Delegate agreements
- Replace Recipients
- Limit Document Visibility
- Cancel an Agreement
- Create new reminders
- Review reminders
- Cancel a reminder
- Access Power Automate flows
- More Actions...
- How search works
- View an agreement
- Create a template from an agreement
- Hide/Unhide agreements from view
- Upload a signed agreement
- Modify a sent agreement's files and fields
- Edit a recipient's authentication method
- Add or modify an expiration date
- Add a Note to the agreement
- Share an individual agreement
- Unshare an agreement
- Download an individual agreement
- Download the individual files of an agreement
- Download the Audit Report of an agreement
- Download the field content of an agreement
- Audit Report
- Reporting and Data exports
- Overview
- Grant users access to reporting
- Report charts
- Data Exports
- Rename a report/export
- Duplicate a report/export
- Schedule a report/export
- Delete a report/export
- Check Transaction Usage
Advanced Agreement Capabilities and Workflows
- Webforms
- Reusable Templates (Library templates)
- Transfer ownership of web forms and library templates
- Power Automate Workflows
- Overview of the Power Automate integration and included entitlements
- Enable the Power Automate integration
- In-Context Actions on the Manage page
- Track Power Automate usage
- Create a new flow (Examples)
- Triggers used for flows
- Importing flows from outside Acrobat Sign
- Manage flows
- Edit flows
- Share flows
- Disable or Enable flows
- Delete flows
- Useful Templates
- Administrator only
- Agreement archival
- Webform agreement archival
- Save completed web form documents to SharePoint Library
- Save completed web form documents to OneDrive for Business
- Save completed documents to Google Drive
- Save completed web form documents to Box
- Agreement data extraction
- Agreement notifications
- Send custom email notifications with your agreement contents and signed agreement
- Get your Adobe Acrobat Sign notifications in a Teams Channel
- Get your Adobe Acrobat Sign notifications in Slack
- Get your Adobe Acrobat Sign notifications in Webex
- Agreement generation
- Generate document from Power App form and Word template, send for signature
- Generate agreement from Word template in OneDrive, and get signature
- Generate agreement for selected Excel row, send for review and signature
- Custom Send workflows
- Share users and agreements
Integrate with other products
- Acrobat Sign integrations overview
- Acrobat Sign for Salesforce
- Acrobat Sign for Microsoft
- Other Integrations
- Partner managed integrations
- How to obtain an integration key
Acrobat Sign Developer
- REST APIs
- Webhooks
Support and Troubleshooting
Overview
The Adobe Acrobat Sign Digital Identity Gateway allows organizations to select from a wide variety of pre-configured third-party digital identity providers (IDP) and leverage the type of identity verification that best suits their functional, security, or compliance needs. IDP services for user authentication, signer identity verification, and identity federation solutions utilize the standard OpenID Connect (OIDC) authentication protocol to integrate with Acrobat Sign. Depending on the IDP selected, the service may include:
- Video identity verification
- Electronic identity (eID) authentication
- Identity document confirmation
- Knowledge-based authentication (KBA)
- Biometric identification, authentication
Many of the IDP services meet NIST 800-63A/B/C standards for multi-factor authentication solutions up to AAL3, identity verification options up to IAL3, as well as federation assertion up to FAL3. Some IDP services also meet up to ISO 29115 LoA4 and/or EU Regulation 910/2014 (eIDAS) up to LoA High.
All IDP services require a commercial contract and configuration with the provider prior to use along with ongoing monitoring to ensure that your organization maintains a sufficient volume of IDP service transactions for your use cases.
Procurement, consumption, and reporting of authentication transactions
Identity providers are not included in the Acrobat Sign licensing, and Adobe does not provide a commercial channel to procure identification services from the various IDPs that can be configured.
It is incumbent upon the customer to acquire and maintain a sufficient volume of identity transactions with the IDP of their choice.
The IDP will provide clear guidance on how transactions are consumed and billed and report consumption/availability directly to the customer.
Recipient experience
Through the Acrobat Sign signature process, the customer is delivered a Review and Sign email like any other agreement.
When the recipient selects the Review and sign button to open the agreement, they are presented with an information dialogue indicating that identity verification is required to access the document. Depending on the configured settings, the customer will see:
- A high-level summary of the verification process.
- The name and logo of the IDP that performs the identity verification.
- An email and phone number to contact the IDP's Support if there is an issue with the verification process.
- The email address of the Acrobat Sign user that sent the agreement, in case the recipient needs to contact them.
- A statement that the recipient's identity data will be stored in the Signer Identity Report (if the Sender's account is configured to do so).
- A warning message about the number of remaining verification attempts available to the recipient before the agreement is canceled. This message appears only after the recipient has tried the identification process and failed.
- The Verify Identity button triggers the verification process by opening a pop-up screen and handing the process over to the IDP.
- The recipient's experience of the verification process and the type of verification to be done are dependent on the identity provider the Sender selected.
Once the verification process is completed successfully, the recipient is returned to the Acrobat Sign window, and the agreement is presented to their attention.
Sender experience
Choosing the Identity Provider when composing a new agreement
When one or more IDPs are configured and enabled for the Sender’s account or group, users will see the option to select the IDP in the drop-down menu that contains all the authentication methods available to the recipient. Enabled IDPs will be listed under the Digital Identity Gateway section. If no IDPs are enabled, then the Digital Identity Gateway section will not be present, and the user will not see any IDPs.
Mousing over an IDP in the menu list shows a tooltip that provides a short description of the IDP service.
Updating the IDP after the agreement is sent
If a user needs to update the authentication to select a different IDP (or any other authentication method), the user can use the same process to edit the authentication method.
The user is not constrained to select another IDP from the Digital Identity Gateway. Any other enabled authentication method may be selected.
Audit Report
The audit report clearly indicates that the recipient was verified by an Identity Provider from the Digital Identity Gateway and specifies which IDP was involved and a description of their service:
Signer Identity Report (SIR)
By default, Acrobat Sign does not retain the identity information returned by the IDP. However, account and group administrators can enable the option to save the identity information on Acrobat Sign servers.
Additionally, admins can configure, at the account and group level, the option for users to download the Identity Report on the Manage page from the list of available actions.
The Signer Identity Report contains all of the identity information returned by the IDP when the identity verification transaction succeeds, as well as relevant data when a transaction fails. Content varies depending on the vendor and authentication method. Common data includes:
- Reference ID: A unique identifier of the transaction that occurred at the IDP end. Useful for Support requests as well as forensic analysis.
- sub (Subject Identifier): Provides a unique identifier for the recipient in the context of the IDP system.
- ID Token Raw value: Provides an assertion signed by the IDP containing the result of the identification process. Proof that the identity was verified in the context of the current transaction.
For more information on the Signer Identity Report, consult this page >
Configuration access to use IDPs as identity verification
Enable the authentication method under the Digital Identity tab in the admin menu.
There are three high-level settings in this view, with the full list of available IDPs populating at the bottom of the page.
- Digital Identity Gateway - This setting is the gate that allows access to digital identity services.
- Allow signers X attempts to validate their signature before canceling the agreement - Any recipient that violates the maximum number of attempts to validate their identity cancels the agreement automatically.
- The maximum number of attempts is ten
- Understand the nature of your IDP's transaction consumption policy when setting this value. Some vendors charge per attempt.
- Store verified identity data to allow Signer Identity Reports
- When enabled, the identity verification information is stored on Acrobat Sign servers and can be retrieved using the SIR.
- When disabled, the identity information is not stored on the Acrobat Sign servers.
- Data collection starts as soon as the setting is enabled and saved. Likewise, data collection stops as soon as the setting is disabled and saved.
- Data that is not collected at the time the recipient is vetted cannot be gathered at a later time.
- Allow signers X attempts to validate their signature before canceling the agreement - Any recipient that violates the maximum number of attempts to validate their identity cancels the agreement automatically.
When the Digital Identity Gateway is enabled, the identity authentication method for internal recipients via the Digital Identity Gateway is enabled also. This option may not be disabled while the Digital Identity Gateway is enabled.
It is not possible to configure different IDPs for external and internal recipients. All options available in the Digital Identity interface are available for both types of recipients.
Related controls
There are two additional settings to review if you intend to allow users to download the Signer Identity Report:
Configuring the individual IDPs
At the bottom of the Digital Identity page are the IDP "cards." Each card represents one or more authentication methods from the IDP.
To enable an IDP card, click the gear icon:
The Adobe Okta IDP is used in this documentation for example purposes only. Customers do not have access to this IDP.
One IDP can be configured at the account and/or group level, depending on your needs. The interface changes slightly to provide context about the inheriting status of the group level setting:
At the account level, the interface only requires the Enable this service for verification checkbox to be enabled:
If the Enable this service for verification checkbox is unchecked and the line is greyed out when viewing an IDP configuration at the group level, the account level IDP service is unconfigured.
The group-level configuration can be enabled by checking the Override account settings with group level configuration checkbox.
If the Enable this service for verification checkbox is unchecked when viewing an IDP configuration at the group level, the account level IDP service is configured.
The group-level configuration can be enabled and defined with group-specific parameters by checking the Override account settings with group level configuration checkbox.
When the Enable this service for verification and Override account settings with group level configuration checkboxes are checked, the IDP service is configured explicitly for the group.
The IDP configuration requirements depend on the authentication method the IDP uses:
Basic Authentication requires two elements that your IDP will provide to you:
- The Client ID
- The Client Secret
Save the configuration when done.
Private Key JWT requires three elements that will be provided to you by your IDP:
- The Client ID
- The signing certificate (in .p12 or .pfx format).
- The password used to secure the signing certificate.
Save the configuration when done.
Client Secret Post Authentication requires two elements that your IDP will provide to you:
- The Client ID
- The Client Secret
Save the configuration when done.
Client Secret JWT Authentication requires two elements that your IDP will provide to you:
- The Client ID
- The Client Secret
Save the configuration when done.
Disable/Enable a configured IDP
The IdP service can be disabled without deleting the configuration information on the IDP card by pressing the checkbox icon in the upper left corner and saving the page configuration. Disabling an IDP service this way preserves the configuration information in the event that you need to re-enable the IDP at a later time.
Disabling an IDP service this way does not produce a challenge since information is lost, and the service can quickly be re-enabled by pressing the checkbox again and saving the page configuration.
Deleting the IDP configuration
An IdP configuration can be deleted directly from the Digital Identity panel by pressing the trashcan icon on the IdP card.
A dialog will challenge the administrator to confirm that the configuration should be deleted.
This dialog also warns about the impact on recipients that have not yet completed their authentication with the IDP.
If the IDP configuration is deleted or the service is disabled, an error will be shown to the recipient when they try to verify their identity.
Things to know
If the IDP service is disabled for any reason when a recipient attempts to verify their identity, an error is produced that provides a basic message that the service is disabled and instruction to contact the agreement sender. The sender's email address is provided.
Senders that are notified of a problem with the IDP service may need to change the authentication method to a new IDP or some other acceptable method.