Overview
The Adobe Acrobat Sign Digital Identity Gateway allows organizations to select from a wide variety of pre-configured third-party digital identity providers (IDP) and leverage the type of identity verification that best suits their functional, security, or compliance needs. IDP services for user authentication, signer identity verification, and identity federation solutions utilize the standard OpenID Connect (OIDC) authentication protocol to integrate with Acrobat Sign. Depending on the IDP selected, the service may include:
- Video identity verification
- Electronic identity (eID) authentication
- Identity document confirmation
- Knowledge-based authentication (KBA)
- Biometric identification and authentication
Many of the IDP services meet NIST 800-63A/B/C standards for multi-factor authentication solutions up to AAL3, identity verification options up to IAL3, as well as federation assertion up to FAL3. Some IDP services also meet up to ISO 29115 LoA4 and/or EU Regulation 910/2014 (eIDAS) up to LoA High.
All IDP services require a commercial contract and configuration with the provider prior to use along with ongoing monitoring to ensure that your organization maintains a sufficient volume of IDP service transactions for your use cases.
Procurement, consumption, and reporting of authentication transactions
Identity providers are not included in the Acrobat Sign licensing, and Adobe does not provide a commercial channel to procure identification services from the various IDPs that can be configured.
It is incumbent upon the customer to acquire and maintain a sufficient volume of identity transactions with the IDP of their choice.
The IDP will provide clear guidance on how transactions are consumed and billed and report consumption/availability directly to the customer.
Recipient experience
Through the Acrobat Sign signature process, the customer receives a Review and Sign email, as with any other agreement.
When the recipient selects the Review and sign button to open the agreement, they are presented with an information dialogue indicating that identity verification is required to access the document. Depending on the configured settings, the customer will see:
- A high-level summary of the verification process.
- The name and logo of the IDP that performs the identity verification.
- An email and phone number to contact the IDP's Support if there is an issue with the verification process.
- The email address of the Acrobat Sign user that sent the agreement, in case the recipient needs to contact them.
- A statement that the recipient's identity data will be stored in the Signer Identity Report (if the Sender's account is configured to do so).
- A warning message about the number of remaining verification attempts available to the recipient before the agreement is canceled. This message appears only after the recipient has tried the identification process and failed.
- The Verify Identity button triggers the verification process by opening a pop-up screen and handing the process over to the IDP.
- The recipient's experience of the verification process and the type of verification to be done are dependent on the identity provider the Sender selected.
Once the verification process is completed successfully, the recipient is returned to the Acrobat Sign window, and the agreement is presented to them.
Sender experience
Choosing the Identity Provider when composing a new agreement
When one or more IDPs are configured and enabled for the Sender’s account or group, users will see the option to select the IDP in the drop-down menu that contains all the authentication methods available to the recipient. Enabled IDPs will be listed under the Digital Identity Gateway section. If no IDPs are enabled, then the Digital Identity Gateway section will not be present, and the user will not see any IDPs.
Mousing over an IDP in the menu list shows a tooltip that provides a short description of the IDP service.
Updating the IDP after the agreement is sent
If a user needs to update the authentication to select a different IDP (or any other authentication method), the user can use the same process to edit the authentication method.
The user is not constrained to select another IDP from the Digital Identity Gateway. Any other enabled authentication method may be selected.
Audit Report
The audit report clearly indicates that the recipient was verified by an Identity Provider from the Digital Identity Gateway and specifies which IDP was involved and a description of their service.
Signer Identity Report (SIR)
By default, Acrobat Sign does not retain the identity information returned by the IDP. However, account and group administrators can enable the option to save the identity information on Acrobat Sign servers.
Additionally, admins can configure, at the account and group level, the option for users to download the Identity Report on the Manage page from the list of available actions.
The Signer Identity Report contains all of the identity information returned by the IDP when the identity verification transaction succeeds, as well as relevant data when a transaction fails. Content varies depending on the vendor and authentication method. Common data includes:
- Reference ID: A unique identifier of the transaction that occurred at the IDP end. Useful for Support requests as well as forensic analysis.
- sub (Subject Identifier): Provides a unique identifier for the recipient in the context of the IDP system.
- ID Token Raw value: Provides an assertion signed by the IDP containing the result of the identification process. Proof that the identity was verified in the context of the current transaction.
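An OIDC ID token is a JWT, so the ID Token Raw value kept in a Signer Identity Report can be re-checked offline during a forensic review. The following is an added example, not Adobe's code or part of the original page; it assumes an RS256 token, and the function names, issuer, audience, key and sample values are constructed for the illustration.

```python
import base64, hashlib, json

# ASN.1 DigestInfo prefix for SHA-256 (RFC 8017, section 9.2).
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

def b64u_dec(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def b64u_enc(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def pkcs1_em(msg, n):
    """EMSA-PKCS1-v1_5 encoding of SHA-256(msg), sized to the modulus n."""
    t = SHA256_PREFIX + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * ((n.bit_length() + 7) // 8 - len(t) - 3) + b"\x00" + t

def check_id_token(raw, n, e, iss, aud, sir_sub, verified_at):
    """Verify as RS256 whatever the header says; return findings (empty = consistent)."""
    try:
        h64, p64, s64 = raw.split(".")
        header, claims = (dict(json.loads(b64u_dec(x))) for x in (h64, p64))
        sig = int.from_bytes(b64u_dec(s64), "big")
    except (ValueError, TypeError):
        return ["malformed token"]
    em = int.from_bytes(pkcs1_em(f"{h64}.{p64}".encode(), n), "big")
    auds = claims.get("aud")
    checks = [
        (header.get("alg") == "RS256", "unexpected alg"),
        (sig < n and pow(sig, e, n) == em, "signature invalid"),
        (claims.get("iss") == iss, "issuer mismatch"),
        (aud in (auds if isinstance(auds, list) else [auds]), "audience mismatch"),
        (claims.get("sub") == sir_sub, "sub differs from report"),
        # An archived token is long expired: compare with the verification time, not now.
        (claims.get("iat", float("inf")) <= verified_at <= claims.get("exp", 0),
         "verification time outside iat..exp"),
    ]
    return [msg for ok, msg in checks if not ok]

# Constructed demo key (two Mersenne primes) and stand-in IDP signer; insecure, example only.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))

def make_token(claims):
    head = b64u_enc(b'{"alg":"RS256","typ":"JWT"}')
    msg = head + "." + b64u_enc(json.dumps(claims).encode())
    em = int.from_bytes(pkcs1_em(msg.encode(), N), "big")
    return msg + "." + b64u_enc(pow(em, D, N).to_bytes((N.bit_length() + 7) // 8, "big"))

TOKEN = make_token({"iss": "https://idp.example", "aud": "sign-client",
                    "sub": "user-8431", "iat": 1700000000, "exp": 1700000300})
```

In a real review the modulus and exponent come from the IDP's published signing key, and `verified_at` from the verification time recorded for the agreement.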
Configuration access to use IDPs as identity verification
Enable the authentication method under the Digital Identity tab in the admin menu.
There are three high-level settings in this view, with the full list of available IDPs populating at the bottom of the page.
- Digital Identity Gateway - This setting is the gate that allows access to digital identity services.
- Allow signers X attempts to validate their signature before canceling the agreement - When a recipient exceeds the maximum number of attempts to validate their identity, the agreement is canceled automatically.
  - The maximum number of attempts is ten.
  - Understand the nature of your IDP's transaction consumption policy when setting this value. Some vendors charge per attempt.
- Store verified identity data to allow Signer Identity Reports
  - When enabled, the identity verification information is stored on Acrobat Sign servers and can be retrieved using the SIR.
  - When disabled, the identity information is not stored on the Acrobat Sign servers.
  - Data collection starts as soon as the setting is enabled and saved. Likewise, data collection stops as soon as the setting is disabled and saved.
  - Data that is not collected at the time the recipient is vetted cannot be gathered at a later time.
When the Digital Identity Gateway is enabled, the identity authentication method for internal recipients via the Digital Identity Gateway is also enabled. This option may not be disabled while the Digital Identity Gateway is enabled.
It is not possible to configure different IDPs for external and internal recipients. All options available in the Digital Identity interface are available for both types of recipients.
Related controls
There are two additional settings to review if you intend to allow users to download the Signer Identity Report:
Configuring the individual IDPs
At the bottom of the Digital Identity page are the IDP "cards." Each card represents one or more authentication methods from the IDP.
To enable an IDP card, click the gear icon.
The Adobe Okta IDP is used in this documentation for example purposes only. Customers do not have access to this IDP.
One IDP can be configured at the account and/or group level, depending on your needs. The interface changes slightly to provide context about the inheritance status of the group-level setting.
The IDP configuration requirements depend on the authentication method the IDP uses:
Disable/Enable a configured IDP
The IDP service can be disabled without deleting the configuration information on the IDP card by pressing the checkbox icon in the upper left corner and saving the page configuration. Disabling an IDP service this way preserves the configuration information in the event that you need to re-enable the IDP at a later time.
Disabling an IDP service this way does not produce a challenge since no information is lost, and the service can quickly be re-enabled by pressing the checkbox again and saving the page configuration.
Deleting the IDP configuration
An IDP configuration can be deleted directly from the Digital Identity panel by pressing the trashcan icon on the IDP card.
A dialog will challenge the administrator to confirm that the configuration should be deleted.
This dialog also warns about the impact on recipients that have not yet completed their authentication with the IDP.
If the IDP configuration is deleted or the service is disabled, an error will be shown to the recipient when they try to verify their identity.
Things to know
If the IDP service is disabled for any reason when a recipient attempts to verify their identity, the recipient sees an error with a basic message that the service is disabled and instructions to contact the agreement sender. The sender's email address is provided.
Senders who are notified of a problem with the IDP service may need to change the authentication method to a new IDP or some other acceptable method.