Enable single sign-on with SAML

Adobe Acrobat Sign includes SAML authentication for customers that want a federated login system.

Note:

The below document pertains to customer accounts that manage their user licensing directly within the Acrobat Sign application.

Customers that manage user entitlement in the Adobe Admin Console must follow a different process found here.


Introduction

The identity federation standard Security Assertion Markup Language (SAML) 2.0 enables the secure exchange of user authentication data between web applications and identity service providers.

When you use the SAML 2.0 protocol to enable single sign-on (SSO), security tokens containing assertions pass information about an end user (principal) between a SAML authority, the identity provider (IdP), and a SAML consumer, the service provider (SP).

Acrobat Sign, acting as the service provider (SP), supports single sign-on through SAML using external identity providers (IdPs) such as Okta, OneLogin, Oracle Federated Identity (OIF), and Microsoft Active Directory Federation Service. Acrobat Sign is compatible with all external IdPs that support SAML 2.0.

More information on integrating with these identity providers (IdPs) can be found in the following guides:

You can also configure Acrobat Sign for single sign-on (SSO) with other systems already used in your organization, for example, Salesforce.com, or other providers that support SAML 2.0.

Acrobat Sign uses federated authentication as opposed to delegated authentication. Federated authentication does not validate the user's actual password in Acrobat Sign. Instead, Acrobat Sign receives a SAML assertion in an HTTP POST request. Acrobat Sign also supports encrypted assertions.

The SAML assertion has a limited validity period, contains a unique identifier, and is digitally signed. If the assertion is still within its validity period, has an identifier that has not been used before, and has a valid signature from a trusted identity provider, the user is granted access to Acrobat Sign.
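As an added example (not Adobe's code), the following Python applies the acceptance rules just described to a constructed assertion: validity window with clock skew, single-use assertion ID, trusted issuer, audience, email-format NameID, and a signing certificate pinned to the pasted IdP Certificate. The issuer URL and certificate bytes are placeholders; http://echosign.com is the relying-party identifier this guide uses later, and rrassoc.com is the guide's example domain. Verifying the XML signature value itself is left to an XML-DSig library.

```python
# Added example, not Adobe code: the acceptance checks described above, applied to
# a constructed SAML 2.0 assertion using only the Python standard library.
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
EMAIL_NAMEID = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
SAML_TIME = "%Y-%m-%dT%H:%M:%SZ"

# What the SP keeps on file. The audience is the relying-party identifier used in
# this guide; the issuer URL and certificate bytes are constructed placeholders.
TRUSTED_ISSUER = "http://adfs.rrassoc.com/adfs/services/trust"
EXPECTED_AUDIENCE = "http://echosign.com"
TRUSTED_IDP_CERT_DER = b"placeholder for the DER of the IdP token-signing certificate"
CLOCK_SKEW = timedelta(minutes=3)


def parse_saml_time(value: str) -> datetime:
    """SAML timestamps are UTC ISO 8601 with a 'Z' suffix."""
    value = value.strip()
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    return datetime.fromisoformat(value).astimezone(timezone.utc)


def validate_assertion(xml_text: str, seen_ids: set, now: datetime) -> list:
    """Reasons to reject the assertion (empty list = accept); seen_ids is the replay cache."""
    problems = []
    root = ET.fromstring(xml_text)
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != TRUSTED_ISSUER:  # must be the configured Entity ID/Issuer URL
        problems.append("untrusted issuer %r" % issuer)
    assertion_id = root.get("ID", "")
    if not assertion_id or assertion_id in seen_ids:  # each ID is consumed once
        problems.append("missing or replayed assertion ID %r" % assertion_id)
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        problems.append("missing Conditions")
    else:
        not_before, not_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if not_before and now < parse_saml_time(not_before) - CLOCK_SKEW:
            problems.append("assertion not yet valid")
        if not not_after:
            problems.append("no NotOnOrAfter: validity period is unbounded")
        elif now >= parse_saml_time(not_after) + CLOCK_SKEW:
            problems.append("assertion expired")
        audiences = [a.text.strip() for a in
                     cond.findall("saml:AudienceRestriction/saml:Audience", NS) if a.text]
        if EXPECTED_AUDIENCE not in audiences:
            problems.append("audience %s does not name this SP" % audiences)
    name_id = root.find("saml:Subject/saml:NameID", NS)  # unique identifier = email
    if (name_id is None or name_id.get("Format") != EMAIL_NAMEID
            or "@" not in (name_id.text or "")):
        problems.append("NameID is not an email address")
    signature = root.find("ds:Signature", NS)
    if signature is None:
        problems.append("assertion is not signed")
    else:
        cert_b64 = signature.findtext("ds:KeyInfo/ds:X509Data/ds:X509Certificate",
                                      default="", namespaces=NS)
        try:
            der = base64.b64decode("".join(cert_b64.split()), validate=True)
        except ValueError:
            der = b""
        if der != TRUSTED_IDP_CERT_DER:  # pinned to the pasted IdP Certificate
            problems.append("signing certificate is not the trusted IdP certificate")
        # The SignatureValue itself must additionally be verified with an XML-DSig
        # library (e.g. xmlsec); that cryptographic step is outside this example.
    if not problems:
        seen_ids.add(assertion_id)
    return problems


def build_assertion(assertion_id: str, issued: datetime) -> str:
    """Constructed sample shaped like what an IdP POSTs to the Assertion Consumer URL."""
    cert_b64 = base64.b64encode(TRUSTED_IDP_CERT_DER).decode("ascii")
    expires = (issued + timedelta(minutes=5)).strftime(SAML_TIME)
    return (
        '<saml:Assertion xmlns:saml="%s" xmlns:ds="%s" ID="%s" Version="2.0">'
        "<saml:Issuer>%s</saml:Issuer><ds:Signature><ds:SignatureValue>placeholder"
        "</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>%s"
        "</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>"
        '<saml:Subject><saml:NameID Format="%s">susan@rrassoc.com</saml:NameID></saml:Subject>'
        '<saml:Conditions NotBefore="%s" NotOnOrAfter="%s"><saml:AudienceRestriction>'
        "<saml:Audience>%s</saml:Audience></saml:AudienceRestriction></saml:Conditions>"
        "</saml:Assertion>"
    ) % (NS["saml"], NS["ds"], assertion_id, TRUSTED_ISSUER, cert_b64, EMAIL_NAMEID,
         issued.strftime(SAML_TIME), expires, EXPECTED_AUDIENCE)


def demo() -> dict:
    """Run the checks over a fresh, a replayed and an expired assertion."""
    seen, now = set(), datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)
    fresh = build_assertion("_id-constructed-001", now - timedelta(seconds=30))
    stale = build_assertion("_id-constructed-002", now - timedelta(hours=1))
    return {"fresh": validate_assertion(fresh, seen, now),
            "replay": validate_assertion(fresh, seen, now),
            "expired": validate_assertion(stale, seen, now)}
```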

A summary of the Acrobat Sign authentication specification (standard name and value):

  • Federation Protocol: SAML 2.0
  • Federation Profile: Browser Post
  • Federation Unique Identifier: Email Address
  • Relay State: Not needed. Acrobat Sign has the logic to know where to point the user after they are authenticated.


Prerequisites

To enable SSO, your corporate network must support the SAML 2.0 protocol. If your corporate network does not support SAML, contact Adobe Acrobat Sign Support to discuss other options to enable Single Sign On in your account.

Before beginning to set up SAML SSO, you must do the following:

  • Claim and establish your Domain Name (For the examples in this guide, this will be rrassoc.com.)
  • Enable SAML for your domain using a provider such as Microsoft Active Directory Federation, Okta, OneLogin, Oracle Identity Federation, or others. You may need to open an Acrobat Sign support ticket to get your domain enabled from the backend.
  • Create or verify that you have an administrator account with your IdP using an email address.
    • If you do not have an Okta account, you can create a free Okta Developer Edition organization using this link: https://www.okta.com/developer/signup/
    • If you do not have a OneLogin account, you can create a free trial account using this link: https://www.onelogin.com/ and clicking the FREE TRIAL button in the upper right corner.
  • (Optional) Add an additional email ID for user provisioning in both IdP and SP. This will allow you to add more users who can log in to Acrobat Sign with their SSO credentials.
  • (Required) Verify that you have an admin user for Acrobat Sign and an admin user for the IdP.
  • (Optional) Create or verify that you have an Acrobat Sign administrator account that uses the same email address as the account for your IdP (For the examples in this guide, this email address will be susan@rrassoc.com.) This will make it easier for you to administer the accounts.
  • In Acrobat Sign, set your SAML Mode to “SAML Allowed” (See Working with the SAML Settings for more information.)
Note:

When setting up SAML SSO, we recommend that you set the SAML Mode to SAML Allowed until the entire setup process is complete and you’ve verified it is working correctly. Once verified, you can change the SAML Mode to SAML Mandatory.


Enabling Single Sign On using SAML

At a high level, enabling SAML SSO between Acrobat Sign (the SP) and your IdP involves the following steps:

1. If required (by your IdP), set up your IdP using the Acrobat Sign Service Provider (SP) Information

2. Set up Acrobat Sign using information from your IdP

3. Verify that the SAML SSO has been properly set up

Navigate to Account > Account Settings > SAML Settings

To view the options for User Creation, Login Page Customization, Identity Provider (IdP) Configuration, and Acrobat Sign Service Provider (SP) Information, scroll to the bottom of the SAML Settings page. 


SAML Mode Settings

In Acrobat Sign, there are three SAML Mode options and one additional option that works with the SAML Mandatory option.

  • SAML Disabled—Disables SAML authentication for the account. When selected, the rest of the SAML configuration page becomes inaccessible.
  • SAML Allowed— This option allows users to authenticate to Acrobat Sign by both SAML and the native Acrobat Sign authentication
  • SAML Mandatory—Requires that all users authenticate to Acrobat Sign with SAML SSO
    • Allow Acrobat Sign Account Administrators to log in using their Acrobat Sign Credentials - When SAML Mandatory is enabled, this option allows Acrobat Sign administrators to be an exception to the SAML rule and authenticate with Acrobat Sign native authentication.
      • Admins authenticated using their Acrobat Sign credentials will need to log out twice to log out of the service through the UI controls.  (After a successful logout, the admin is taken to their IdP, and because they are logged in to the IdP, the admin gets redirected back to Acrobat Sign and is logged in.)

It is strongly recommended that you set the SAML Mode to SAML Allowed until you’ve verified your SAML SSO is working as expected.


Hostname

The Hostname is your domain name. (See Prerequisites above.) When entered, your hostname becomes part of the Assertion Consumer URL, the Single Log Out (SLO) URL, and the Single Sign-On (Login) URL.


User Creation Settings

Only the first of the two User Creation settings is directly connected with SAML Setup. The second setting pertains to all pending users, whether or not they are added as a result of authenticating through SAML.

  • Automatically add users authenticated through SAML—If this option is enabled, users who are authenticated through your IdP are automatically added as pending users in Acrobat Sign
  • Automatically make pending users in my account active—If the Require signers in my account to log in to Acrobat Sign before signing setting (Security Settings > Signer Identity Verification), is enabled, this setting should also be enabled. When a signature is requested from a new user, this user is created as a pending user in your account. If this option is not enabled, these users are prevented from signing agreements sent to them for signature
  • Allow users who authenticate with SAML to change their email address in their profile - Enable this option to allow your users to change the email address on their Acrobat Sign profile


Login Page Customization Settings

You can customize the sign-on message that users see on the Acrobat Sign Sign In page when SAML Single Sign On is enabled. 

  • Single Sign On Login Message— Enter a message to display above the SSO Sign In button on the Acrobat Sign Sign In page
  • Place the SAML login button at the top of the page when other login options are available - When enabled, the SSO login button will be placed above any other authentication method enabled

Identity Provider (IdP) Configuration Within Acrobat Sign

To set up most IdPs, except as noted for Okta, you must enter information from your IdP into the IdP configuration fields in Acrobat Sign.

  • Entity ID/Issuer URL—This value is provided by the IdP to uniquely identify your domain.
  • Login URL/SSO Endpoint—The URL that Acrobat Sign will call to request a user login from the IdP.  The IdP is responsible for authenticating and logging the user in.
  • Logout URL/SLO Endpoint—When someone logs out of Acrobat Sign, this URL is called to log them out of the IdP as well.
  • IdP Certificate—The authentication certificate issued by your IdP.


Acrobat Sign SAML Service Provider (SP) Information

The SP information section displays the default information for Acrobat Sign. Once you’ve entered and saved your hostname and IdP Configuration information, the information in the SP information section is updated to include your hostname.

(In our example, https://secure.na1.adobesign.com/public/samlConsume becomes https://caseyjonez.na1.adobesign.com/public/samlConsume.)

The SP Information provided is as follows:

  • Entity ID/SAML Audience—A URL that describes the entity that is expected to receive the SAML message. In this case, it is the URL for Acrobat Sign
  • SP Certificate—Some providers require a certificate to be used to identify the Service Provider. The link in this view points to the Acrobat Sign Service Provider certificate
  • Assertion Consumer URL— This is the callback that the IdP will send to tell Acrobat Sign to log in a user
  • Single Log Out (SLO) URL—The URL that users are redirected to when they log out
  • Single Sign-On (Login) URL— This is the URL that the IdP will send login requests to


Microsoft Active Directory Federation Services Configuration

Overview

This document describes the process for setting up Single Sign On for Acrobat Sign using Microsoft Active Directory Federation Service. Before proceeding, please review the Acrobat Sign Single Sign On Using SAML Guide, which describes the SAML set up process and provides detailed information on the SAML Settings in Acrobat Sign.

The process of setting up SAML SSO includes the following:

  • Installing the Active Directory Domain Service
  • Installing the Active Directory Federation Service
  • Creating a Test User
  • Adding Acrobat Sign as a relying party


Installing the Active Directory Domain Service

Before configuring SAML for MSAD, you must install the Active Directory Domain Service if it is not already installed. You must have system administrator privileges in Windows Server to install Active Directory Domain Services. 


Installing the Active Directory Federation Service

1. If required, launch the Server Manager, then click Dashboard.

2. In the Dashboard, click Add roles and features. The Add Roles and Features Wizard displays.

3. In the Select installation type dialog, select Role-based or feature-based installation, then click Next.

4. In the Select destination server dialog of the wizard, leave the Select a server from the server pool option enabled, select a Server Pool, then click Next.

5. In the Select server roles dialog, select Active Directory Federation Services, then click Next.

6. In the Confirm installation selections dialog of the wizard, accept all the defaults by clicking Install.

7. On the post install options, select Create the first federation server in a federation server farm.

8. On the Welcome page, leave the options as is and click Next.

9. In the Connect to Active Directory Domain Services dialog of the wizard, select the Administrator account if not by default, then click Next.

10. In the Specify Service Properties dialog, import the pfx file that you created using the steps defined in the Certificate Creation section, enter a Federation Service Display Name, then click Next.

11. In the Specify Service Account dialog, select Use an existing domain user account or group Managed Service Account. Use Administrator as the service account and provide your administrator password, then click Next.

12. In the Specify Configuration Database dialog, select Create a database on this server using Windows Internal Database, then click Next.

13. In the Review Options dialog, click Next.

14. In the Prerequisite Checks dialog, once the prerequisite check is done, click Configure.

15. In the Results dialog, ignore the warning and click Close.


Adding Acrobat Sign as a relying party

1. From the Apps menu, launch AD Federation Service Management.

2. In the AD FS console, select Authentication Policies then Edit.

3. In the Edit Global Authentication Policy dialog, under both Extranet and Intranet, enable Forms Authentication.

4. In the AD FS console, under Trust Relationships, select Relying Party Trusts and click Add Relying Party Trust. The Add Relying Party Trust wizard displays.

5. In the Select Data Source dialog of the wizard, enable the Enter Data about the relying party manually option, then click Next.

6. In the Specify Display Name dialog, enter a Display Name, then click Next.

7. In the Choose Profile dialog, enable the AD FS profile option, then click Next.

8. In the Configure Certification dialog there is no certificate to configure, so click Next.

9. In the Configure URL dialog, select Enable support for the SAML 2.0 WebSSO protocol and enter the Assertion Consumer URL from Acrobat Sign, then click Next.

(See the Hostname section of the Single Sign On with SAML Guide for more information about the Assertion Consumer URL.)

10. In the Configure Identifiers dialog, enter http://echosign.com for Relying party trust Identifier and click Add, then click Next.

11. In the next screen, leave the defaults as-is, and click Next.

12. In the Choose Issuance Authorization Rules dialog, confirm that the Permit all users to access the relying party option is enabled.

13. In the Ready to Add Trust dialog, click Next.

14. In the Finish dialog, click Close.

15. In the Edit Claim Rules dialog, click Add Rule.

The Add Transform Claim Rule Wizard displays.

16. In the Select Rule Template dialog of the wizard, select Send LDAP Attributes as Claims from the Claim rule template drop-down.

17. In the Configure Rule dialog, select the options shown in the dialog and click Finish. Acrobat Sign only supports the email address as the unique identifier. You need to select E-Mail Addresses as the LDAP Attribute and E-Mail Address as the Outgoing Claim.

18. When the Select Rule Template dialog of the wizard redisplays, select Send Claims Using a Custom Rule from the Claim rule template drop-down, then click Next.

19. In the Configure Rule dialog, enter the following:

  • Name of rule: enter EmailToNameId
  • Custom rule description: enter the following:

    c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
      => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
               Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType,
               Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
               Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/spnamequalifier"] = "");

20. Click Finish. The Add Transform Claim Rule Wizard closes.

21. Back in the Edit Claim Rules for Acrobat Sign dialog, click the Issuance Authorization Rules tab and the Delegation Authorization Rules tab and ensure that Permit Access to All Users is enabled for both.

If not, add a rule so that Permit Access to All Users is enabled.

22. Click OK to accept all changes and close the Edit Claim Rules for Acrobat Sign dialog.


Adding the Certificate from Acrobat Sign

1. In the AD FS console, under Trust Relationships, select the Acrobat Sign relying party and click Properties.

2. Once launched, select Authentication Policies and then Edit.

3. Select the Signature tab.

4. Click Add and add the SP certificate file you downloaded from Acrobat Sign.
(See the Adobe Acrobat Sign SAML Service Provider (SP) Information section of the Single Sign On with SAML Guide for more information about the SP certificate.)

5. Select the Advanced tab and change the Secure Hash Algorithm to SHA-2.

6. Select the Endpoints tab and add the Single Logout (SLO) URL from Acrobat Sign.
(See the Hostname section of the Single Sign On with SAML Guide for more information about the Single Logout (SLO) URL).

7. Disable claims encryption: open PowerShell on the AD FS server and run

   Set-ADFSRelyingPartyTrust -TargetName "Adobe Sign" -EncryptClaims $false


Acrobat Sign specific settings

  • The account should have SAML_AVAILABLE=true
  • Host Name
  • SAML Mode
  • ACCOUNT_USER_ADD_EMAIL_DOMAINS setting, for example dev.com
  • Select the token-signing certificate in AD FS and export it as a .cer file (do not export the private key), then add it to the account admin's SAML Settings page in Acrobat Sign.

Open this certificate file in Notepad and, as the Acrobat Sign admin, copy its contents into the IdP Certificate field in SAML Settings.

Now you should be able to test. 


Certificate Creation

1. On Windows, install OpenSSL. On Mac, OpenSSL is already present.

2. Launch a command prompt and type:

   openssl req -x509 -newkey rsa:2048 -keyout <yourkeyName>.pem -out <yourkeynameCer>.pem -days <#ofdays>

Enter the following:

  • Country code: US
  • State: California; City: San Jose
  • Enter some Organization and Organization unit
  • Common Name: the fully qualified name that is the same as your host system name, for example sjtest.es.com

3. Now create the PKCS#12 key:

   openssl pkcs12 -export -in <yourkeynameCer>.pem -inkey <yourkeyName>.pem -out my_pkcs12.pfx

4. Enter a password when prompted.

5. Click Import, select the my_pkcs12.pfx file created above, and enter the password that you provided at PKCS#12 export time when prompted.


Okta Configuration

Overview

Acrobat Sign can support Security Assertion Markup Language (SAML) single sign-on (SSO) using external identity providers (IdPs) such as Okta. This document describes the steps for configuring Acrobat Sign for SAML SSO with Okta. This document also provides information on testing your SAML SSO configuration. Before proceeding, please see the Acrobat Sign Single Sign On Using SAML Guide, which describes the SAML setup process and provides detailed information on the SAML Settings in Acrobat Sign.

Note:

Successful installation requires that your Active Directory have the GivenName (FirstName) and SN (LastName) values populated.  

If these values are empty, an Unknown User error will trigger.


Configuring SAML SSO with Okta

You must be an administrator for both your Acrobat Sign and Okta accounts to enable SAML SSO. The username for both accounts must be the same. The passwords can be different.

When enabling SAML SSO with Okta, information only needs to be entered in Acrobat Sign. Okta has developed a custom Acrobat Sign Provisioning app that makes it unnecessary to transfer the SP Information from Acrobat Sign to Okta. 

Note:

For the most up-to-date instructions for Okta, see http://developer.okta.com/docs/guides/setting_up_a_saml_application_in_okta.html

1. Log in to Okta and Acrobat Sign in different browsers or in different windows within the same browser.

  • In Okta, log in to your account with the same administrator account you use for your Acrobat Sign Admin Account.

  • In Acrobat Sign, log in to your account using the same admin account credentials that you use for Okta. 

2. Click the blue Admin button.

3. Click the Add Applications shortcut.

The Add Application page displays.

4. In Search, type Acrobat Sign.

  • Click the Add button to add the Acrobat Sign Provisioning application.

The Add Acrobat Sign Provisioning wizard launches displaying the General Setting tab.

5. Log in to Acrobat Sign to obtain your Hostname and Acrobat Sign server environment:

  • Log in as an Acrobat Sign Account Admin
  • Navigate to: Account > Account Settings > SAML Settings
    • Scroll to the bottom of the page and find the Assertion Consumer URL
    • Copy the string between https://  and  .adobesign.com/
      • The first value is your Hostname
      • After the Hostname is the Acrobat Sign environment your account resides on (na1, na2, eu1, jp1, etc.)
      • In the below example you would copy rrassoc.na1 (include the dot between values)

6. In Okta under General Settings, enter the Hostname.Instance for your Acrobat Sign account in the Your Acrobat Sign Sub domain field.

Click Next to continue. 

Note:

If you don’t want users to automatically log in to Acrobat Sign when they log in to Okta, disable the Automatically log in when user lands on the login page option.

7. On the Sign-On Options tab, enable SAML 2.0.

The SAML 2.0 section displays.

8. Under SAML 2.0, click View Setup Instructions.

The Okta How to Configure SAML 2.0 for Acrobat Sign page displays in a new browser window. This page includes instructions and the IdP information that you must enter in the Acrobat Sign SAML Settings page.

9. Copy the Entity ID/Issuer URL from the Okta page, and enter it into the Entity ID/Issuer URL field in Acrobat Sign.
(See the IdP Configuration section of the How to Configure SAML 2.0 for Acrobat Sign page.)

Note:

The "Entity ID/Issuer URL" does not need to be a well-formatted URL. It can be any unique value.

10. Copy the Login URL/SSO Endpoint from the Okta page, and enter it into the Login URL/SSO Endpoint field in Acrobat Sign.
(See the IdP Configuration section of the How to Configure SAML 2.0 for Acrobat Sign page.)

Note:

In Acrobat Sign, the Logout URL/SLO Endpoint field is listed before the Login URL/SSO Endpoint field.

11. Copy the Logout URL/SLO Endpoint from the Okta page and enter it into the Logout URL/SLO Endpoint field in Acrobat Sign.
(See the IdP Configuration section of the How to Configure SAML 2.0 for Acrobat Sign page.)

Note:

The Logout URL/SLO Endpoint shown above is only a suggestion. You can actually specify any valid URL (e.g., Google).

12. Copy the IdP Certificate from the Okta page to the IdP Certificate field in Acrobat Sign.

  • Make sure there are no spaces or returns after “-----END CERTIFICATE-----”.

(see the IdP Configuration section of the How to Configure SAML 2.0 for Acrobat Sign page)

IdP Certificate

You can close the browser window that displays the Okta How to Configure SAML 2.0 for Acrobat Sign page after you copy the IdP Certificate.


13. In Acrobat Sign, click Save.

14. Click the browser window that displays the Okta Sign-On Options if needed.

15. In the Credential Details section of Sign-On Options (see step 8 above), select Email from the Application username format drop-down, then click Next to continue.

Credential details

16. Under Provisioning, you have the option to select the Enable provisioning features option. (See Setting up Auto-Provisioning for more information.) Click Next to continue without setting up Auto-provisioning. 

Provisioning

Note: If you enable the Enable provisioning features option, you must enable the Automatically add users authenticated through SAML option in SAML settings in Acrobat Sign.

17. Under the Assign to People tab, in the People section check the box next to your name to assign at least one active user (yourself), then click Next.

Assign to People

18. Click Done.

Click Done

You can now log out of Okta and proceed with testing your SAML setup. (See Testing Your Okta SAML SSO Configuration for more information.)



Setting Up Auto-provisioning in Okta

If this option is enabled, and the “Automatically add users authenticated through SAML” option in Acrobat Sign is also enabled, you can automatically provision users in Acrobat Sign.

Auto-provisioning


Setting up Auto-launch for Acrobat Sign

You can automatically launch Acrobat Sign when you log in to Okta. If this feature is enabled, Acrobat Sign will open in a separate window when you log in to Okta. You must have pop-ups enabled in your browser for this feature to work.       

Note: If you also enabled the “Automatically log in when user lands on login page” option, two Acrobat Sign windows will open when you launch Okta.

1. Log in to Okta. Your Home page will display.

2. On the Acrobat Sign Provisioning app, hover over the gear icon, then click it.

Mouse over the gear

3. When the Acrobat Sign Provisioning Settings popup displays, click the General tab.

General tab

4. Enable the Launch this app when I sign into Okta option.

Launch this app

5. Click Save.



Testing Your Okta SAML SSO Configuration

There are two ways to test your Okta SAML setup. 


Log in to Acrobat Sign through Okta

1. If logged in, log out of Okta.

2. Log in to Okta. Your Okta Home page displays.

3. On the Home page, click the Acrobat Sign Provisioning app.

Adobe Sign provisioning

You are automatically logged into Acrobat Sign.

Adobe Sign Home page


Log in to Acrobat Sign using your URL

1. Enter your company login URL in your browser. The Acrobat Sign Sign In page displays.

2. On the Sign In page, click the second Sign In button. If you’ve entered a custom Single Sign On Login Message that message displays above this button. If you have not entered a custom message, the default message displays.

Sign on

You are logged into Acrobat Sign.

Adobe Sign Home page


OneLogin Configuration

Overview

Acrobat Sign can support Security Assertion Markup Language (SAML) single sign-on (SSO) using external identity providers (IdPs) such as OneLogin. This document describes the steps for configuring Acrobat Sign for SAML SSO with OneLogin. This document also provides information on testing your SAML SSO configuration. Before proceeding, please see the Acrobat Sign Single Sign On Using SAML Guide, which describes the SAML setup process and provides detailed information on the SAML Settings in Acrobat Sign.


Configuring SAML SSO with OneLogin

1. Log in to OneLogin and Acrobat Sign in different browsers or in different windows within the same browser.

  • In OneLogin, log in to your account with the same administrator credentials you use for your Acrobat Sign Admin Account. 
OneLogin authentication

  • In Acrobat Sign, log in to your account using the same admin account credentials you use for OneLogin. The passwords for these two logins do not have to be the same, but you must log in as the administrator for each account.
Adobe Sign authentication

2. In OneLogin, click Add Apps.

Add apps

3. Search for Acrobat Sign.

Search for Adobe Sign

4. Click the row for Acrobat Sign.

Click Adobe Sign

5. In the Add page, under Connectors select SAML 2.0 – user provisioning, then click Save at the top.

Add and Save

6. Navigate to the SAML Settings page. Note the Hostname for Acrobat Sign.

Hostname

7. In OneLogin, click the Configuration tab. In the Subdomain field, enter your Hostname from Acrobat Sign, then click Save.

Subdomain

8. Click the SSO tab.

SSO tab

9. In the SSO tab, click View Details to display the Standard Strength Certificate (2048-bit) page.

View Details

10. In the Standard Strength Certificate page that displays, click the Copy to Clipboard button for the X.509 Certificate field to copy the certificate to the clipboard.

Copy to Clipboard

If the certificate copies successfully, the rollover text changes from “Copy to Clipboard” to “Copied”.


11. In Acrobat Sign, paste the copied certificate into the IdP Certificate field. Be sure to remove any returns that may have been copied. The cursor should be at the end of the last line as shown below. 

IdP Certificate

12. In OneLogin, click the Copy to Clipboard button for the Issuer URL.

Copy to clipboard

13. In Acrobat Sign, paste the Issuer URL into the Entity ID/Issuer URL field.

Issuer URL

14. In OneLogin, click the Copy to Clipboard button for the SAML 2.0 Endpoint (HTTP) URL.

Copy to clipboard

15. In Acrobat Sign, right click to paste the SAML 2.0 Endpoint (HTTP) URL in the IdP Login URL field. 

Login URL

16. In OneLogin, click the Copy to Clipboard button next to SLO Endpoint (HTTP).

Copy to clipboard

Note: The OneLogin SAML 2.0 Endpoint URL is only a suggestion. You can specify any valid URL (e.g., Google).

17. In Acrobat Sign, paste the SLO Endpoint value into the Logout URL/SLO Endpoint field.

Logout URL

18. In Acrobat Sign, click Save.

19. In OneLogin, click the back arrow to return to the SSO page.

Return to SSO

20. Click the Users tab to add users.

Users tab

21. Click the row to add the user. The Save button is not activated until you click at least one user.

Click the row

22. When done, click Save.  


Testing Your OneLogin SAML SSO Configuration

There are two ways to test your OneLogin SAML Setup. 


Log in to Acrobat Sign through OneLogin

1. If logged in, log out of Acrobat Sign.

2. Log in to OneLogin.

OneLogin authentication

3. On the App Home page, click the Acrobat Sign app.

Click Adobe Sign

You are automatically logged into Acrobat Sign.

Adobe Sign Home page


Log in to Acrobat Sign using your URL

1. Enter your company login URL for Acrobat Sign in the address line of your browser (such as myCompany.adobesign.com). The Acrobat Sign Sign In page displays.

2. On the Sign In page, click the second Sign In button. If you’ve entered a custom Single Sign On Login Message that message displays above this button. If you have not entered a custom message, the default message displays.

Adobe Sign authentication

3. You are logged into Acrobat Sign.

Adobe Sign Home page


Oracle Identity Federation Configuration

Overview

Acrobat Sign can support Security Assertion Markup Language (SAML) single sign-on (SSO) using external identity providers (IdPs) such as Oracle Identity Federation (11g). This document describes the steps for configuring Acrobat Sign, acting as the SAML consumer or service provider (SP), to use OIF. This document also provides suggested steps for configuring OIF; however, please contact your OIF system administrator before making any configuration changes to your OIF Server. Before proceeding, please see the Acrobat Sign Single Sign On Using SAML Guide, which describes the SAML setup process and provides detailed information on the SAML Settings in Acrobat Sign.


Configuring OIF as an IdP in Acrobat Sign

Your organization’s instance of OIF needs to be configured within Acrobat Sign as the external SAML Identity Provider (IdP). As an administrator for your Acrobat Sign Account, navigate to SAML Settings in Acrobat Sign (Account | Account Settings | SAML Settings).

You will need metadata information from your OIF IdP configuration. Typically, the metadata for the OIF is available as XML content at: http://:/fed/idp/metadata. Please contact your OIF administrator to gather the relevant details. You will need the following configuration information.

  • Entity ID/Issuer URL—The entityID attribute on EntityDescriptor element
  • Logout URL/SLO Endpoint—When someone logs out of Acrobat Sign, this URL is called to log them out of the IdP as well.
  • Login URL/SSO Endpoint—The Location attribute on SingleSignOnService element
  • IdP Certificate—Certificate information under the element EntityDescriptor -> IDPSSODescriptor -> KeyDescriptor use="signing"


This information should be configured in the appropriate fields in the Acrobat Sign SAML configuration. See the image below:

Adobe Sign SAML page


Configuring Acrobat Sign as a SP in OIF

Once the OIF SAML configuration is complete within the Acrobat Sign UI, the next step is to configure Acrobat Sign as a Service Provider within OIF. The information required for configuring Acrobat Sign within OIF is available in the Acrobat Sign SAML Service Provider (SP) information section under Account | Account Settings | SAML Settings.

SAML Settings

The metadata description for Acrobat Sign is shown below:

OIF Code

You must customize this metadata description and change the highlighted section in the XML to match the URL for your account. The Assertion Consumer URL for your specific account is shown in SAML Settings.


The steps for completing the configuration in OIF are as follows:

1. Go to the Federations configuration screen on the OIF Administration panel

OIF Admin

2. Create a new federation profile

New Profile

3. Create a new Service Provider (SP) listing for Acrobat Sign.


Import the Acrobat Sign SP configuration XML or manually create the SP listing using the provider information from the Acrobat Sign SAML settings.

Import the SP config

4. Complete the configuration. Acrobat Sign will appear as a new Service Provider listing in the OIF list of SPs. 

Complete the config


Verifying Email Address as NameID Format

Acrobat Sign uses email addresses as the unique user identifier. Before testing the single sign-on, one last step is to ensure that the email address field is mapped to the appropriate user attribute within OIF and that the email address is enabled as a valid NameID format.

Verify Email


Known Issues

Redhat IdP has a setting called Encrypt Assertions that adds an additional layer of encryption.

This additional encryption is incompatible with the Acrobat Sign SAML configuration, and should not be enabled for Acrobat Sign.

Redhat IdP Encrypt Assertions
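Both conditions in the two sections above (the NameID must be the user's email address in the emailAddress format, and the assertion must not be encrypted) can be checked on a captured SAML Response before the first login attempt, for example one saved from the browser with a SAML tracing extension. The script below is an added example, not part of this guide or of any vendor tooling: it builds constructed sample responses (unsigned, placeholder issuer, not captured from a real IdP) and reports each configuration problem it finds, so an empty result means the response is in the shape Acrobat Sign expects.

```python
"""Pre-flight checks on a SAML Response for Acrobat Sign: NameID must be an
email address in the emailAddress format, and the assertion must be in clear
(an IdP 'Encrypt Assertions' setting produces saml:EncryptedAssertion instead)."""
import re
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def make_plain_response(name_id: str, name_id_format: str) -> str:
    """Constructed, unsigned sample response with a clear-text assertion."""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_resp1" Version="2.0" IssueInstant="2022-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.test/fed/idp</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2022-01-01T00:00:00Z">
    <saml:Issuer>https://idp.example.test/fed/idp</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="{name_id_format}">{name_id}</saml:NameID>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>"""


# Constructed sample of what an IdP emits with assertion encryption turned on;
# the ciphertext is a placeholder.
ENCRYPTED_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_resp2" Version="2.0" IssueInstant="2022-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.test/fed/idp</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:EncryptedAssertion>
    <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
        Type="http://www.w3.org/2001/04/xmlenc#Element">
      <xenc:CipherData><xenc:CipherValue>placeholderCiphertext==</xenc:CipherValue></xenc:CipherData>
    </xenc:EncryptedData>
  </saml:EncryptedAssertion>
</samlp:Response>"""


def check_response(response_xml: str) -> list:
    """Return a list of findings; an empty list means no problem was detected."""
    findings = []
    root = ET.fromstring(response_xml)
    if root.tag != "{%s}Response" % NS["samlp"]:
        return ["root element is not samlp:Response"]

    if root.find("saml:EncryptedAssertion", NS) is not None:
        findings.append("assertion is encrypted (saml:EncryptedAssertion): "
                        "disable assertion encryption on the IdP for Acrobat Sign")

    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        if not findings:
            findings.append("no saml:Assertion in response")
        return findings

    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None:
        findings.append("assertion has no Subject/NameID")
        return findings

    fmt = name_id.get("Format", "(unspecified)")
    if fmt != EMAIL_FORMAT:
        findings.append(f"NameID Format is {fmt}, expected {EMAIL_FORMAT}")

    value = (name_id.text or "").strip()
    if not EMAIL_RE.match(value):
        findings.append(f"NameID value {value!r} is not an email address; "
                        "Acrobat Sign identifies users by email")
    return findings


if __name__ == "__main__":
    samples = {
        "good": make_plain_response("user@example.test", EMAIL_FORMAT),
        "persistent id": make_plain_response(
            "_a1b2c3", "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"),
        "encrypted": ENCRYPTED_RESPONSE,
    }
    for label, xml_text in samples.items():
        print(label, "->", check_response(xml_text) or "OK")
```

Because the check only inspects structure, it works on an unsigned test response as well as on a real one; it does not validate the signature, so it complements rather than replaces the login test described under Testing Your Configuration.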


©2022 Adobe Systems Incorporated. All Rights Reserved.

Products mentioned in this document, such as the services of identity providers Microsoft Active Directory Federation, Okta, Onelogin, and Oracle Identity Federation, and Salesforce software retain all of the copyrights and trademark rights of their specific corporations.
