DocuSign SSO with Microsoft Entra ID

Requirements

  1. DocuSign Business Pro with the SSO add-on, or DocuSign Enterprise Pro

  2. An administrator account for each of:

    1. DocuSign Admin

    2. Microsoft Entra ID

Setting up DocuSign SSO consists of two main steps:

  1. Domain Claim

  2. SAML Configuration

SAML Configuration

  1. In Microsoft Entra ID → Enterprise Applications, add the "DocuSign" gallery application.

  2. Assign the users/groups that should use DocuSign under Microsoft Entra ID → DocuSign enterprise application → Users and Groups.
    - Also assign the Microsoft Entra ID admin account used for this configuration, so that it can be used for the test in the final step.

  3. Before touching the SAML settings, make sure the DocuSign Admin account can sign in with either its DocuSign credential or its Microsoft Entra ID credential; otherwise, if SSO is misconfigured, you lock yourself out of DocuSign. Go to DocuSign Admin → Users → Account Users → View User for the admin → Security, and set the login policy to "Identity Provider or username/password" (the same break-glass setting the Production Go Live Checklist below requires for at least one organization admin).

  4. Add a new Identity Provider in DocuSign Admin, using the values from Microsoft Entra ID → DocuSign enterprise application → Single Sign-On → SAML (the Microsoft Entra identifier, i.e. the IdP entity ID/issuer, and the Login URL).

  5. Download the Entra signing certificate (Base64) and upload it to the Identity Provider created in step 4. DocuSign uses this certificate to validate the signature on the SAML assertions, so a wrong or expired certificate fails every SSO login. The Entra signing certificate has an expiry date (shown on the SAML Signing Certificate panel); record it and plan the rotation before it lapses.

  6. Once the Identity Provider is saved on the DocuSign Admin side, DocuSign displays its service-provider endpoints (the SP issuer/entity ID and the assertion consumer service URL). Enter these back into the Basic SAML Configuration of the DocuSign enterprise application in Microsoft Entra ID.

  7. Test SSO. If the configuration is correct, you can sign in to DocuSign with a Microsoft Entra ID username/password. Test with the admin user assigned in step 2, in a separate browser session, while that admin's login policy still allows a DocuSign password.
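Steps 4 and 5 above copy three things out of Entra into DocuSign Admin: the IdP entity ID, the login URL, and the signing certificate. The Entra Single sign-on blade also offers those values as one "Federation Metadata XML" download, and pulling them out of that file is less error-prone than copying from screenshots. The script below is an added example, not DocuSign's or Microsoft's code; it uses only the Python standard library, the helper names are hypothetical, and the metadata is a constructed sample whose tenant ID and certificate body are placeholders, not real values.

```python
"""Pull the values DocuSign Admin asks for out of Microsoft Entra ID SAML IdP
metadata, and fingerprint the signing certificate so the upload can be
checked against what Entra shows. Stdlib only; sample data is constructed."""
import base64
import hashlib
import xml.etree.ElementTree as ET  # use defusedxml.ElementTree for metadata from an untrusted source

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed placeholders: a real X509Certificate element carries DER bytes, this one does not.
PLACEHOLDER_CERT_B64 = base64.b64encode(b"not-a-real-cert").decode()
TENANT = "00000000-0000-0000-0000-000000000000"  # placeholder tenant ID

# Constructed sample shaped like the Entra "Federation Metadata XML" download.
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                  entityID="https://sts.windows.net/{TENANT}/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data>
          <X509Certificate>
            {PLACEHOLDER_CERT_B64}
          </X509Certificate>
        </X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="{HTTP_REDIRECT}"
                         Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
    <SingleSignOnService Binding="{HTTP_POST}"
                         Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def parse_idp_metadata(xml_text: str) -> dict:
    """Return the IdP entity ID, the SSO URL per binding and the signing certificate(s)."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        # SP metadata (what DocuSign hands back in step 6) has SPSSODescriptor instead.
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")
    sso = {s.get("Binding"): s.get("Location")
           for s in idp.findall("md:SingleSignOnService", NS)}
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":  # a missing 'use' means signing and encryption
            continue
        for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            certs.append("".join((c.text or "").split()))  # drop the line wrapping metadata adds
    if not certs:
        raise ValueError("no signing certificate in metadata")
    return {
        "entity_id": root.get("entityID"),
        "sso_redirect_url": sso.get(HTTP_REDIRECT),
        "sso_post_url": sso.get(HTTP_POST),
        "signing_certs": certs,
    }


def cert_fingerprint(cert_b64: str) -> str:
    """SHA-256 over the DER bytes, as colon-separated upper-case hex."""
    der = base64.b64decode(cert_b64, validate=True)
    hexdigest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def pem_for_upload(cert_b64: str) -> str:
    """Wrap the Base64 body in PEM armour, the same form as the Entra 'Certificate (Base64)' download."""
    body = "\n".join(cert_b64[i:i + 64] for i in range(0, len(cert_b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    info = parse_idp_metadata(SAMPLE_METADATA)
    print("IdP entity ID (issuer):", info["entity_id"])
    print("Login URL (HTTP-POST) :", info["sso_post_url"])
    for cert in info["signing_certs"]:
        print("Signing cert SHA-256  :", cert_fingerprint(cert))
        print(pem_for_upload(cert))
```

Run it against the real download instead of SAMPLE_METADATA, compare the printed fingerprint with the one you compute over the certificate you actually uploaded in DocuSign Admin, and treat more than one signing certificate in the metadata as a sign that a rollover is in progress. Feeding the script DocuSign's own SP metadata raises an error on purpose: it is the IdP document that belongs in step 4, not the SP one.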


Appendix

DocuSign Single Sign-On Overview

https://support.docusign.com/en/guides/org-admin-guide-create-org

https://support.docusign.com/en/guides/org-admin-guide-single-sign-on-overview

 

What is just-in-time provisioning

https://support.docusign.com/en/articles/How-do-I-utilize-just-in-time-provisioning-as-an-Organization-Administrator

 

Single Sign-On - DocuSign Solution Engineering Video

https://www.youtube.com/watch?v=iNA7QinI6Ik

 

Production Go Live Checklist:

(To go live you will enable "Require all users to authenticate with Identity Provider" on your domain in Org Admin.)

Before you enforce SSO there are a few top-level items you want to make sure you have taken care of:

  1. Tested your Identity Provider configuration between your Identity Provider and DocuSign (performed a successful SSO login).

  2. Granted access, in the Identity Provider, to all users who should log in to DocuSign via Single Sign-On.

  3. If you have any service users for a 3rd-party integration, set their login policy to "Identity Provider or username/password". Once SSO is enforced, a service user left on the default policy is required to authenticate against the Identity Provider, which an integration cannot do.

  4. Make sure at least one of your org admins has the login policy "Identity Provider or username/password", so you can still get in if SSO is not functioning. It is recommended to have more than one Organization Admin.

  5. Take care of any external users prior to enforcing SSO. See "Dealing with External Users" below for details.

  6. Ensure you have linked all your corporate accounts to the organization.

  7. Enable the domain-level feature "Prevent unmanaged signups". This prevents users from creating accounts outside of your corporate account.

  8. Enable "Require all users to authenticate with Identity Provider" on the domain. (This removes the "Use company Login" button and automatically redirects your users to the Identity Provider.)
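Checklist items 2, 3 and 4 are the ones that lock people out if they are missed, and they can be checked mechanically against an export of the organization's users and the assignment list of the DocuSign enterprise application in Entra ID. The script below is an added example, not DocuSign's or Microsoft's code: the field names (login_policy, org_admin, service_user), the claimed domain and the sample users are constructed assumptions, and the policy string is the one the checklist names.

```python
"""Pre-flight check for enabling "Require all users to authenticate with
Identity Provider". Input: the organization's users (as read from a DocuSign
Admin export) and the set of users assigned to the DocuSign enterprise
application in Entra ID. Output: what would lock someone out or break once
SSO is enforced on the claimed domain. Field names and data are constructed."""
from dataclasses import dataclass

# Login policy name as it appears in DocuSign Admin; the only one that keeps
# password login working after the domain-level enforcement is switched on.
IDP_OR_PASSWORD = "Identity Provider or username/password"
DEFAULT_POLICY = "Default"


@dataclass(frozen=True)
class OrgUser:
    email: str
    login_policy: str
    org_admin: bool = False
    service_user: bool = False  # credentials used by a 3rd-party integration


# Constructed sample: one claimed domain, two org admins, a service user, an external-domain member.
CLAIMED_DOMAINS = {"example.com"}
ORG_USERS = [
    OrgUser("alice@example.com", IDP_OR_PASSWORD, org_admin=True),  # break-glass admin
    OrgUser("bob@example.com", DEFAULT_POLICY, org_admin=True),
    OrgUser("carol@example.com", DEFAULT_POLICY),
    OrgUser("dave@example.com", DEFAULT_POLICY),                    # forgotten in Entra
    OrgUser("svc-erp@example.com", DEFAULT_POLICY, service_user=True),
    OrgUser("eve@partner.example", DEFAULT_POLICY),                 # not on the claimed domain
]
ENTRA_ASSIGNED = {"alice@example.com", "bob@example.com", "carol@example.com"}


def domain_of(email: str) -> str:
    return email.rsplit("@", 1)[-1].lower()


def go_live_findings(users, entra_assigned, claimed_domains) -> dict:
    """Apply checklist items 2, 3 and 4. 'blocking' must be fixed before the
    enforcement box is ticked; 'warnings' are judgement calls."""
    assigned = {e.lower() for e in entra_assigned}
    claimed = {d.lower() for d in claimed_domains}
    blocking, warnings = [], []

    admins = [u for u in users if u.org_admin]
    break_glass = [u for u in admins if u.login_policy == IDP_OR_PASSWORD]
    if not break_glass:
        blocking.append("no organization admin keeps the policy "
                        f"'{IDP_OR_PASSWORD}'; an SSO outage would lock every admin out")
    if len(admins) < 2:
        warnings.append("only one organization admin; a second is recommended")

    for u in users:
        if domain_of(u.email) not in claimed:
            warnings.append(f"{u.email}: not on a claimed domain, so domain enforcement "
                            "does not apply; this member keeps using a DocuSign password")
            continue
        if u.login_policy == IDP_OR_PASSWORD:
            continue  # explicitly excluded from enforcement, nothing to check
        if u.service_user:
            blocking.append(f"{u.email}: service user on the default policy would be "
                            "redirected to the Identity Provider, breaking the integration")
        elif u.email.lower() not in assigned:
            blocking.append(f"{u.email}: on the default policy but not assigned to the "
                            "DocuSign app in Entra ID; loses access once SSO is enforced")
    return {"ready": not blocking, "blocking": blocking, "warnings": warnings}


if __name__ == "__main__":
    result = go_live_findings(ORG_USERS, ENTRA_ASSIGNED, CLAIMED_DOMAINS)
    print("READY" if result["ready"] else "NOT READY")
    for line in result["blocking"]:
        print("  BLOCKING:", line)
    for line in result["warnings"]:
        print("  warning :", line)
```

With the sample data the check reports NOT READY: dave is on the default policy but was never assigned to the enterprise application, and the ERP service user would be forced through SAML. Fixing both (assign dave in Entra, move the service user to "Identity Provider or username/password") makes it pass; removing alice's break-glass policy makes it fail again, which is the state the checklist warns about.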

 

Enforcing SSO on the domain:

https://support.docusign.com/en/guides/org-admin-guide-change-domain-settings

 

How to exclude users from SSO

https://support.docusign.com/en/articles/How-to-exclude-specific-users-from-SSO-requirements

 

When to Create another account within Docusign

https://view.highspot.com/viewer/5fa5c231a4dfa01774e9df7a

 

Dealing with External Users

Please reference the following document.

https://support.docusign.com/en/guides/Establish-Control-of-Your-Companys-DocuSign-Agreements

 

There are two options for dealing with external users, that is, users on your domain who have personal accounts that were created outside of your corporate account.

Option #1

Have them back up the documents in those accounts and then close* them out. (If you have the Org Management Feature pack, you as the administrator can close these accounts. If you only have Access Management with SSO, the end user must close their account using the instructions in the following document.)

                Please refer to External_User_Communication.docx: https://view.highspot.com/viewer/61250cf54901ff55266d496f

 

Option #2

Take no action on the personal account, and decide whether to grant the user access through the Identity Provider:

                Grant the user access to DocuSign via the Identity Provider. Those users will be provisioned into your default account and the two memberships will be linked at the user level, so the user can switch between the personal external account and the corporate account.

                Please refer to Switch_between_accounts.docx: https://view.highspot.com/viewer/5fa5c1ecc714336027699d10

                Do not grant the user access to DocuSign via the Identity Provider. When you enforce SSO, those users will lose access to the personal account and its documents. Nothing is deleted or closed; they just lose access.

 

 

Automatically verify sub-domains – This allows you to claim additional child domains of an already-claimed parent domain without a DNS TXT record for each child, e.g. example.wikisavage.com under a claimed wikisavage.com. This setting is NOT a wildcard solution: each child domain still has to be added explicitly.

Always require login when opening envelopes – This is the strictest setting within the domain section: all users must authenticate against your Identity Provider before they can view or sign documents.

Prevent unmanaged signups – Arguably the most important feature within the domain section. It prevents users on the claimed domain from creating accounts outside of your organization, whether freemium, credit-card or corporate accounts, and it also prevents 3rd parties from creating your employees as users within their own third-party account. Highly recommended for Production; less important for Demo.

Require all users to authenticate with Identity Provider – This is the go-live button for SSO. It enforces SSO for all users at the claimed domain by changing the behaviour of the "default" login policy. While the checkbox is unchecked, users can log in with their DocuSign credentials or via SSO (if they have been granted access through the Identity Provider). Once it is checked, users with the default login policy are required to authenticate against the Identity Provider. Users whose policy is explicitly "Identity Provider or username/password" are not affected, which is why the break-glass org admin and any service users must be set to that policy before the box is ticked.

Auto-activate memberships by default for Organization accounts – This allows you to create SSO users manually from the Organization level. Users created after this is enabled do not receive an activation email and are therefore never asked to generate a DocuSign password. That is the intended behaviour, since SSO is enforced before this setting is enabled and those users will not be using DocuSign passwords. Many customers enable this feature but simply rely on Just-in-Time provisioning to provision new users.

 

 

Demo Account Information:

In addition to your production environment, we recommend each customer set up SSO against DocuSign's Sandbox/Demo environment. This permits safe testing of the configuration without impacting your Production account.

If you do not have a sandbox/demo account, please create one here:

https://secure.docusign.com/signup/developer

 

Once you have created your demo account you can feel free to create your organization and SSO items there as well.

 

 

Direct links for accessing DocuSign Demo and Production

Production:

Login: https://account.docusign.com

Admin Login: https://admin.docusign.com

 

Demo:

Login: https://account-d.docusign.com

Admin Login: https://admindemo.docusign.com

 

DocuSign Public Certificates

This is our current list of certificates

https://trust.docusign.com/en-us/trust-certifications/docusign-public-certificates/

 

DocuSign AllowList Addresses

It is DocuSign's intention to provide the most robust and reliable service possible to enable your business transactions. If you use any type of proxy or web-filtering product/service and find that it blocks any of the DocuSign addresses used for content delivery, add those addresses to your allow list.

https://www.docusign.com/trust/security/esignature

(Please note addresses can change over time - please reference this page for updates)

 

DocuSign Release Notes 

Keep up to date with DocuSign release notes and features. You can either periodically check this page for current and past release notes or if you want to be notified when new notes are released you can have your account manager put you on the distribution list for announcements. 

https://support.docusign.com/en/releasenotes

 

DocuSign Trust Center 

You can find additional information regarding DocuSign’s commitment to rigorous security standards within the link below.

https://trust.docusign.com/en-us/