Enable single sign-on with SAML

Overview

Acrobat Sign can support Security Assertion Markup Language (SAML) single sign-on (SSO) using external identity providers (IdPs) such as Okta. This document describes the steps for configuring Acrobat Sign for SAML SSO with Okta. This document also provides information on testing your SAML SSO configuration. Before proceeding, please see the Acrobat Sign Single Sign On Using SAML Guide, which describes the SAML setup process and provides detailed information on the SAML Settings in Acrobat Sign.

Configuring SAML SSO with Okta

You must be an administrator for both your Acrobat Sign and Okta accounts to enable SAML SSO. The username for both accounts must be the same. The passwords can be different.

When enabling SAML SSO with Okta, information only needs to be entered in Acrobat Sign. Okta has developed a custom Acrobat Sign Provisioning app that makes it unnecessary to transfer the SP Information from Acrobat Sign to Okta. 

1. Log in to Okta and Acrobat Sign in different browsers or in different windows within the same browser.

• In Okta, log in to your account with the same administrator account you use for your Acrobat Sign Admin Account.

• In Acrobat Sign, log in to your account using the same admin account credentials that you use for Okta. 

2. Click the blue Admin button.

3. Click the Add Applications shortcut.

The Add Application page displays.

4. In Search, type Acrobat Sign.

• Click the Add button to add the Acrobat Sign Provisioning application.

The Add Acrobat Sign Provisioning wizard launches displaying the General Setting tab.

5. Log in to Acrobat Sign to obtain your Hostname and Acrobat Sign server environment:

• Log in an Acrobat Sign Account Admin
• Navigate to: Account > Account Settings > SAML Settings
  
  • Scroll to the bottom of the page and find the Assertion Consumer URL
  • Copy the string between https://  and  .adobesign.com/
    
    • The first value is your Hostname
    • After the Hostname is the Acrobat Sign environment your account resides on (na1, na2, eu1, jp1, etc.)
    • In the below example you would copy rrassoc.na1 (include the dot between values)

6. In Okta under General Settings, enter the Hostname.Instance for your Acrobat Sign account in the Your Acrobat Sign Sub domain field.

Click Next to continue. 

7. On the Sign-On Options tab, enable SAML 2.0.

The SAML 2.0 section displays.

8. Under SAML 2.0, click View Setup Instructions.

The Okta How to Configure SAML 2.0 for Acrobat Sign page displays in a new browser window. This page includes instructions and the IdP information that you must enter in the Acrobat Sign SAML Settings page.

9. Copy the Entity ID/Issuer URL from the Okta page, and enter it into the Entity ID/Issuer URL field in Acrobat Sign.
(see the idP Configuration section of the How to Configure SAML 2.0 for Acrobat Sign)

10. Copy the Login URL/SSO Endpoint from the Okta page, and enter it into the Login URL/SSO Endpoint field in Acrobat Sign.
(see the idP Configuration section of the How to Configure SAML 2.0 for Acrobat Sign)

11. Copy the Logout URL/SLO Endpoint from the Okta page and enter it into the Logout URL/SLO Endpoint field in Acrobat Sign.
(see the idP Configuration section of the How to Configure SAML 2.0 for Acrobat Sign)

12. Copy the IdP Certificate from the Okta page to the IdP Certificate field in Acrobat Sign.

• Make sure there are no spaces or returns after “-----END CERTIFICATE-----“.

(see the idP Configuration section of the How to Configure SAML 2.0 for Acrobat Sign)

You can close the browser window that displays the Okta How to Configure SAML 2.0 for Acrobat Sign page after you copy the IdP Certificate.

13. In Acrobat Sign, click Save.

14. Click the browser window that displays the Okta Sign-On Options if needed.

15. In the Credential Details section of Sign-On Options (see step 8 above), select Email from the Application username format drop-down, then click Next to continue.

16. Under Provisioning, you have the option to select the Enable provisioning features option. (See Setting up Auto-Provisioning for more information.) Click Next to continue without setting up Auto-provisioning. 

17. Under the Assign to People tab, in the People section check the box next to your name to assign at least one active user (yourself), then click Next.

18. Click Done.

You can now log out of Okta and proceed with testing your SAML setup. (See Testing Your Okta SAML SSO Configuration for more information.)

Setting Up Auto-provisioning in Okta

If this option is enabled, and the “Automatically add users authenticated through SAML” option in Acrobat Sign is also enabled, you can automatically provision users in Acrobat Sign.

Setting up Auto-launch for Acrobat Sign

You can automatically launch Acrobat Sign when you log in to Okta. If this feature is enabled, Acrobat Sign will open in a separate window when you log in to Okta. You must have pop-ups enabled in your browser for this feature to work.       

1. Log in to Okta. Your Home page will display.

2. On the Acrobat Sign Provisioning app, cursor over the gear icon, then click to activate it.

3. When the Acrobat Sign Provisioning Settings popup displays, click the General tab.

4. Enable the Launch this app when I sign into Okta option.

5. Click Save.

Testing Your Okta SAML SSO Configuration

There are two ways to test your Okta SAML setup. 

Log in to Acrobat Sign through Okta

1. If logged in, log out of Okta.

2. Log in to Okta. Your Okta Home page displays.

3. On the Home page, click the Acrobat Sign Provisioning app.

You are automatically logged into Acrobat Sign.

Log in to Acrobat Sign using your URL

1.  Enter your company login URL in your browser. The Acrobat Sign Sign In page displays.

2. On the Sign In page, click the second Sign In button. If you’ve entered a custom Single Sign On Login Message that message displays above this button. If you have not entered a custom message, the default message displays.

You are logged into Acrobat Sign.

Overview

Acrobat Sign can support Security Assertion Markup Language (SAML) single sign-on (SSO) using external identity providers (IdPs) such as OneLogin. This document describes the steps for configuring Acrobat Sign for SAML SSO with OneLogin. This document also provides information on testing your SAML SSO configuration. Before proceeding, please see the Acrobat Sign Single Sign On Using SAML Guide, which describes the SAML setup process and provides detailed information on the SAML Settings in Acrobat Sign.

Configuring SAML SSO with OneLogin

1. Log in to OneLogin and Acrobat Sign in different browsers or in different windows within the same browser.

• In OneLogin, log in to your account with the same administrator credentials you use for your Acrobat Sign Admin Account. 

• In Acrobat Sign, log in to your account using the same admin account credentials you use for OneLogin. The passwords for these two logins do not have to be the same, but you must log in as the administrator for each account.

2. In OneLogin, click Add Apps.

3. Search for Acrobat Sign.

4. Click the row for Acrobat Sign.

5. In the Add page, under Connectors select SAML 2.0 – user provisioning, then click Save at the top.

6. Navigate to the SAML Settings page. Note the Hostname for Acrobat Sign.

7. In OneLogin, click the Configuration tab. In the Subdomain field, enter your Hostname from Acrobat Sign, then click Save.

8. Click the SSO tab.

9. In the SSO tab, click View Details to display the Standard Strength Certificate (2048-bit) page.

10. In the Standard Strength Certificate page that displays, click the Copy to Clipboard button for the X.509 Certificate field to copy the certificate to the clipboard.

If the certificate successfully copies, the rollover text says “Copy to Clipboard” text updates to “Copied”.

11. In Acrobat Sign, paste the copied certificate into the IdP Certificate field. Be sure to remove any returns that may have been copied. The cursor should be at the end of the last line as shown below. 

12.  In OneLogin, click the Copy to Clipboard button for the Issuer URL.

13. In Acrobat Sign, paste the Issuer URL into the Entity ID/Issuer URL field.

14. In OneLogin, click the Copy to Clipboard button for the SAML 2.0 Endpoint (HTTP) URL.

15. In Acrobat Sign, right click to paste the SAML 2.0 Endpoint (HTTP) URL in the IdP Login URL field. 

16. In OneLogin, click the Copy to Clipboard button next to SLO Endpoint (HTTP).

17. In Acrobat Sign, copy the SLO Endpoint value into the Logout URL/SLO Endpoint field.

18. In Acrobat Sign, click Save.

19. In OneLogin, click the back arrow to return to the SSO page.

20. Click the Users tab to add users.

21. Click the row to add the user. The Save button is not activated until you click at least one user.

22. When done, click Save.  

Testing Your OneLogin SAML SSO Configuration

There are two ways to test your OneLogin SAML Setup. 

Log in to Acrobat Sign through OneLogin

1. If logged in, log out of Acrobat Sign.

2. Log in to OneLogin.

3. On the App Home page, click the Acrobat Sign app.

You are automatically logged into Acrobat Sign.

Log in to Acrobat Sign using your URL

1. Enter your company login URL for Acrobat Sign in the address line of your browser (such as myCompany.adobesign.com). The Acrobat Sign Sign In page
displays.

2. On the Sign In page, click the second Sign In button. If you’ve entered a custom Single Sign On Login Message that message displays above this button. If you have not entered a custom message, the default message displays.

3. You are logged into Acrobat Sign.

Overview

Acrobat Sign can support Security Assertion Markup Language (SAML) single sign-on (SSO) using external identity providers (IdPs) such as Oracle Identity Federation (11g). This document describes the steps for configuring Acrobat Sign, acting as the SAML consumer or service provider (SP), to use OIF. This document also provides suggested steps for configuring OIF, however, please contact your OIF system administrator before making any configuration changes to your OIF Server. Before proceeding, please see the Acrobat Sign Single Sign On Using SAML Guide, which describes the SAML set up process and provides detailed information on the SAML Settings in Acrobat Sign.

Configuring OIF as an IdP in Acrobat Sign

Your organization’s instance of OIF needs to be configured within Acrobat Sign as the external SAML Identity Provider (IdP). As an administrator for your Acrobat Sign Account, navigate to SAML Setting in Acrobat Sign as an (Account | Account Settings | SAML Settings).

You will need metadata information from your OIF IdP
configuration. Typically, the metadata for the OIF is available as an XML
content at: http://:/fed/idp/metadata.
Please contact your OIF administrator to gather the relevant. You will need the
following configuration information.

• Entity ID/Issuer URL—The entityID attribute on EntityDescriptor element
• Logout URL/SLO Endpoint—When someone logs out of Acrobat Sign, this URL is called to log them out of the IdP as well.
• Login URL/SSO Endpoint—The Location attribute on SingleSignOnService element
• IdP Certificate—Certificate information under the element EntityDescriptor -> IDPSSODescriptor -> KeyDescriptor use="signing"

This information should be configured in the appropriate fields in the Acrobat Sign SAML configuration. See the image below:

Configuring Acrobat Sign as a SP in OIF

Once the OIF SAML configuration is complete within the Acrobat Sign UI, the next step is to configure Acrobat Sign as a Service Provider within OIF. The information required for configuring Acrobat Sign within OIF is available on the Acrobat Sign SAML Service Provider (SP) information section under Account | Account Settings | SAML Settings. 

The metadata description for Acrobat Sign is shown below:

You must customize this metadata description and change the highlighted section in the XML to match the URL for your account. The Assertion Consumer URL for your specific account is shown in SAML Settings.

The steps for completing the configuration in OIF are as follows:

1. Go to the Federations configuration screen on the OIF Administration panel

2. Create a new federation profile

3. Create a new Service Provider (SP) listing for Acrobat Sign.

Import the Acrobat Sign SP configuration XML or manually create the SP listing using the provider information from the Acrobat Sign SAML settings.

4. Complete the configuration. Acrobat Sign will appear as a new Service Provider listing in the OIF list of SPs. 

Verifying Email Address as NameID Format

Acrobat Sign uses email addresses as the unique user identifier. Before testing the single sign-on one last step is the ensure that the email address field is mapped to the appropriate user attribute within OIF and that the email address is enabled as a valid NameID format.

Redhat IdP has a setting called Encrypt Assertions that adds an additional layer of encryption.

This additional encryption is incompatible with the Acrobat Sign SAML configuration, and should not be enabled for Acrobat Sign.