Authenticate your signers using your SSO solution (and optionally entitle them to use the Acrobat Sign product)

Overview

"Just in time" (JIT) user provisioning refers to a configuration in the Adobe Admin Console that automatically creates a new user profile in the configured organization as the result of some configured trigger.

This document describes how to require your signers to authenticate through your federated SSO solution when they access an agreement as a participant. This allows the Acrobat Sign authentication method to be used without the recipient being a licensed user in the Acrobat Sign system.

An optional configuration can automatically add the recipient to the Acrobat Sign product profile, entitling them to use the Acrobat Sign solution.

Prerequisites

Steps to configure the Admin Console:

  1. Claim the domains to be used in your Admin Console organization.

    The domain of the user's email address is the validation check to affirm that the Admin Console organization may create the user.

  2. Configure your Admin Console organization to use a federated SSO solution.

    The SSO solution provides the identity validation that approves the creation of the user. 

  3. Enable automatic account creation in the Admin Console organization.

    • This core account creation method adds the user to the Admin Console organization as a known user.

  4. (Optionally) Configure the Admin Console to add the requesting user to the Acrobat Sign product profile.

    This optional configuration adds the user to the selected product profile, entitling the user to access a service (in this case, Acrobat Sign):

    • Select the Acrobat Sign Solutions product.
    • Select the product profile defined for the Acrobat Sign product.

    Note:

    Entitling a user to the Acrobat Sign product profile consumes a license to use the product. Customers that have a limited number of licenses may want to skip this step.

    If you do not configure the console to add users to the product profile, the user is still created in the org, but they are not provisioned an Acrobat Sign license.
    This allows internal use of the Acrobat Sign authentication method without requiring an Acrobat Sign license.

  5. Enable the Signer Identity Verification feature in the Acrobat Sign interface.

    • Navigate to Account Settings > Security Settings > Signer Identity Verification
    • Check both options.
    • Save the configuration.

The user experience

Once the Admin Console is configured, users in the claimed domain trigger automatic user creation by attempting to access an agreement for participation or by use of the Acrobat Sign authentication method.

Both options prompt the user to enter an email address, which triggers the authentication process.

The authentication system:

  1. Parses the domain out of the email address.
  2. Identifies the Admin Console organization the user should be in (based on the claimed domain).
  3. Retrieves the SSO configuration information.
  4. Redirects the user to authenticate against the configured SSO solution.

Upon successful validation from the SSO, the user is:

  1. Created in the account (if the user does not already exist).
  2. Added to the product profile (if the Admin Console is configured to do so in Step 4 and the user is not already a member).
  3. Authenticated to view and interact with the agreement.

After the user is created, they can authenticate to the Admin Console and interact with any entitled product profiles they are assigned to.
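
The lookup and provisioning sequence above, modeled as an added Python example (this is not Adobe's code). The `Org` class, the function names, the exact-match domain rule and the sample addresses are assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Org:
    """Hypothetical model of an Admin Console organization (not Adobe's data model)."""
    claimed_domains: set            # step 1: claimed domains
    sso_url: str                    # step 2: federated SSO endpoint
    entitle_profile: str = ""       # step 4 (optional): product profile to auto-assign
    users: dict = field(default_factory=dict)   # email -> set of product profiles

def email_domain(email):
    """Return the lower-cased domain, or None unless the input is exactly local@domain."""
    local, sep, domain = email.strip().rpartition("@")
    domain = domain.lower().rstrip(".")
    if not sep or not local or not domain or "@" in local:
        return None
    return domain

def route_login(orgs, email):
    """Parse the domain, find the org that claimed it, return (org, SSO redirect URL)."""
    domain = email_domain(email)
    for org in orgs:
        # Assumption: claims match exactly, so example.com does not cover sub.example.com.
        if domain in org.claimed_domains:
            return org, org.sso_url
    return None, None

def complete_login(org, sso_email):
    """Apply the post-SSO steps to the address asserted by the identity provider."""
    email = sso_email.strip().lower()
    result = {"authenticated": False, "created": False, "license_consumed": False}
    if email_domain(email) not in org.claimed_domains:
        return result               # the domain check is what permits user creation
    result["authenticated"] = True
    result["created"] = email not in org.users
    profiles = org.users.setdefault(email, set())
    if org.entitle_profile and org.entitle_profile not in profiles:
        profiles.add(org.entitle_profile)
        result["license_consumed"] = True   # entitlement consumes a license
    return result

if __name__ == "__main__":
    # Constructed sample organization and addresses.
    org = Org({"example.com"}, "https://sso.example.com/login", "Acrobat Sign")
    for addr in ("Signer@Example.com", "signer@sub.example.com", "a@b@example.com"):
        print(addr, "->", route_login([org], addr)[1])
    print(complete_login(org, "signer@example.com"))   # first access: created and entitled
    print(complete_login(org, "signer@example.com"))   # repeat access: nothing new
```

Leaving `entitle_profile` empty models skipping Step 4: the user is still created and authenticated, but no license is consumed.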
