Adobe Sign

Before You Begin

Introduction

This document describes how to configure Oracle Identity Cloud Service to provide Single Sign-On (SSO) for Adobe Sign using SAML.

For accessing the procedures in this document as a video, see Integrating Adobe Sign with Oracle Identity Cloud Service.

About Adobe Sign

Adobe Sign is a complete, automated electronic signature and web contract solution that lets users send, e-sign, track, and file documents securely online. You can also send and e-sign using mobile devices.

After integrating Adobe Sign with Oracle Identity Cloud Service:

  • Users can access Adobe Sign using their Oracle Identity Cloud Service login credentials.
  • Users can start Adobe Sign using the Oracle Identity Cloud Service My Apps console.
  • Admins can assign and revoke user access to the Adobe Sign app using the Oracle Identity Cloud Service administration console.

What Do You Need?

  • An Oracle Identity Cloud Service account with authorization rights to manage apps and users (Identity Domain Administrator or Application Administrator).
  • An Adobe Sign account with authorization rights to configure federated authentication.
  • Make sure that the email ID of each user in Adobe Sign matches the primary email ID of the Oracle Identity Cloud Service account.
  • A verified domain name to include in Adobe Sign for registration. You may need to open an Adobe Sign support ticket or contact Adobe Sign Customer Support to register the verified domain to Adobe Sign via the backend.
  • Make sure that SAML test users are administrators with email addresses that belong to the same domain as the Adobe Sign registered domain.

Configuring the Adobe Sign App in Oracle Identity Cloud Service

Use this section to register and activate the Adobe app, and then assign users to the app.

Prerequisite Steps

A dedicated hostname is required before you can register and activate the Adobe Sign app. You obtain that hostname from Adobe Sign.

To obtain the hostname:

  1. From the home page in Adobe Sign, click Account, Account Settings, and then SAML Settings.

  2. The hostname appears in the Hostname box on that page.

    Image img1.png displays the Adobe Sign app with the hostname field highlighted.

    The hostname also appears in the Adobe Sign home URL (https://<Account_Name>.AdobeSign.com).

    Image img2.png displays the address bar of the Adobe Sign home page with the hostname highlighted in the URL.

Registering and Activating the Adobe Sign App

  1. Access the Oracle Identity Cloud Service administration console, select Applications, and then click Add.

  2. Click App Catalog.

  3. Search for Adobe Sign, and then click Add.

  4. In the App Details section, enter your account name in the Account Name field, and then click Next.

    Note: This is the hostname that you obtained while performing the steps in the "Prerequisite Steps" section.

  5. Click Download IDCS Certificate, and then click Download IDCS Metadata. Alternatively, you can use the following URL to access the metadata: https://<IDCS-Service-Instance>.identity.oraclecloud.com/fed/v1/metadata.

    Tip: You use these files later during the Adobe Sign configuration in the "Configuring SSO for Adobe Sign" section.

  6. Click Finish. Oracle Identity Cloud Service displays a confirmation message.

  7. Click Activate, and then click Activate Application. Oracle Identity Cloud Service displays a confirmation message.

Assigning Users to the Adobe Sign App

  1. On the Adobe Sign app page in Oracle Identity Cloud Service, select the Users tab, and then click Assign. The Assign Users window appears.

  2. Select users that you want to assign to Adobe Sign, and then click OK. Oracle Identity Cloud Service displays a confirmation message stating that the Adobe Sign app is assigned to the users that you selected.

Configuring SSO for Adobe Sign

Use this section to set up SAML Mode and the hostname, and then configure SSO for Adobe Sign.

Setting up SAML Mode and the Hostname in Adobe Sign

  1. Access Adobe Sign as an administrator at: https://<Account_Name>.echosign.com/public/login, and then click Account.

  2. Select Account Settings, and then SAML Settings.

  3. Use the table to update the federated authentication attributes. Your changes are saved automatically.

    This table lists the mandatory federated authentication attributes that you must set to complete the SSO configuration.
    Attribute Setting
    SAML Mode Select SAML Allowed - users may use SAML Mode, but can also continue to use their Adobe Sign credentials.
    Hostname Enter the preferred Hostname. Note: If you make changes to this hostname after you register and activate the Adobe Sign app in Oracle Identity Cloud Service, you must update the Account Name field in Oracle Identity Cloud Service to reflect the new hostname. See the "Registering and Activating the Adobe Sign App" section.
    User Creation Optional. Select Automatically add users authenticated through SAML and Automatically make pending users in my account active.

Configuring SSO

Select SAML Settings, and then SSO Setting to add the Identity Provider (IdP) Configuration attributes. Use the table to update the federated authentication attributes. Your changes are saved automatically.

Attribute Settings
Entity ID/Issuer URL Enter the Entity ID/Issuer URL. Use the metadata file that you downloaded earlier to obtain the Entity ID/Issuer URL. The Entity ID/Issuer URL information is located in the first line of the metadata. See the "Registering and Activating the Adobe Sign App" section.
Login URL/SSO Endpoint Enter the Login URL and SSO Endpoint: https://<IDCS-Service-Instance>.identity.oraclecloud.com/fed/v1/idp/sso.
Logout URL/SLO Endpoint Enter the Logout URL/SLO Endpoint: https://<IDCS-Service-Instance>.identity.oraclecloud.com/fed/v1/idp/slo.
IdP Certificate Paste the certificate into the IdP Certificate box. You downloaded the certificate during Adobe Sign registration in Oracle Identity Cloud Service. See the "Registering and Activating the Adobe Sign App" section.

Verifying the Integration

Use this section to verify that SSO works when initiated from Oracle Identity Cloud Service (IdP Initiated SSO) and Adobe Sign (SP Initiated SSO).

Verifying Identity Provider Initiated SSO from Oracle Identity Cloud Service

  1. Access the Oracle Identity Cloud Service My Profile console: https://<IDCS-Service-Instance>.identity.oraclecloud.com/ui/v1/myconsole.

  2. Log in using credentials for a user that is assigned to the Adobe Sign app. Oracle Identity Cloud Service displays a shortcut to Adobe Sign under My Apps.

  3. Click Adobe Sign. The Adobe Sign home page appears.

  4. On the Adobe Sign home page, confirm that the user that is logged in is the same for both Adobe Sign and Oracle Identity Cloud Service.

    This confirms that SSO that is initiated from Oracle Identity Cloud Service works.

Verifying Service Provider Initiated SSO from Adobe Sign

  1. Access the Adobe Sign login page, and then click the Sign In button provided for signing in via Oracle Identity Cloud Service.

    You are redirected to the Oracle Identity Cloud Service login page.

  2. Log in using credentials for a user that is assigned to the Adobe Sign app. The Adobe Sign home page appears.

  3. On the Adobe Sign home page, confirm that the user that is logged in is the same for both Adobe Sign and Oracle Identity Cloud Service.

    This confirms that SSO that is initiated from Adobe Sign works.

Verifying Single Log-Out (SLO)

  1. On the Adobe Sign home page, click the user name on the right side of the menu bar, and then select Sign Out from the drop-down list.

  2. Access the Oracle Identity Cloud Service My Profile console, and then confirm that the login page appears.

    This confirms that SLO works and that the user is no longer logged in to Adobe Sign and Oracle Identity Cloud Service.

Troubleshooting

Use this section to locate solutions to common integration issues.

Known Issues

Adobe Sign displays the message “Corporate sign-on failed. Please contact your account administrator." during SSO.

Cause: The email attribute sent by Oracle Identity Cloud Service during SSO doesn't match any existing user in Adobe Sign.

Solution: Ensure that the user that is signed in has an account in both Oracle Identity Cloud Service and Adobe Sign with the same email address.

Oracle Identity Cloud Service Sign displays the message “You are not authorized to access the app. Contact your system administrator."

Cause 1: The SAML 2.0 integration between the Oracle Identity Cloud Service Adobe Sign app and Adobe Sign is deactivated or the administrator has revoked the user's access to Adobe Sign.

Solution 1:

  • Access the Oracle Identity Cloud Service administration console, select Applications, and then Adobe Sign.
  • Click Activate, and then click Activate Application. Oracle Identity Cloud Service displays a confirmation message.

Cause 2: The administrator revokes access for the user at the same time that the user tries to access the Adobe Sign app using Oracle Identity Cloud Service.

Solution 2: Access the Oracle Identity Cloud Service administration console, select Applications, Adobe Sign, Users, and then click Assign to re-assign the user.

Unknown Issues

For unknown issues, contact Oracle Support:

  1. Go to https://support.oracle.com.

  2. Select Cloud Support, and then sign in with your support credentials.

  3. In the Cloud Dashboard, confirm that there are no planned outages in Oracle Identity Cloud Service, and then click Create Service Request.

  4. Select Oracle Identity Cloud Service as the service type.

  5. Complete your service request.