This article will show you how to configure SAML for the DocuSign application in Teamstack.
Once this is done, your users will be able to access DocuSign using Teamstack via SAML. Your users will use their Teamstack credentials when accessing DocuSign.
Features:
- DocuSign (SP) initiated Single Sign-On
- Teamstack (IdP) initiated Single Sign-On
- JIT (Just In Time) Provisioning
Set up SSO via SAML for DocuSign
To set up SSO, you first need to add the DocuSign app to Teamstack, assign it to yourself, and then configure DocuSign SSO with the SAML metadata from Teamstack.
Step 1: Add DocuSign app to Teamstack
1. Go to your Applications in Teamstack.
2. Click "Add Application" in the top right corner.
3. Search for "DocuSign" and click "Add".
4. Select this app to be a "SAML" app and leave the "Service Provider Issuer URL" and "Relay State" inputs empty for now; we will configure this later.
5. In the Organization's Applications overview, click on the newly created DocuSign app. You will see all the details about this app.
6. Click on "Users" and assign this app to yourself. You will need this in order to test whether SAML is working correctly for DocuSign.
7. Click on the "SAML Configurations" tab. Keep this page open; you will need these values when you configure the SAML settings in DocuSign. You also need to download the certificate file by clicking on the "SAML Certificate" button.
Step 2: Set up SAML in DocuSign
DocuSign supports JIT provisioning with the domain that you registered. If you own a domain, go to domain settings in DocuSign and claim it, so that new users with this domain will be able to create new accounts in DocuSign.
1. Log in to your DocuSign Admin Panel. In the top left menu, click on "Admin".
2. In the left sidebar, click on "Identity Providers".
3. Click on "ADD IDENTITY PROVIDER" to add a new SAML connection.
4. Choose "Teamstack" for the "Name" input.
5. For "Identity Provider Issuer", copy the value "Issuer (Idp Entity ID)" from Teamstack (Step 1.7 above).
6. For "Identity Provider Login URL", copy the value "Sign-in Page URL" from Teamstack.
7. If you want your users to be able to log in via SAML using an email domain other than the one you set up in DocuSign, check "Enable Third-Party Login".
8. Under "Custom Attribute Mapping", click "ADD NEW MAPPING" and add custom attributes.
   - Select Field "givenname" and fill in Attribute Name "givenname".
   - Select Field "surname" and fill in Attribute Name "surname".
   - Select Field "emailaddress" and fill in Attribute Name "emailaddress".
   Click "Save".
9. Now you have to add a new certificate. Click on "Add New Certificate" and upload the file that you downloaded in Step 1.7 above.
10. Click "Save".
11. After that, you will be redirected back to the "Identity Providers" settings page.
12. Click on the "ACTIONS" button and select "Endpoints".
13. Copy the value "Service Provider Issuer URL" and go back to the Teamstack app settings.
14. In the Teamstack DocuSign app settings, add this value to the "Service Provider Issuer URL" input that you left empty earlier and click "Save".
Test:
You can now test the login from Teamstack to DocuSign. You need to have DocuSign assigned to yourself in Teamstack. To test the connection, do the following:
1. Open a new incognito window.
2. Log into Teamstack.
3. Click on the DocuSign app on your dashboard.
You will be redirected to DocuSign and will be logged in without the need to enter a password at DocuSign.
Note: If users try to log in by using an email address with a domain that is not claimed in DocuSign, users will have to create an account first and verify their email in order to be able to log in via SAML.
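If the test login fails, the usual causes are a wrong issuer value or a missing mapped attribute. The following is an added example, not code from Teamstack or DocuSign: it inspects a base64 SAMLResponse captured from your own test login and reports mismatches against the values configured above. The URLs are placeholders, the sample response is constructed, and it assumes the "Service Provider Issuer URL" is sent as the assertion's Audience.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
REQUIRED_ATTRS = {"givenname", "surname", "emailaddress"}  # names mapped in Step 2
IDP_ISSUER = "https://idp.example.com/saml"  # placeholder for "Issuer (Idp Entity ID)"
SP_ISSUER = "https://sp.example.com/saml2"   # placeholder for "Service Provider Issuer URL"

def check_response(b64_response, expected_issuer, expected_audience):
    """List configuration problems in a base64 SAMLResponse. Debugging aid only:
    it does not verify the XML signature, so never use it to authenticate anyone."""
    root = ET.fromstring(base64.b64decode(b64_response))
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return ["no unencrypted Assertion in response"]
    problems = []
    issuer = (assertion.findtext("saml:Issuer", default="", namespaces=NS) or "").strip()
    if issuer != expected_issuer:
        problems.append(f"issuer mismatch: {issuer!r}")
    # Assumption: the SP issuer configured in the IdP appears as the Audience.
    audiences = sorted(a.text.strip() for a in assertion.iterfind(".//saml:Audience", NS) if a.text)
    if expected_audience not in audiences:
        problems.append(f"audience mismatch: {audiences}")
    present = set()
    for attr in assertion.iterfind(".//saml:Attribute", NS):
        values = [v.text for v in attr.iterfind("saml:AttributeValue", NS)]
        if any(v and v.strip() for v in values):  # an empty value counts as missing
            present.add(attr.get("Name"))
    problems += [f"missing or empty attribute: {n}" for n in sorted(REQUIRED_ATTRS - present)]
    return problems

def sample_response(attrs, issuer=IDP_ISSUER, audience=SP_ISSUER):
    """Build a constructed, unsigned SAMLResponse so the check runs offline."""
    attr_xml = "".join(
        f'<saml:Attribute Name="{n}"><saml:AttributeValue>{v}</saml:AttributeValue></saml:Attribute>'
        for n, v in attrs.items())
    xml = (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}">'
           f'<saml:Assertion><saml:Issuer>{issuer}</saml:Issuer><saml:Conditions>'
           f'<saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience>'
           f'</saml:AudienceRestriction></saml:Conditions>'
           f'<saml:AttributeStatement>{attr_xml}</saml:AttributeStatement>'
           f'</saml:Assertion></samlp:Response>')
    return base64.b64encode(xml.encode()).decode()

if __name__ == "__main__":
    demo = sample_response({"givenname": "Ada", "emailaddress": "ada@example.com"})
    print(check_response(demo, IDP_ISSUER, SP_ISSUER))
```

To use it on a real login, replace the two placeholder URLs with the values from your Teamstack "SAML Configurations" tab and DocuSign "Endpoints" page, and pass the SAMLResponse form value captured in your browser's developer tools.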