DocuSign SSO - The issuing identity provider is not registered with DocuSign
Selecting the Company Login option at https://account.docusign.com results in the error message "The issuing Identity Provider is not registered with DocuSign" and the login fails.
Possible Cause
The X.509 signing certificate that your Identity Provider includes in the SAMLResponse does not match the X.509 certificate uploaded to your SSO configuration within DocuSign. DocuSign verifies the signature on the response against the uploaded certificate, so a response signed with any other certificate is rejected with this error.
As an example, Azure Active Directory rolls over its SAML signing certificate every 90 days, which causes the SAML authentication handshake to fail even though the certificate on file in DocuSign has not itself expired. Customers have also reported that Azure does not allow two active certificates at once: as soon as a new certificate is activated, the existing one is invalidated.
To confirm the root cause, capture a SAML trace in your browser (a SAML tracer extension or the browser's network tools will show the SAMLResponse form field) and decode the SAMLResponse. It is base64-encoded XML; inside it, the ds:X509Certificate element carries the certificate your Identity Provider signed with, again as base64 text. Save that text as a certificate file (PEM, between BEGIN CERTIFICATE and END CERTIFICATE lines) and check whether its details (issuer, thumbprint, validity dates) match the certificate uploaded to your SSO configuration within DocuSign. If the thumbprints differ, the Identity Provider has rolled its certificate and DocuSign is still holding the old one.
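The comparison described above can be scripted rather than done by hand. The following is an added example written for this article, not DocuSign or Microsoft code: it decodes a SAMLResponse value copied from a SAML trace, pulls every ds:X509Certificate out of the XML (both the Response and the Assertion may carry a Signature, and ADFS wraps the base64 across lines), computes the SHA-1 or SHA-256 thumbprint of each, and reports whether any of them matches the thumbprint of the certificate on file in DocuSign. The sample SAMLResponse, the all-zero Azure tenant ID and the placeholder DER blob are constructed for a stand-alone run and are not a real certificate; the Issuer format https://sts.windows.net/<tenant-id>/ is the one Azure AD uses.

```python
"""Compare the signing certificate inside a SAMLResponse with the thumbprint
of the certificate uploaded to DocuSign.  Added example for this article; not
DocuSign or Microsoft code.  Standard library only; if the optional
'cryptography' package is installed, describe() also returns issuer/subject/
expiry of a real certificate."""
import base64
import hashlib
import re
import ssl
import xml.etree.ElementTree as ET
from typing import Dict, List
from urllib.parse import unquote_plus

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def decode_saml_response(form_value: str) -> bytes:
    """The SAMLResponse POST field is base64 XML.  Some tracers show it still
    URL-encoded ('+' as %2B, '=' as %3D) or wrapped; undo both first."""
    value = form_value.strip()
    if "%" in value:  # base64 never contains '%', so this means URL-encoding
        value = unquote_plus(value)
    return base64.b64decode(re.sub(r"\s+", "", value))


def extract_certificates(xml_bytes: bytes) -> List[bytes]:
    """DER bytes of every ds:X509Certificate in the document (Response and
    Assertion signatures).  Whitespace is stripped because ADFS line-wraps."""
    root = ET.fromstring(xml_bytes)
    return [base64.b64decode(re.sub(r"\s+", "", node.text or ""))
            for node in root.iter("{%s}X509Certificate" % NS["ds"])]


def response_issuer(xml_bytes: bytes) -> str:
    """Entity ID the response claims to come from (Azure AD: sts.windows.net)."""
    node = ET.fromstring(xml_bytes).find("saml:Issuer", NS)
    return (node.text or "").strip() if node is not None else ""


def fingerprint(der: bytes, algo: str = "sha1") -> str:
    """Colon-separated upper-case digest of the DER, the same form that
    'openssl x509 -fingerprint' prints."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize_thumbprint(value: str) -> str:
    """Drop colons/spaces so thumbprints copied from different UIs compare."""
    return re.sub(r"[^0-9A-Fa-f]", "", value).upper()


def check_response(form_value: str, uploaded_thumbprint: str) -> Dict[str, object]:
    """Report whether any certificate in the traced SAMLResponse matches the
    thumbprint of the certificate on file in DocuSign."""
    xml_bytes = decode_saml_response(form_value)
    wanted = normalize_thumbprint(uploaded_thumbprint)
    algo = "sha256" if len(wanted) == 64 else "sha1"  # accept either form
    seen = [fingerprint(c, algo) for c in extract_certificates(xml_bytes)]
    return {"issuer": response_issuer(xml_bytes), "certificates": seen,
            "match": any(normalize_thumbprint(f) == wanted for f in seen)}


def to_pem(der: bytes) -> str:
    """PEM text to save as a .cer file for upload or for 'openssl x509 -text'."""
    return ssl.DER_cert_to_PEM_cert(der)


def describe(der: bytes):
    """Issuer, subject and expiry via the optional cryptography package;
    None if it is missing or the bytes are not a parseable certificate."""
    try:
        from cryptography import x509
        cert = x509.load_der_x509_certificate(der)
    except (ImportError, ValueError):
        return None
    not_after = getattr(cert, "not_valid_after_utc", None) or cert.not_valid_after
    return {"subject": cert.subject.rfc4514_string(),
            "issuer": cert.issuer.rfc4514_string(), "not_after": not_after.isoformat()}


# Constructed sample data: a minimal DER SEQUENCE standing in for a real
# signing certificate, and an all-zero tenant ID.
SAMPLE_DER = b"\x30\x03\x02\x01\x01"
SAMPLE_TENANT = "00000000-0000-0000-0000-000000000000"


def build_sample_response(der: bytes, tenant: str = SAMPLE_TENANT) -> str:
    """Skeleton Azure-AD-style SAMLResponse with the certificate in the
    Assertion's ds:KeyInfo, base64-encoded as a tracer would show it."""
    issuer = "https://sts.windows.net/%s/" % tenant
    xml = ('<samlp:Response xmlns:samlp="%s" xmlns:saml="%s" ID="_r1" Version="2.0">'
           '<saml:Issuer>%s</saml:Issuer><saml:Assertion ID="_a1" Version="2.0">'
           '<saml:Issuer>%s</saml:Issuer><ds:Signature xmlns:ds="%s"><ds:KeyInfo>'
           '<ds:X509Data><ds:X509Certificate>%s</ds:X509Certificate></ds:X509Data>'
           '</ds:KeyInfo></ds:Signature></saml:Assertion></samlp:Response>'
           ) % (NS["samlp"], NS["saml"], issuer, issuer, NS["ds"],
                base64.b64encode(der).decode())
    return base64.b64encode(xml.encode()).decode()


if __name__ == "__main__":
    trace_value = build_sample_response(SAMPLE_DER)
    # Thumbprint copied from DocuSign > Identity Providers (here the sample's
    # own, so it matches; change it to see a mismatch reported).
    report = check_response(trace_value, fingerprint(SAMPLE_DER))
    print("Issuer:", report["issuer"])
    print("Certificates in response:", report["certificates"])
    print("Matches DocuSign upload:", report["match"])
    if not report["match"]:
        print(to_pem(extract_certificates(decode_saml_response(trace_value))[0]))
```

Paste the real SAMLResponse value from your trace into check_response together with the thumbprint shown for the Identity Provider in DocuSign. A response whose certificates all fail to match is the situation this article describes; to_pem gives you the file to upload in the steps below, and describe shows which certificate (issuer, expiry) the IdP is now using.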
Solution
A DocuSign Organization Administrator must sign in to DocuSign and upload the Identity Provider's newly generated signing certificate. Because DocuSign can hold more than one certificate for an Identity Provider (see Add Certificate below), upload the new certificate before the IdP starts signing with it whenever the IdP makes it available in advance; that avoids a login outage at rollover.
This requires the following steps:
- The Organization Administrator must log in at https://account.docusign.com with DocuSign credentials (do not use the IdP/SSO option, since that is the login that is failing)
- Click the drop-down in the upper right hand corner
- Select Go to Admin
- Select Identity Providers
- Select Actions next to the Identity Provider in question
- Select Edit
- Select Add Certificate
- Upload the certificate file saved from the SAML trace (or exported from the Identity Provider)
- Click Save
At this time DocuSign does not support the automatic certificate rollover feature offered by Azure for custom SAML configurations; this is being investigated for a future release. Ensure you have configured Azure to use the DocuSign Azure AD connector, per the article below, which obtains a certificate valid for 3 years. If you use a custom SAML configuration instead, the certificate will expire within 6 weeks and the steps above must be repeated at every rollover.
For customers using Azure/ADFS as their Identity Provider
Related
Tutorial: Azure Active Directory integration with DocuSign
DocuSign Organization Administration Guide (PDF)