DocuSign SSO with Azure Active Directory - The issuing identity provider is not registered with DocuSign
This is specific to DocuSign SSO with Azure Active Directory as the IdP (Identity Provider).
Using the Company Login option at https://account.docusign.com results in the error message "The issuing Identity Provider is not registered with DocuSign", and the login is unsuccessful.
Every 90 days, Azure Active Directory expires its SAML/X.509 certificate, which causes the SAML authentication handshake to fail even if that certificate has not yet reached its own expiry date. Customers have informed us that Azure does not allow two active certificates at once: when a new certificate is released, it automatically invalidates any existing certificates.
A DocuSign SSO Organization Administrator must sign in to DocuSign and upload a newly generated ADFS/Azure SSO certificate into our system.
At this time DocuSign does not support the automatic certificate rollover feature offered by Azure for custom SAML configurations. This is being investigated for a future release. Please ensure you have configured Azure to use the DocuSign Azure AD connector per the article linked below to obtain a certificate which is valid for 3 years. If you use a custom SAML configuration instead, the certificate will expire within 6 weeks.
This requires the following steps:
- The Organization Administrator must log in at https://account.docusign.com (Do not use the IdP/SSO to log in)
- Click the drop-down in the upper right-hand corner
- Select Go to Admin
- Select Identity Providers
- Select Actions next to the Identity Provider in question
- Select Edit
- Select Add Certificate
- Upload the certificate from its saved location on the PC
- Then click Save
Tutorial: Azure Active Directory integration with DocuSign
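The error above is raised when the certificate that signed the SAML response is not among the certificates the service provider has on file. The following script is an added example, not DocuSign or Microsoft code: it parses an IdP's SAML federation metadata, computes the SHA-256 thumbprint of every signing certificate listed there, and reports any that the service provider does not have registered, so an administrator can spot an Azure rollover before users hit the login failure. The metadata document, the entityID and the "certificate" bytes are constructed placeholders (the bytes are not real DER certificates); in practice you would fetch the tenant's federation metadata and compare against the thumbprints shown under Identity Providers in DocuSign Admin.

```python
"""Pre-flight check for "The issuing Identity Provider is not registered".

Hypothetical monitoring script (not DocuSign's or Microsoft's code). It
extracts the signing certificates from SAML IdP metadata, thumbprints them,
and flags any the service provider has not registered. A signing certificate
unknown to the SP is exactly the condition behind the error in this article.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET
from typing import Iterable, List

# Standard SAML 2.0 metadata and XML-DSig namespaces.
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed placeholder "certificates": arbitrary bytes standing in for DER.
OLD_CERT = b"constructed-placeholder-der-certificate-old"
NEW_CERT = b"constructed-placeholder-der-certificate-new"


def build_metadata(der_certs: Iterable[bytes]) -> str:
    """Build a minimal, constructed IdP metadata document listing the given signing certs."""
    descriptors = "".join(
        '<md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>'
        f"<ds:X509Certificate>{base64.b64encode(der).decode()}</ds:X509Certificate>"
        "</ds:X509Data></ds:KeyInfo></md:KeyDescriptor>"
        for der in der_certs
    )
    return (
        '<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" '
        'xmlns:ds="http://www.w3.org/2000/09/xmldsig#" '
        'entityID="https://sts.windows.net/00000000-0000-0000-0000-000000000000/">'  # placeholder tenant
        '<md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
        f"{descriptors}</md:IDPSSODescriptor></md:EntityDescriptor>"
    )


def signing_certs_from_metadata(metadata_xml: str) -> List[bytes]:
    """Return the DER bytes of every signing certificate in the IdP metadata."""
    root = ET.fromstring(metadata_xml)
    certs = []
    for kd in root.iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        # A KeyDescriptor without a "use" attribute is valid for signing and encryption.
        if kd.get("use", "signing") != "signing":
            continue
        for node in kd.iterfind(".//ds:X509Certificate", NS):
            b64 = "".join((node.text or "").split())  # metadata often wraps the base64
            certs.append(base64.b64decode(b64))
    return certs


def thumbprint(der: bytes) -> str:
    """SHA-256 thumbprint of a DER certificate, upper-case hex without separators."""
    return hashlib.sha256(der).hexdigest().upper()


def unregistered_signing_certs(metadata_xml: str, registered: Iterable[str]) -> List[str]:
    """Thumbprints of IdP signing certs that the service provider does not have on file."""
    known = {t.replace(":", "").upper() for t in registered}
    return [
        thumbprint(der)
        for der in signing_certs_from_metadata(metadata_xml)
        if thumbprint(der) not in known
    ]


if __name__ == "__main__":
    # Azure has rolled over: metadata now advertises NEW_CERT, DocuSign still has OLD_CERT.
    metadata = build_metadata([NEW_CERT])
    missing = unregistered_signing_certs(metadata, [thumbprint(OLD_CERT)])
    if missing:
        print("Login will fail; upload these certificates via Admin > Identity Providers:")
        for t in missing:
            print("  SHA-256", t)
    # After the administrator uploads the new certificate, nothing is flagged.
    print("after upload:", unregistered_signing_certs(metadata, [thumbprint(OLD_CERT), thumbprint(NEW_CERT)]))
```

Run it on a schedule against the tenant's federation metadata and alert when the returned list is non-empty; the thumbprint format matches what most SP admin consoles display, so the flagged value can be compared directly with the certificate entries in DocuSign Admin.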