DocuSign SSO - The issuing identity provider is not registered with DocuSign

Issue

This is specific to DocuSign SSO with Azure Active Directory as the IdP (Identity Provider).
The Company Login option at https://account.docusign.com results in the error message "The issuing Identity Provider is not registered with DocuSign" and the login is unsuccessful.

Possible Cause

Every 90 days, Azure Active Directory expires its SAML/X.509 certificate, which causes the SAML authentication handshake to fail even if that certificate has not expired. Customers have informed us that Azure does not allow two active certificates at once: if a new certificate is released, it automatically invalidates any existing certificates.

Solution

A DocuSign SSO Organization Administrator must sign in to DocuSign and upload a newly generated ADFS/Azure SSO certificate into our system.

This requires the following steps:
  1. The Organization Administrator must log in at https://account.docusign.com (do not use the IdP/SSO to log in)
  2. Click the drop-down in the upper right-hand corner
  3. Select Go to Admin
  4. Select Identity Providers
  5. Select Actions next to the Identity Provider in question
  6. Select Edit
  7. Select Add Certificate
  8. Upload the certificate from its saved location on the PC
  9. Then click Save

At this time DocuSign does not support the automatic certificate rollover feature described in the Azure article below. This is being investigated for a future release.

Related

Tutorial: Azure Active Directory integration with DocuSign