DocuSign SSO - The issuing identity provider is not registered with DocuSign

Issue

Selecting the Company Login option at https://account.docusign.com results in the error message "The issuing Identity Provider is not registered with DocuSign", and the login fails.


Possible Causes

Certificate Mismatch

The X.509 certificate carried in the SAMLResponse from your Identity Provider does not match the X.509 certificate uploaded to your SSO configuration within DocuSign. DocuSign validates the signature on the response against the uploaded certificate, so a response signed with any other certificate is rejected.

As an example, Azure Active Directory by default rolls over the SAML signing (X.509) certificate of a custom SAML application every 90 days. Once Azure starts signing with the new certificate, the SAML authentication handshake fails even though the certificate uploaded to DocuSign has not itself expired. Customers have informed us that Azure does not allow two active certificates at once: when a new certificate is released, any existing certificate is automatically invalidated.
 

Assertion Consumer Service URI Issue

DocuSign has updated the format of the Service Provider Assertion Consumer Service (ACS) URI for newly created Identity Provider configurations. The update appends the Identity Provider ID (IDPID), a GUID, to the ACS URI.
  • Legacy format: https://account.docusign.com/organizations/[OrganizationID]/saml2/login
  • Current format: https://account.docusign.com/organizations/[OrganizationID]/saml2/login/[IDPID]
Because the new format applies only to newly created Identity Provider configurations, the Endpoints page for each Identity Provider configuration within DocuSign Admin displays the correct ACS URI format for that configuration. If your Identity Provider sends the response to the legacy-formatted URI but your Identity Provider configuration requires the new format, users receive "The issuing Identity Provider is not registered with DocuSign" even when the X.509 certificate matches.
 

Troubleshooting

To confirm the root cause of this error, capture a SAML trace from your browser and inspect the SAMLResponse. The SAMLResponse carries the signing certificate from your Identity Provider as base64-encoded text inside the X509Certificate element. Save that text as a certificate file and check whether its details (issuer, thumbprint, etc.) match the certificate uploaded to your SSO configuration within DocuSign. Also review the Destination attribute of the Response element to confirm that its value and format exactly match the Service Provider Assertion Consumer Service URL shown under your Identity Provider configuration's Endpoints; the comparison is exact and case-sensitive, so a missing IDPID segment or a trailing slash is enough to fail.
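The following script automates the two checks above. It is an added example, not DocuSign's code or a DocuSign tool: it decodes a SAMLResponse as captured from a browser SAML trace (HTTP-POST binding, base64 and form-encoded), pulls every X509Certificate out of it, computes the thumbprint over the DER bytes, compares it with the thumbprint of the certificate you uploaded, and checks the Destination attribute against the ACS URL from the Endpoints page, flagging the legacy no-IDPID format. The ACS URL, the GUIDs in it and the certificate bytes are constructed placeholders, not real identifiers, and the sample response is built inline so the script runs offline; point `diagnose` at a real trace value, your real Endpoints ACS URL and the thumbprint of your uploaded certificate to use it.

```python
import base64
import hashlib
import re
import urllib.parse
import xml.etree.ElementTree as ET

DS_NS = "http://www.w3.org/2000/09/xmldsig#"
SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"

# Current-format ACS URL as it would appear under Endpoints in DocuSign Admin.
# The OrganizationID and IDPID GUIDs are placeholders, not real identifiers.
EXPECTED_ACS = ("https://account.docusign.com/organizations/"
                "11111111-2222-3333-4444-555555555555/saml2/login/"
                "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee")

# Constructed stand-in for the DER bytes of the IdP signing certificate; a real
# response carries the base64 DER of the actual certificate in X509Certificate.
SAMPLE_DER = b"\x30\x82\x01\x00" + b"constructed-idp-signing-certificate"

LEGACY_ACS_RE = re.compile(
    r"^https://account\.docusign\.com/organizations/[^/]+/saml2/login/?$")
CURRENT_ACS_RE = re.compile(
    r"^https://account\.docusign\.com/organizations/[^/]+/saml2/login/[0-9a-fA-F-]{36}$")


def build_sample_response(destination: str, der: bytes) -> str:
    """Construct a minimal SAMLResponse the way a browser SAML trace shows it:
    base64 of the XML, form-encoded for the HTTP-POST binding. Only the fields
    the troubleshooting steps look at are present; it is not a signed response."""
    xml = (
        f'<samlp:Response xmlns:samlp="{SAMLP_NS}" xmlns:ds="{DS_NS}" '
        f'ID="_constructed" Version="2.0" Destination="{destination}">'
        "<ds:Signature><ds:KeyInfo><ds:X509Data><ds:X509Certificate>"
        + base64.b64encode(der).decode()
        + "</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>"
        "</samlp:Response>"
    )
    return urllib.parse.quote(base64.b64encode(xml.encode()).decode())


def decode_saml_response(form_value: str) -> ET.Element:
    """Undo the form encoding and base64 of the HTTP-POST binding and parse the XML."""
    return ET.fromstring(base64.b64decode(urllib.parse.unquote(form_value)))


def extract_certificates(root: ET.Element) -> list[bytes]:
    """DER bytes of every X509Certificate in the response. The Response and each
    Assertion may carry its own Signature, so more than one can be present."""
    certs = []
    for node in root.iter(f"{{{DS_NS}}}X509Certificate"):
        b64 = "".join((node.text or "").split())  # drop line breaks inside the PEM body
        certs.append(base64.b64decode(b64))
    return certs


def thumbprint(der: bytes, algo: str = "sha256") -> str:
    """Certificate thumbprint: hash over the DER encoding, lower-case hex, no separators."""
    return hashlib.new(algo, der).hexdigest()


def normalize_thumbprint(value: str) -> str:
    """Accept 'AB:CD:..', 'ab cd ..' or bare hex as copied from a certificate viewer."""
    return re.sub(r"[^0-9a-f]", "", value.lower())


def to_pem(der: bytes) -> str:
    """Wrap DER as PEM so the traced certificate can be saved as a .cer file and inspected."""
    body = base64.b64encode(der).decode()
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def diagnose(form_value: str, expected_acs: str, uploaded_thumbprint: str) -> dict:
    """Compare the traced response against the DocuSign-side configuration."""
    root = decode_saml_response(form_value)
    traced = {thumbprint(c) for c in extract_certificates(root)}
    destination = root.get("Destination")
    return {
        "traced_thumbprints": sorted(traced),
        "certificate_match": normalize_thumbprint(uploaded_thumbprint) in traced,
        "destination": destination,
        "destination_match": destination == expected_acs,  # exact, case-sensitive
        "legacy_acs_format": bool(destination and LEGACY_ACS_RE.match(destination)),
        "current_acs_format": bool(destination and CURRENT_ACS_RE.match(destination)),
    }


if __name__ == "__main__":
    uploaded = thumbprint(SAMPLE_DER)  # thumbprint of the certificate uploaded to DocuSign
    # Happy path: certificate matches and Destination is the current-format ACS URL.
    ok = diagnose(build_sample_response(EXPECTED_ACS, SAMPLE_DER), EXPECTED_ACS, uploaded)
    # IdP still posting to the legacy ACS URL: certificate matches, Destination does not.
    legacy_acs = EXPECTED_ACS.rsplit("/", 1)[0]
    stale = diagnose(build_sample_response(legacy_acs, SAMPLE_DER), EXPECTED_ACS, uploaded)
    for name, result in (("current", ok), ("legacy", stale)):
        print(name, {k: v for k, v in result.items() if k != "traced_thumbprints"})
```

A thumbprint is just a hash over the certificate's DER bytes, so computing it yourself over the file you uploaded and over the bytes in the trace is enough to settle the certificate question without a certificate viewer; `to_pem` gives you a file to open in one if you also want the issuer and validity dates. If `certificate_match` is true but `legacy_acs_format` is true, the Identity Provider is posting to the old ACS URI and needs the Endpoints value from DocuSign Admin.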


Solutions

Certificate Mismatch

A DocuSign Administrator with full rights to manage the organization must sign in to DocuSign and upload the Identity Provider's current signing certificate to the SSO configuration.

This requires the following steps:
  1. The DocuSign Administrator must log in at https://account.docusign.com (Do not use the IdP/SSO to log in)
  2. Click the app switcher waffle icon in the upper left hand corner
  3. Select Admin
  4. Select Identity Providers
  5. Select Actions next to the Identity Provider in question
  6. Select Edit
  7. Select Add Certificate
  8. Upload the certificate from its saved location on the PC.
  9. Click Save


For customers using Azure/ADFS as their Identity Provider

At this time DocuSign does not support the automatic certificate rollover feature offered by Azure for custom SAML configurations. This is being investigated for a future release. Ensure you have configured Azure to use the DocuSign Azure AD connector per the tutorial linked under Related, which provides a certificate valid for 3 years. If you use a custom SAML configuration instead, the certificate expiration defaults to 90 days but can be configured manually; refer to the Azure documentation for custom SAML app certificate expiration. Whichever option you use, note the certificate's expiry date and plan to upload the replacement to DocuSign before Azure rolls over, since the rollover itself is what triggers this error.
 

Assertion Consumer Service URI Issue

A DocuSign Administrator with full rights to manage the organization must sign in to DocuSign, obtain the correct Service Provider Assertion Consumer Service URI, and then update the DocuSign configuration within the Identity Provider with that value.

This requires the following steps:
  1. The DocuSign Administrator must log in at https://account.docusign.com (Do not use the IdP/SSO to log in)
  2. Click the app switcher waffle icon in the upper left hand corner
  3. Select Admin
  4. Select Identity Providers
  5. Select Actions next to the Identity Provider in question
  6. Select Endpoints
  7. Copy the value in the Service Provider Assertion Consumer Service URL field
The steps to update this value vary by Identity Provider (it is typically the Reply URL or Assertion Consumer Service URL field of the DocuSign application). Refer to your Identity Provider's documentation or support team for assistance in updating this value within the Identity Provider.
 

Related

Tutorial: Azure Active Directory integration with DocuSign
DocuSign Organization Administration Guide (PDF)