DocuSign Single Sign On (SSO) Certificate Renewal (February 2018): Action May Be Required

Important

DocuSign’s Single Sign-On certificate used to sign SAML AuthN requests is about to expire. As a result, the certificate will be updated on the following new timelines.

Demo: 2/1/2018 at 4:00:00 PM (PDT)
Production (NA1/NA2/NA3/EU): 2/21/2018 at 4:00:00 PM (PDT)

Some Identity Providers use this certificate to verify the signature on DocuSign’s SAML authentication requests. The Identity Provider might also use this certificate to encrypt the SAML response to DocuSign.

Please update your Identity Provider (IdP) to ensure no disruption in service. Failing to update this certificate could mean that your Identity Provider may not allow a user to log into DocuSign after the dates stated above.

Recommended Action for SSO V2 (a.k.a. New SSO) Customers

These are the recommended action items to ensure no service disruption. These steps only apply to customers on new SSO (i.e. SSO V2).
If you are on old SSO (i.e. SSO V1), see the recommended actions for SSO V1 customers below.

You are likely to be impacted if one (or both) of the following is true about your SSO Integration:
  1. Verifies AuthN Signatures: If this is the case, you can obtain the new certificate automatically via the metadata URL.
  2. Encrypts SAML responses to DocuSign: If this is the case, you can obtain the new certificate automatically via the metadata URL, but may need to download the new certificate from the Trust Site and update your Identity Provider manually.
Download: Renewed DocuSign SSO Certificate (1.7 KB) - https://trust.docusign.com/en-us/trust-certifications/docusign-public-certificates/

Update SAML metadata and encryption certificate

  • Update the SAML metadata in your Identity Provider. Under the actions menu beside your Identity Provider, click Endpoints. The link to the SAML metadata for your DocuSign configuration can be found here:
 
Organization Administration (Go to Admin) > Identity Providers > Endpoints > Metadata URL
  • If you have also enabled SAML encryption, you will need to update DocuSign’s certificate which your Identity Provider uses to encrypt SAML responses. 
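
Added example (not DocuSign's code): one way to check, after refreshing the metadata, whether the signing and encryption certificates your Identity Provider has on file are still the ones published in the service provider metadata. The metadata document, entityID, certificate bytes and function names below are constructed for illustration; in practice the XML comes from your Metadata URL and the fingerprints from your IdP configuration.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed stand-ins for DER certificate bytes (not real certificates).
OLD_CERT = b"constructed-old-sp-certificate"
NEW_CERT = b"constructed-renewed-sp-certificate"

def _key(use, der):
    b64 = base64.b64encode(der).decode()
    return (f'<md:KeyDescriptor use="{use}"><ds:KeyInfo><ds:X509Data>'
            f'<ds:X509Certificate>{b64}</ds:X509Certificate>'
            f'</ds:X509Data></ds:KeyInfo></md:KeyDescriptor>')

# Constructed SP metadata, shaped like what a metadata URL serves after renewal.
SAMPLE_METADATA = (
    f'<md:EntityDescriptor xmlns:md="{NS["md"]}" xmlns:ds="{NS["ds"]}" '
    'entityID="https://sp.example.test"><md:SPSSODescriptor '
    'protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
    + _key("signing", NEW_CERT) + _key("encryption", NEW_CERT)
    + '</md:SPSSODescriptor></md:EntityDescriptor>')

def fingerprint(der):
    """SHA-256 fingerprint of DER certificate bytes, lowercase hex."""
    return hashlib.sha256(der).hexdigest()

def metadata_fingerprints(xml_text):
    """Map key use ('signing'/'encryption') to the fingerprints published."""
    found = {"signing": set(), "encryption": set()}
    root = ET.fromstring(xml_text)
    for kd in root.iterfind(".//md:SPSSODescriptor/md:KeyDescriptor", NS):
        # A KeyDescriptor with no 'use' attribute applies to both purposes.
        uses = [kd.get("use")] if kd.get("use") else ["signing", "encryption"]
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join((cert.text or "").split()))
            for use in uses:
                found.setdefault(use, set()).add(fingerprint(der))
    return found

def stale_uses(xml_text, idp_pinned):
    """Key uses whose certificate on file at the IdP is no longer published."""
    published = metadata_fingerprints(xml_text)
    return sorted(u for u, fp in idp_pinned.items()
                  if fp not in published.get(u, set()))

if __name__ == "__main__":
    on_file = {"signing": fingerprint(OLD_CERT),
               "encryption": fingerprint(NEW_CERT)}
    print(stale_uses(SAMPLE_METADATA, on_file))
```

A non-empty result names the key uses (signing, encryption) for which the IdP still holds a certificate that the metadata no longer publishes and that therefore need updating.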

Recommended Action for SSO v1 (a.k.a. Old SSO) Customers

Please follow the recommended action items below to ensure no service disruption. This applies to any user on DocuSign SSO V1.

If your identity provider is configured to verify the signature of incoming SAML AuthN requests, you will need to perform the action below. If you are on SSO V1, you will not be able to use the metadata URL to pull the new certificate automatically. You will need to download the certificate from our Trust Site and update your identity provider accordingly.


Download: Renewed DocuSign SSO Certificate (1.7 KB) - https://trust.docusign.com/en-us/trust-certifications/docusign-public-certificates/

Certificate Renewal Timelines


DocuSign Demo

On 2/1/2018 at 4:00:00 PM (PDT) the new certificate will be in place and DocuSign will start issuing authentication requests with this new certificate. If users are unable to log in after this change, you may need to update your SAML metadata so that your Identity Provider immediately recognizes the new certificate.

DocuSign Production

On 2/21/2018 at 4:00:00 PM (PDT) the new certificate will be in place and DocuSign will start issuing requests with this new certificate in Production. If users are unable to log in after this change, you may need to update your SAML metadata so that your Identity Provider immediately recognizes the new certificate.

Note: DocuSign Customer Support is not familiar with every possible identity provider configuration. Therefore we cannot directly assist with the steps necessary to configure an identity provider's metadata URL nor provide specifics on how to update the SSO certificate customers currently have on file.
