
Connecting federated authentication to Okta

Connecting Okta to a federated authentication system

Okta can let another federated identity solution remain the source of truth for your users while Okta itself acts purely as the access-control layer for shared applications.

Below are direct links to the Okta documentation for their primary directory integrations.  

Note that configuring an external identity solution requires an Okta user that holds the appropriate Okta admin role (assigned in that user's Okta profile).

Okta also permits external identity providers to be configured.

Log in to the Okta admin console and navigate to Security > Identity Providers > Add Identity Provider to see the list of options.

Note

Notice that a generic SAML 2.0 IdP option exists for any SAML 2.0 compliant identity provider that isn't listed.

Adding the Acrobat Sign Administrative Roles to your directory or IdP configuration

When users are mastered by an external directory or IdP, their profiles can no longer be edited directly in the Okta admin console.

This means the Acrobat Sign admin roles have to be set in the upstream identity solution and passed into Okta through its attribute mappings.

Every solution differs, but the suggestions below for two common setups may help with your configuration.

Contact your onboarding/professional services team if you need assistance with your particular solution.

LDAP and Active Directory admins can map the admin roles from group membership with Okta Expression Language, for example:

  • String.stringContains(appuser.group, "signAdmins") ? {"Account Admin"} : {}  maps the account admins.
  • String.stringContains(appuser.group, "privacyAdmins") ? {"Privacy Admin"} : {}  maps the privacy admins.
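The following Python model is an added example, not code from the Adobe page or from Okta. It emulates the two expressions above so you can check what a given set of group memberships would grant, and it shows the caveat a practitioner should keep in mind: String.stringContains is a substring test, so if appuser.group is evaluated as a single string of joined group names, any group whose name merely contains "signAdmins" (such as a "signAdmins-readonly" group) would also grant Account Admin. The names appuser.group, the comma-joined representation, the sample groups and the exact-match alternative are assumptions made for this example.

```python
"""Added example (not from the Adobe/Okta page): model the group-to-role
mapping expressed by the two Okta Expression Language ternaries above and
show why a substring match over group names can over-grant.

Assumptions (not stated on the page): appuser.group is evaluated as a
comma-joined string of the user's group names, and the two expressions are
evaluated independently with their results concatenated into the role array.
"""

# Group-name marker -> Acrobat Sign admin role, mirroring the page's two
# expressions in the order they appear.
ROLE_BY_GROUP = {
    "signAdmins": "Account Admin",
    "privacyAdmins": "Privacy Admin",
}


def roles_substring(groups):
    """Emulates String.stringContains(appuser.group, marker) ? {role} : {}.

    String.stringContains is a substring test, so the joined group string is
    searched for the marker anywhere inside it, including inside longer names.
    """
    joined = ",".join(groups)
    return [role for marker, role in ROLE_BY_GROUP.items() if marker in joined]


def roles_exact(groups):
    """Hardened variant: grant a role only on an exact group-name match.

    This is what an array membership test (Okta's Arrays.contains over an
    array-valued group attribute, assumed here) would express.
    """
    members = set(groups)
    return [role for marker, role in ROLE_BY_GROUP.items() if marker in members]


if __name__ == "__main__":
    # Constructed sample directory memberships.
    alice = ["staff", "signAdmins"]
    mallory = ["staff", "signAdmins-readonly"]  # not the admin group
    print("alice:  ", roles_substring(alice), roles_exact(alice))
    print("mallory:", roles_substring(mallory), roles_exact(mallory))
```

Whichever form you use, confirm the result in Okta by previewing the mapped attribute for a test user who is in a similarly named but non-admin group before relying on the expression in production.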

Configure the SAML 2.0 provider:

Every SAML provider has its own interface and workflow, so treat the steps below as a pattern to adapt rather than a script to follow literally. Contact the Adobe professional services team if you have any trouble or concerns.

This example uses OneLogin. Both the SAML provider and the Okta admin console need configuration.

  1. Log in to the SAML provider as an admin.

  2. Navigate to Users > Roles and select New Role.

  3. Enter the role name PRIVACY_ADMIN, select the green checkmark, and click Save.

  4. Click New Role.

  5. Enter the role name ACCOUNT_ADMIN, select the green checkmark, and click Save.

  6. Navigate to Applications > Applications and open your SAML Test Connector (Advanced) app.

  7. Select the Parameters tab and click the + button to add a new parameter.

  8. Add a parameter named SignRoles:

    • Enable Include in SAML Assertion
    • Enable Multi-value parameter
    • Click Save

  9. In the Default if no value selected field, select User Roles from the drop-down list, then select Semicolon Delimited input from the next drop-down list. Click Save.

  10. Click the Save button in the top right corner of the app configuration.

Configure the Okta admin console:

  1. In the Okta admin console, navigate to Directory > Profile Editor.

  2. Select your SAML 2.0 IdP from the list.

  3. In the Profile Editor for your IdP, click the Add Attribute button.

  4. Configure the attribute as follows, then click Save:

    • Data Type: string array
    • Display name: Sign Roles
    • Variable name: signRoles
    • External name: signRoles

  5. In the Profile Editor for your IdP, click the Mappings button.

  6. On the SAML 2.0 IdP to Okta User tab, select signRoles (appuser.signRoles) from the drop-down list and map it to signRoles in Okta. Click Save Mappings, then select Apply updates now.

  7. Click the Mappings button again.

  8. Click Okta User to SAML 2.0 IdP.

  9. Choose signRoles from the drop-down list and map it to signRoles in the SAML 2.0 IdP. Click Save Mappings, then select Apply updates now.
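To see the two halves of this procedure meet, the Python below is an added example (not code from the Adobe page, OneLogin or Okta) that takes the SAML 2.0 AttributeStatement a provider would send for the multi-valued SignRoles parameter and turns it into the string array that the signRoles attribute configured above holds in Okta. The assertion is constructed for the example; the page does not say whether a multi-value, semicolon-delimited parameter arrives as several AttributeValue elements or one delimited value, so both encodings are handled. The example also filters to the two roles created in the provider steps, and it assumes the assertion's signature has already been validated by the SAML stack before any attribute in it is trusted.

```python
"""Added example (not from the Adobe/Okta page): extract the multi-valued
SignRoles attribute from a SAML 2.0 AttributeStatement and normalise it into
the string-array shape used for Okta's signRoles attribute.

Assumptions (not stated on the page): the attribute may arrive either as
several <saml:AttributeValue> elements or as one semicolon-delimited value,
the assertion below is constructed for this example, and signature
validation of the assertion has already happened before this code runs.
"""
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Roles created in steps 3 and 5 of the provider configuration. Any other
# value in the attribute is dropped rather than forwarded into Okta.
ALLOWED_ROLES = {"PRIVACY_ADMIN", "ACCOUNT_ADMIN"}

# Constructed sample: only the AttributeStatement part of an assertion, with
# one semicolon-delimited value and one separate value (an unrelated role).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="SignRoles">
      <saml:AttributeValue>PRIVACY_ADMIN;ACCOUNT_ADMIN</saml:AttributeValue>
      <saml:AttributeValue>HELPDESK</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def sign_roles(assertion_xml, attr_name="SignRoles"):
    """Return the allowed Acrobat Sign roles carried in attr_name, sorted.

    Handles both multi-value encodings: several AttributeValue elements and
    semicolon-delimited text inside a single AttributeValue. Unknown role
    names, blanks and duplicates are discarded.
    """
    root = ET.fromstring(assertion_xml)
    values = []
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        if attr.get("Name") != attr_name:
            continue
        for val in attr.findall("saml:AttributeValue", SAML_NS):
            text = val.text or ""
            values.extend(part.strip() for part in text.split(";"))
    return sorted({v for v in values if v in ALLOWED_ROLES})


if __name__ == "__main__":
    print(sign_roles(SAMPLE_ASSERTION))
```

The allowlist is the important design choice: because the roles are mastered upstream and cannot be edited in Okta, anything the provider emits in SignRoles would otherwise flow straight into the signRoles array, so only the role names you deliberately created should survive the mapping.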

Adobe, Inc.
