Within our application we provide a DocuSign integration which uses DocuSign.eSign.dll from DocuSign C# Client.
We currently use the Legacy Header Authentication to authenticate.
One of our customers, would like to enable single sign on using Azure Active Directory. They have set up their account as described on Tutorial: Azure Active Directory integration with DocuSign already (for the DocuSign App).
How do we change our integration to allow Single Sign On using SAML? What API methods do we use? Does the DocuSign C# Client support this?
Legacy Header does not support SSO Authentication. For legacy header to work, users must have a password.
You will either need to grant a Login Policy Exception (to allow them to bypass SSO) to each user that needs to authenticate via the API, or you will need to implement OAuth token authentication.
An example of OAuth token authentication in C# is available on GitHub: https://github.com/docusign/eg-03-csharp-auth-code-grant-core
Once SSO is implemented by your client and has enabled mandatory SSO in their DocuSign configuration, then you should use OAUTH either using Authorization Code Grant-User Application or JSON Web Token Grant-System Integration to generate AccessToken for your Client API user. JSON Web Token Grant is normally used when System Integration is happening in your Integration with DocuSign. In Either way, you need to ask Client API user to provide User Consent to your IntegratorKey, so that your IntegratorKey can generate AccessToken on Client API User's behalf. Obtaining Consent explains how to get User Consent for Either User Application or System Integration. In Providing the consent to your Integrator, Customers will login to DocuSign via their SSO setup, in the same way how they login to DocuSign to access DocuSign WebApp.
Related
I want to authenticate a valid Azure Directory user from my application. So the output that I want is the user is valid or not?
I use this API https://login.microsoftonline.com/{tenantID}/oauth2/v2.0/token with following urlencoded body like client_id, scope, client_secret, username, password, grant_type the for the authentication but this API is working only when the user disabled their MFA, but I want to authenticate even the user has enabled MFA.
You have hit one of the limitations of the ROPC flow.
It is not possible to authenticate a user with MFA enabled with that flow.
The solution will be to change your application to use an interactive flow like Authorization Code flow.
This will require that your app forwards the user to Azure AD to sign in, and then your application gets access tokens in exchange.
Pros:
You don't need to handle passwords
All the security features of Azure AD can be used, including MFA
Cons:
Complexity will increase (libraries help here)
Docs: https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow
If you have a Javascript front-end app, you can use MSAL.js to handle the authentication.
Other OpenID Connect compatible libraries can also be used.
My company (C1) has DocuSign implementation feature set up with RestApi and we use oAuth to authenticate users with email and password to create and send envelopes. This functionality works perfect.
One of our clients said they have SSO enabled in their org and would like to SSO directly to DocuSign from my company page instead of providing password option. In our current implementation, users are prompted for email address first and then the password.
If clients have SSO enabled, I assume they go directly to Docusign but to get that functionality, is there anything I need to do regarding changing the existing workflow or implementation for RestAPI.
Do we need to obtain consent for our Client (who has SSO enabled)?
Thanks in advance
You don't need to do anything differently. These clients would be able to authenticate to your integration/app using SSO. If they are already autneticated, a cookie remembers it and they would automatically be redirected back to your app. The first time, the would have to give consent to your app to enable it to do things for them, but after that - smooth sailing, without any need to login or anything.
Feel free to let me know if you run into any issues. Otherwise, you'r good.
As Inbar says, if your application uses either the OAuth Authorization Code or OAuth Implicit grant flow, then your application will automatically support SSO once the user's DocuSign account has been set for SSO.
If your application uses the OAuth JWT grant, then SSO has no bearing on your application since your application is itself authenticating with DocuSign and impersonating a user.
And the above is why Authorization Code grant or Implicit grant is preferred over JWT grant whenever there's an option to not use JWT grant.
If you're using Legacy Header authentication, your application won't be able to authenticate as users who have SSO Login enforced. Until you're able to implement one of the OAuth workflows, users who need to use your API integration will need to have their Login Policy set to allow them to login with a password. More info on Login Policy is available here: https://support.docusign.com/en/articles/How-to-exclude-specific-users-from-SSO-requirements
We have a web application where we log users in with Google's auth2.
We also have crone jobs that are used to reply to certain emails through the gmail api.
Is the authorization for signing in and for gmail's api the same? If it is, how can we sign users out of the web app while still authorizing crone jobs?
If what you meant by signing is by using Google+ Sign-in, it says from this documentation:
Why use Google for authentication?
Providing OAuth 2.0 user authentication directly or using Google+
Sign-in reduces your development overhead. It also provides a trusted
and secure login system that's familiar to users, consistent across
devices, and removes the burden of users having to remember another
username and password.
Wherein Gmail uses the OAuth 2.0 protocol for authenticating a Google account and authorizing access to user data. This will be the same.
At a high level, all apps follow the same basic authorization pattern:
During development, register the application in the Google API Console.
When the app launches, request that the user grant access to data in their Google account.
If the user consents, your application requests and receives credentials to access the Gmail API.
Refresh the credentials (if necessary).
The difference is you will need to enable Gmail API for the credentials.
Here's the details for server-side authentication.
Help me please. There are several users in the docusign account. How to send an envelope from their name? What would an envelope be sent not on behalf of the administrator, but on behalf of the user.
You need to use DocuSign's OAUTH user Application or Service Integration to implement the same. DocuSign Authentication Overview has details about each integration type.
OAuth Authorization Code Grant and OAuth Implicit Grant are suitable only for user applications because it requires an end user to authenticate with DocuSign.
Service Integration Authentication uses JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants (RFC 7523) to create an access token. It is ideal for service integrations that do not involve a user agent like a browser or web view control. The result is an access token that represents the application or an impersonated user.
Implementing either User Application or Service Integration, you need to get consent of the user for whom you want to send the envelope and envelope will be sent from that user's account and that user will become the sender of the envelope.
I'm writing a mobile app for a DocuSign client using PhoneGap (i.e. with JavaScript, HTML5, CSS3). I created a DocuSign integration key and selected This is a mobile app. However, DocuSign is requesting a URI. My URI will be a file in a folder (e.g. /DocuSign/callback.html). When I try to enter my URI without a domain name DocuSign with not save the path to my file. Is a URI required to have a domain name for mobile apps using the OAuth2 Implicit Grant method? If so, how do I add a URI to my integration key without a domain name?
If you want to use one of the OAuth2.0 authorization flows in your integration then you will need provide an publicly accessible return URL for so the DocuSign authentication service knows where to redirect the user once they are done logging in through the standard DocuSign login flow. This way your app does not need to manage or eve ask for your users' account passwords which is one of the main advantages of OAuth.
Alternatively if you want to build a service integration where authentication is take care of in the backend and there's an account "tied" to the integration you can use the X-DocuSign-Authentication which does not require a redirect URI.
Learn more about DocuSign authentication.