DocuSign recipient authentication using SAML using Admin Console/API - docusignapi

On the DocuSign admin console, I was able to set up DocuSign recipient authentication using access code, SMS and phone.
While trying SAML, I received this error message:
"Your envelope is incomplete. Recipient XXXX does not have SAML authentication setup adequately (missing assertion attribute values)".
Please share any information pertaining to how we may overcome this error message.

This is no longer a supported feature for DocuSign. If wanting to use SAML, you must purchase SSO. Here is the latest implementation guide: https://support.docusign.com/en/guides/single-sign-on-implementation-guide

Related

DocuSign authentication service for applications

I'm working on an integration with the DocuSign API. I want the users to log in to my app and then initiate the signing process from there. The users must not have a DocuSign account; they should be able to sign without logging in to DocuSign. As I understand it, the JWT Grant flow is the best choice for this scenario, by impersonating a system user and creating envelopes and recipient view requests for the users who will sign. Please correct me if I'm doing this wrong.
Many companies who offer electronic signature services also offer authentication services, for example OTP via email, SMS or some other eID. I would like that if the user could authenticate with DocuSign first before accessing my application. I haven't found a service like that at DocuSign. Is there a way to authenticate users without DocuSign accounts for my application with their service?
You first write:
"The users must not have a DocuSign account"
You later write:
"I would like that if the user could authenticate with DocuSign first before accessing my application"
These two statements conflict. You can only authenticate if you have an account.
However, if what you mean is just getting an SMS text, there are two features you can use:
Send with SMS - sending the SMS as the means of obtaining a signature from user. User doesn't have to have an account with DocuSign.
SMS authentication - envelope is sent via email, SMS is used as a second factor auth. User doesn't have to have an account with DocuSign.
JWT or Auth Code Grant can either be used for the one user/account that does have the ability to send envelopes from DocuSign. Either one would work.

No DocuSign Admin on live DocuSign account

Errors are coming on the live integration key of DocuSign:
Error while requesting server, received a non successful HTTP code [400] with response Body: O:8:"stdClass":1:{s:5:"error";s:16:"consent_required";}
I faced this issue on demo DocuSign, then I enabled SSO for my DocuSign organization on demo DocuSign.
That solved the issue (error) and it is working properly on demo DocuSign,
because there was a DocuSign Admin to enable SSO.
But DocuSign Admin is not available on the live DocuSign account.
How do I solve this error on live DocuSign?
Error s:5:"error";s:16:"consent_required";
I have already contacted the support team.
In order to grant consent, you'll either need to do an Individual Consent workflow for each user, or contact the Sales team to purchase the Admin module.
A more in-depth look at the JWT Consent options is available on the DocuSign blog - https://www.docusign.com/blog/developers/oauth-jwt-granting-consent
The short answer is that Individual Consent is always available, but requires action by each individual user (Access the consent URL, authenticate, grant consent). Admin Consent is only available if you have the Admin module and a claimed domain, but allows an Organization Admin to grant consent on behalf of everyone under that claimed domain.
Is it perhaps because the DocuSign user you use to log into the live system is not (yet) an administrator?

Is full_access_as_app mandatory to send email from an EWS application using OAuth

I have an application which uses EWS with basic authentication, as mentioned here. I'm trying to get away from basic authentication and use OAuth.
I want to know if it is mandatory to have full_access_as_app, or would I be able to send emails if only the Mail.Send permission is granted in Azure?
Note: My application just wants to send email. Right now I'm getting a 401 error and Azure has only the Mail.Send permission.
Yes it is. EWS is a legacy API, so it doesn't support the more constrained permissions that the Graph supports. If your app only sends email, why not just migrate it to the Graph? The auth will be the same, it's really just one API call to send an email, and your app will be a lot more secure.

OAuth Flow for Sender Using Apex Toolkit

I've developed an invokable Apex method that leverages the DocuSign Apex Toolkit for preparing and sending an envelope via a Salesforce flow.
The only issue I'm having is when it is invoked by a Salesforce user, that has been added as a DocuSign user, but has not yet gone through the OAuth flow to connect Salesforce to DocuSign for their user account.
A workaround is that I have that new user click a standard "Send with DocuSign" button on any record, which then shows the "Before you can use DocuSign, you must grant consent for this application to make requests on your behalf." message and a button to start and complete the OAuth flow. Once this is done I can go back to my flow and it will successfully complete as that user.
Any ideas how I can "pre-authorize" users, or check for authorization as part of the flow (is this data stored in Salesforce), or at least find a way to get to this "Authorize" screen in Salesforce without needing to begin the process of sending an envelope?
Thanks
Matt
Yes, the administrator for the account can grant "blanket" consent, known as administrative consent, for the relevant integration key (client id) and scope(s) needed by your application.
To do so:
1. The account needs the Admin feature Access Management with SSO. You can have this feature enabled for your developer sandbox account by email request to go-live#docusign.com. Contact your DocuSign account manager for adding the feature to a production account.
2. You need to claim the email domain for your users.
3. Use the Admin tool's Connected Apps tile to grant administrative consent to your users in the claimed domain to the application.
The above assumes that you are supplying the integration key to your Apex application.
If you're using an integration key supplied by DocuSign, then you also need to use the Admin consent for external applications API.
If you're using an integration key supplied by DocuSign as part of a DocuSign for Salesforce product, then I would first ensure that the product is enabled for everyone in your account; that may take care of your app's consent issue.
Re: detecting if consent is required
DocuSign responds with a specific consent_required error if consent is needed. So check the error response of your call. See APIError
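Checking a token response for consent_required and producing the Individual Consent link mentioned in the earlier answer, as an added example that is not part of the original posts or DocuSign's own code. The function names, the zeroed integration key and the redirect URI are placeholders; the URL layout is assumed from DocuSign's documented individual-consent request, and the redirect URI must already be registered on the integration key.

```python
import json
from urllib.parse import quote, urlencode

# DocuSign account servers: developer (demo) and production.
AUTH_HOSTS = {"demo": "account-d.docusign.com", "production": "account.docusign.com"}


class TokenError(Exception):
    """Token request failed for a reason other than missing consent."""


def consent_url(env, integration_key, redirect_uri,
                scopes=("signature", "impersonation")):
    """Build the individual-consent URL the user opens, signs in to and approves."""
    query = urlencode(
        {
            "response_type": "code",
            "scope": " ".join(scopes),  # request only the scopes the app needs
            "client_id": integration_key,
            "redirect_uri": redirect_uri,
        },
        quote_via=quote,  # encode spaces as %20 rather than '+'
    )
    return f"https://{AUTH_HOSTS[env]}/oauth/auth?{query}"


def handle_token_response(status, body, env, integration_key, redirect_uri):
    """Return ("token", access_token) or ("consent", url); raise TokenError otherwise."""
    try:
        data = json.loads(body)
    except ValueError:
        raise TokenError(f"HTTP {status}: response body is not JSON")
    if not isinstance(data, dict):
        raise TokenError(f"HTTP {status}: unexpected response shape")
    if status == 200 and "access_token" in data:
        return "token", data["access_token"]
    # HTTP 400 with error=consent_required: the impersonated user has not
    # consented yet. Surface the link instead of retrying the token call.
    if status == 400 and data.get("error") == "consent_required":
        return "consent", consent_url(env, integration_key, redirect_uri)
    raise TokenError(f"HTTP {status}: {data.get('error', 'unknown_error')}")
```
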

DocuSign SSO Authentication using SAML / AD

Within our application we provide a DocuSign integration which uses DocuSign.eSign.dll from DocuSign C# Client.
We currently use the Legacy Header Authentication to authenticate.
One of our customers would like to enable single sign-on using Azure Active Directory. They have set up their account as described in Tutorial: Azure Active Directory integration with DocuSign already (for the DocuSign App).
How do we change our integration to allow Single Sign On using SAML? What API methods do we use? Does the DocuSign C# Client support this?
Legacy Header does not support SSO Authentication. For legacy header to work, users must have a password.
You will either need to grant a Login Policy Exception (to allow them to bypass SSO) to each user that needs to authenticate via the API, or you will need to implement OAuth token authentication.
An example of OAuth token authentication in C# is available on GitHub: https://github.com/docusign/eg-03-csharp-auth-code-grant-core
Once SSO is implemented by your client and they have enabled mandatory SSO in their DocuSign configuration, you should use OAuth, either Authorization Code Grant (User Application) or JSON Web Token Grant (System Integration), to generate an AccessToken for your Client API user. JSON Web Token Grant is normally used when System Integration is happening in your integration with DocuSign. Either way, you need to ask the Client API user to provide User Consent to your IntegratorKey, so that your IntegratorKey can generate an AccessToken on the Client API user's behalf. Obtaining Consent explains how to get User Consent for either User Application or System Integration. In providing consent to your integrator, customers will log in to DocuSign via their SSO setup, in the same way they log in to DocuSign to access the DocuSign web app.
