
I got an email about a DocuSign security certificate update. We are using Azure SSO with DocuSign; see the link here: https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/docusign-tutorial

Do I need to do anything so SSO will continue to work after DocuSign updates their cert?

Have you spoken with your IT / Network / Infrastructure team regarding the new SSO certificate from DocuSign?

I got a specific email from DocuSign, which I imagine was sent to a multitude of customers reading the following:

"Some Identity Providers (IdP) will use this certificate to verify DocuSign’s authentication request in SAML. If so, this certificate might be used by the IdP to encrypt the SAML response to DocuSign. Please review your IdP and replace this certificate as needed, failing to update this certificate could mean that your IdP may not allow a user to log into DocuSign."


I'm the network team 🙂 I followed the instructions in the link above, and it works. It has many steps, but I don't see anywhere that it explicitly uses the DocuSign cert. So I wonder if anyone has done this before and can tell me whether I need to do anything at all. Maybe this is a question for Microsoft support.


I think it would be useful to reach out to Microsoft support. Also, perhaps someone more experienced with IdPs and certificates might respond here to the DocuSign post. Another alternative might be to create a DocuSign Support case.


Hi,

Welcome to the DocuSign Support Community!

It will depend on whether you use our metadata URL or manually upload/trust our cert individually. If you currently use our metadata URL, then no change is needed because the URL will update automatically today.

If you happen to manually upload our cert, then you'll need to manually upload the new cert at some point after it's live today or at some point before we expire the old cert.

I hope that helps.

Donna

Community Moderator


Azure SSO uses the metadata URL, so no action is required.


We're using ADFS 3.0 for SSO (because the programs that are currently using DocuSign are not supported by Azure, so we're keeping them in the same SSO environment).

We have the metadata URL checked, but I get an error when I test the URL. Other relying parties' Test URLs work fine, so it's not an issue of access being blocked.

Should I just uncheck "Monitor RP" and update the cert manually? Does anyone else get an error when they test the URL?

[Screenshot attached: 2019-03-20 10_22_51-Remote Desktop Manager]

Thanks,

Mike


In case anyone is interested, this issue was because TLS 1.0 was still enabled on the server, but DocuSign disabled TLS 1.0 last year. So I have to uncheck the auto-update for the RP and manually add the cert. Once TLS 1.0 gets disabled, I can check auto-update again.


In Azure AD, I couldn't find anywhere to update the metadata URL like you could in ADFS. In ADFS, there was an option to put in the metadata URL, and that would auto-update.

For Azure AD, just download the metadata from DocuSign (put the URL into a browser, then copy and paste the metadata into a file and name it with a .xml extension) and upload that new metadata into the DocuSign SSO config, and you should be good.

I don’t know where AAD stores that cert when you upload the metadata, but it must be somewhere.

Hope that helps.
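The two checks this thread boils down to, as an added example that is not part of the original thread and not DocuSign's or Microsoft's code: parse the SAML metadata DocuSign publishes, pull out the signing certificate(s), compute the SHA-1 thumbprint the ADFS and Windows certificate UI display, and compare it against what the IdP currently trusts for the relying party; and, for the ADFS "Monitor relying party" failure above, fetch that metadata with a TLS 1.2 floor so a TLS 1.0-only stack fails loudly instead of silently. The metadata document below is constructed for the demo, the certificate bytes in it are placeholders rather than real DocuSign certificates, and the URL in `__main__` is an assumption, so the fetch is only run against whatever URL you pass in.

```python
"""Compare the signing certificate(s) published in SAML metadata with the
thumbprints an IdP (ADFS / Azure AD) currently trusts for a relying party.

Added example for the thread above; not DocuSign's or Microsoft's code.
SAMPLE_METADATA is constructed for this demo and its certificate bytes
are placeholders, not real certificates.
"""
import base64
import hashlib
import ssl
import sys
import urllib.request
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample SP metadata: one signing key and one encryption key.
# The base64 blobs decode to bytes 0x00..0x09 and 0x0a..0x0f (placeholders).
SAMPLE_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://sp.example.test/saml">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        AAECAwQF
        BgcICQ==
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>CgsMDQ4P</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def thumbprint(cert_b64):
    """SHA-1 over the DER bytes, upper-case hex: the 'Thumbprint' value the
    ADFS relying-party trust dialog and the Windows certificate UI show.
    Whitespace inside the base64 (line wrapping in metadata) is ignored."""
    der = base64.b64decode("".join(cert_b64.split()))
    return hashlib.sha1(der).hexdigest().upper()


def published_certs(metadata_xml):
    """Map each KeyDescriptor 'use' ('signing', 'encryption', or 'any' when the
    attribute is absent, which the SAML metadata spec reads as both) to the
    thumbprints of the certificates published under it."""
    root = ET.fromstring(metadata_xml)
    found = {}
    for kd in root.iter("{%s}KeyDescriptor" % NS["md"]):
        use = kd.get("use", "any")
        for cert in kd.iter("{%s}X509Certificate" % NS["ds"]):
            found.setdefault(use, []).append(thumbprint(cert.text or ""))
    return found


def rotation_needed(metadata_xml, trusted_signing_thumbprints):
    """Return the signing thumbprints the metadata now publishes that the IdP
    does not yet trust. Empty list means nothing to do (the 'metadata URL'
    case); otherwise these are the certs to add to the relying-party trust."""
    certs = published_certs(metadata_xml)
    published = set(certs.get("signing", [])) | set(certs.get("any", []))
    trusted = {t.replace(" ", "").replace(":", "").upper()
               for t in trusted_signing_thumbprints}
    return sorted(published - trusted)


def fetch_metadata(url, timeout=10):
    """Fetch metadata with a TLS 1.2 floor. DocuSign's endpoint rejects
    TLS 1.0, which is what broke the ADFS 'Monitor relying party' test in the
    thread; refusing anything older here makes that failure explicit."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    with urllib.request.urlopen(url, timeout=timeout, context=ctx) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    # Usage: python check_saml_cert.py [metadata-url] [trusted-thumbprint ...]
    # With no URL the constructed sample is used, so this runs offline.
    xml_doc = fetch_metadata(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_METADATA
    trusted = sys.argv[2:]
    for use, tps in published_certs(xml_doc).items():
        print(use, tps)
    missing = rotation_needed(xml_doc, trusted)
    print("rotation needed for:", missing if missing else "nothing, IdP already trusts all signing certs")
```

Run it with the DocuSign metadata URL from the Azure tutorial and the thumbprint(s) shown on the relying-party trust (ADFS: Signature tab; Azure AD: the certificate on the enterprise application's SAML settings) as the remaining arguments; an empty "rotation needed" list is the case Donna describes where the metadata URL has already been picked up, and a non-empty list is the manual-upload case. If the fetch itself fails with an SSL error on an old Windows host, check the server's enabled TLS versions before touching the trust, as Mike found.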


Thank you, Mike. I was also looking for a place to add the metadata URL, or the new cert. You pointed me in the right direction.

