Solved

Just in time provisioning - two domains on same Azure tenancy

1 year ago
March 26, 2024
3 replies
133 views

+1

TheWizard
New Voice

We have two domains using the same Identity provider. Is there a way to have the Just in time provisioning set up to add the users from domain A to a different GUID than Domain B or is that not possible. we have separate accounts in our Org for each of these domains and want to keep the users separated until we are able to merge the domains and change all users email.

Best answer by JohnSantos

@TheWizard - The ability to differentiate users from different domains and assign them to different GUIDs during JIT provisioning largely depends on the capabilities of your Identity Provider (IdP) and the configuration options it provides. Some IdPs may allow you to set up rules or policies that can differentiate users based on their domain and assign them to different GUIDs or groups accordingly.

If your IdP supports such functionality, you could potentially set up JIT provisioning to differentiate users from Domain A and Domain B and assign them to different GUIDs. If not, you might need to explore other solutions or workarounds, such as manually managing the users from different domains until you are able to merge the domains and change all users’ emails.

It’s recommended to consult with your IdP’s support or documentation for specific instructions or guidance related to your scenario. If your current IdP doesn’t support this functionality, you might also consider whether switching to a different IdP that does support this functionality would be feasible for your organization.

View Original

Is this content helpful?

N

+15

nathaly.monge
Community Moderator
2554 replies
11 months ago
March 27, 2024

Hello @TheWizard ,

Welcome to the DocuSign Community and thank you for posting your concerns!

I understand you are looking to configure your claimed domains to map to a specific account under your organization using a single Identity Provider.

Please note that domains cannot be mapped directly to a specific account.

You would need to use Advanced Just in Time (JIT) provisioning to handle this, but that would all be configured within the Identity Provider. You would have to configure the Identity Provider to send us the accountid and permissionprofileid in your SAML Requests. If you do that correctly, then JIT will provision the user into the account defined in that call, with the permission profile defined in that call: Just in Time Provisioning

Regarding the configuration of the above, we don’t really have any documentation as this is something that is configured in the Identity Provider (IdP) itself, and all IdP are different, so I would recommend you contact their support for assistance if needed.

Let us know if you need further assistance with this.

Best regards,

Nathaly | DocuSign Community Moderator
"Select as Best" below if you find the answer a valid solution to your issue!

N

+15

nathaly.monge
Community Moderator
2554 replies
11 months ago
April 12, 2024

Hello @TheWizard ,

If you found my response to be a useful solution to your question, please mark it as the best answer by clicking “Select as Best” to make it easier for other users to find.

Best regards,

Nathaly | DocuSign Community Moderator
"Select as Best" below if you find the answer a valid solution to your issue!

+18

JohnSantos
Valued Contributor
972 replies
Answer
11 months ago
April 19, 2024

@TheWizard - The ability to differentiate users from different domains and assign them to different GUIDs during JIT provisioning largely depends on the capabilities of your Identity Provider (IdP) and the configuration options it provides. Some IdPs may allow you to set up rules or policies that can differentiate users based on their domain and assign them to different GUIDs or groups accordingly.

If your IdP supports such functionality, you could potentially set up JIT provisioning to differentiate users from Domain A and Domain B and assign them to different GUIDs. If not, you might need to explore other solutions or workarounds, such as manually managing the users from different domains until you are able to merge the domains and change all users’ emails.

It’s recommended to consult with your IdP’s support or documentation for specific instructions or guidance related to your scenario. If your current IdP doesn’t support this functionality, you might also consider whether switching to a different IdP that does support this functionality would be feasible for your organization.

Welcome to the DocuSign Community! Your feedback is highly valued. If you find my response helpful, please give it a "Like" and consider marking it as the "Best Answer" to assist others with similar issues.

Reply

Rich Text Editor, editor1

Reply

Related topics

Once I add/create a user, how can I automatically activate the account (without the user doing so) and set it as the default account?icon

AD and Docusign integrationicon

Setting Up JIT Provisiong with Azure ADicon

Is it possible to disable "Just In Time Provisioning" for SSO?icon

I am sending documents to a client and they are not receiving in their email...no clue why this is suddenly happening. Anyone had the same problem or know how to correct?icon

Most helpful members this week

Sign up

You can login or register as either a Docusign customer or developer. If you don’t already have a Docusign customer or developer account, you can create one for free when registering.

Docusign Community

You can login or register as either a Docusign customer or developer. If you don’t already have a Docusign customer or developer account, you can create one for free when registering.

Scanning file for viruses.

This file cannot be downloaded