
We are currently evaluating the Workday-DocuSign Integration for a customer in the Financial Services industry. The customer's security team has specific questions regarding the security controls in place for this integration.
 

While I have reviewed the information available on Workday Community w.r.t. how the Workday-DocuSign integration works and its security measures, there are additional security controls that our client's security team would like to verify.

Since this is an out-of-the-box integration provided by Workday and there is limited documentation on both the Workday Community and DocuSign Developer Community, we would appreciate further clarification on these controls. It would also be beneficial for others if this information could be added to the relevant Workday Community article & FAQ.

Question 1 - IP Whitelisting

According to DocuSign documentation, client DocuSign administrators can implement IP address restrictions for login and authentication traffic at the domain level. This applies to both password and SSO login. Does this restriction also apply to the integration traffic between Workday and DocuSign? If IP whitelisting is enabled, will it impact the integration functionality in any way?

Question 2 - Integration Key & Certificate Management 

DocuSign offers an add-on product called DocuSign Security Appliance, which allows organizations to manage their eSignature encryption keys on-premises. It enables the use of a hardware security module (HSM) for key management.
 

From the information available on the Workday Community, it appears Workday manages the encryption keys for the integration using AES 256 encryption. Workday’s integration key for DocuSign is not visible to customers or support, and DocuSign’s SSL/TLS certificate is stored in Workday Data Centers for use with TLS 1.2.
 

Given this setup, can Workday confirm whether it utilizes the DocuSign Security Appliance to manage the encryption keys on Workday Data Centre, or if another method is used?


Question 3 - Validity of the DocuSign URL


Workday’s integration uses a custom token in the envelope to validate that the envelope was created by Workday. This token is linked to the number of signers and is checked for every incoming request from DocuSign Connect. The DocuSign documentation also mentions that an expiration date can be set for an envelope.
 

Is this token expiry configurable by the customer, or is it fixed by Workday? If it is fixed by Workday what is the Token Expiry time?

Question 4 - Configuration of Email Notification Domain for DocuSign
 

Based on DocuSign documentation, by default, when a notification email is sent to a recipient, it is sent from the appropriate DocuSign server email address, for example, dse@docusign.net or dse-demo@docusign.net.


With a custom email domain (CED), all outbound emails can be updated to show a customized name and email address. This allows organizations to maintain trust by sending emails from their verified email domains. Example - dse-demo@docusign.<<ClientName>>.net


If the customer configures a custom email domain, will this impact the Workday-DocuSign integration in any way? Specifically, can we expect that the notification emails for document signing will still function as intended, but from the custom domain?

Hi @Siddharth Shukla,

 

Thank you for reaching out to the Docusign Community.  

I will answer your questions in order:

  1. IP restrictions: it is recommended to use a “Service User” exempt from any two-step authentication as the “System Sender” between an integration and Docusign eSignature.
  2. Integration key management: this question will need to be answered by Workday. Neither Docusign Support nor any eSignature user will be able to provide you with an accurate answer on this matter, as it requires account configuration details to be disclosed to third parties.
  3. Validity of the DocuSign URL: the token mentioned is included as part of the envelope metadata, mainly so that Docusign Connect knows which envelope is being sent by Workday; for this reason it does not expire. Regarding the envelope expiration settings, these can be set both at the envelope level (Envelope Advanced Options) and at the account level (Settings > Envelope Expiration). Managing user access to editing these settings during the envelope creation process is included as part of the account settings as well. For more details on this topic, see: Envelope Expiration Admin Set Advanced Options for an Envelope or Template
  4. Configuration of Email Notification Domain for DocuSign: you are welcome to configure your own Custom Email Domain; these settings will not have any negative effect on your Workday integration, and your account Custom Email Domain should be respected by your integration, as long as both have been configured appropriately.

Feel free to let us know if you need further assistance with this. 

 

Best regards,

Alejandro R. | Docusign Community Moderator  

Please click "Best Answer" below if you find my reply to be a valid solution to your issue!

 


Hi @Siddharth Shukla,

 

I hope you are doing well.

I would like to confirm if the suggested solution answers your question?           

If so, please mark it as the best answer by clicking “Select as Best” to make it easier for other users to find. Otherwise, feel free to let me know and I will gladly help you address the situation as soon as possible.

 

Best regards,   

 

Alejandro R. | Docusign Community Moderator   

"Select as Best" below if you find the answer a valid solution to your issue! 

