

DocuSign

This page shows how to enable a Shibboleth IDP v4 to authenticate users and send attributes to a DocuSign Service Provider.

DocuSign demo SP

In order to validate the configuration, the DocuSign vendor gave us a demo SP to test the parameters against.

https://appdemo.docusign.com

Claim domains

DocuSign needs a TXT record in the client's DNS for the associated domain.

Sample TXT record in the DNS zone:

domain.fr IN TXT "docusign=ab64a181-0838-4ae8-9955-4493a6309d34"

Declare IDP

There's no way to use our academic Discovery Service (WAYF), so we need to declare each of our IDP entities in the DocuSign SP:

Configure IDP End Points

After declaring our IDP host and certificate, we can now define the IDP SSO / SAML metadata endpoints:

We also set that we use signed AuthN requests and the POST binding.

DocuSign SP Metadata

From the Action button on the right side of the IDP list, we can “show EndPoints”, which contains the SP metadata URL that can be downloaded to our IDP for relying-party trust.

[root@idptest metadata]# pwd
/opt/shibboleth-idp/metadata
[root@idptest metadata]# wget https://account-d.docusign.com/organizations/cd450-d4aa-4f12-9b59-1160332/saml2/metadata/aa14dc60-d3ff-4f14-9e59-446044682220

This raw XML file download is quite “rude” to read; for ease of use, it can be renamed to an appropriate filename (docusign.xml) and transformed into a more readable (indented) XML format:

[root@idptest metadata]# mv aa14dc60-d3ff-4f14-9e59-446044682220 docusign.xml
[root@idptest metadata]# xmlstarlet fo docusign.xml > docusign-readable.xml

SP metadata certificate

The DocuSign SP certificate is included in these freshly downloaded metadata; we can extract it to a dedicated file that will be loaded in our metadata provider for signature checking.

Get the certificate from the SP metadata element X509Certificate:

<X509Certificate>MIIGvTCCBaW
...
YBlA==
</X509Certificate>
</X509Data>

to a docusign.pem file in OpenSSL x509 (PEM) format:

# cat ./metadata/docusign.pem

-----BEGIN CERTIFICATE-----
MIIGvTCCBaW
..
YBlA==
-----END CERTIFICATE-----

Load SP metadata in our IDP

Now that we have the SP metadata, we can load it in our IDP configuration and declare that it is signed by the above SP certificate:

<!-- SP DocuSign -->
<MetadataProvider id="DocuSign" xsi:type="FileBackedHTTPMetadataProvider"
                  backingFile="%{idp.home}/metadata/docusign.xml"
                  metadataURL="https://account-d.docusign.com/organizations/c397ee08-a735-452c-838b-8eee93009a42/saml2/metadata/bb14dc60-dce5-4f14-9f59-226044683319">
    <MetadataFilter xsi:type="SignatureValidation" requireSignedRoot="true"
                    certificateFile="%{idp.home}/metadata/docusign.pem"/>
    <!--
        Require a validUntil XML attribute on the root element and
        make sure its value is no more than 14 days into the future.
    -->
    <!-- <MetadataFilter xsi:type="RequiredValidUntil" maxValidityInterval="PT2487H41M6.544S"/> -->
</MetadataProvider>

We kept the validUntil check commented out, because by default there is no “validUntil” value in the DocuSign SP metadata.
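As an added example (not from the original page and not DocuSign's or Shibboleth's code), here is a small Python script that does the two manual steps above on a downloaded metadata file: it pulls the SP signing certificate out of the X509Certificate element into the PEM form expected by certificateFile, and reports whether the root element carries a ds:Signature (what SignatureValidation with requireSignedRoot relies on) and whether a validUntil attribute is present at all. The metadata document, entityID and certificate bytes are constructed placeholders.

```python
import base64
import textwrap
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed placeholder for the SP certificate's DER bytes (not real X.509).
FAKE_DER = b"constructed-placeholder-certificate-bytes"

# Constructed sample metadata: signed root, signing KeyDescriptor, no validUntil.
SAMPLE_METADATA = f"""<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://sp.example.invalid/saml2">
  <ds:Signature><ds:SignatureValue>c2ln</ds:SignatureValue></ds:Signature>
  <md:SPSSODescriptor>
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {base64.b64encode(FAKE_DER).decode()}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

def extract_signing_certs(xml_text):
    """PEM-encode each signing certificate (no use attribute means signing too)."""
    pems = []
    for kd in ET.fromstring(xml_text).iterfind(".//md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            # Drop the whitespace that indentation adds, reject non-base64 text.
            der = base64.b64decode("".join(cert.text.split()), validate=True)
            body = "\n".join(textwrap.wrap(base64.b64encode(der).decode(), 64))
            pems.append(f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n")
    return pems

def pem_to_der(pem):
    """Inverse of the wrapping above, used to check the round trip."""
    lines = [l for l in pem.splitlines() if not l.startswith("-----")]
    return base64.b64decode("".join(lines), validate=True)

def metadata_checks(xml_text):
    """Root-signature presence (for requireSignedRoot) and validUntil (absent here)."""
    root = ET.fromstring(xml_text)
    return {"entity_id": root.get("entityID"),
            "signed_root": root.find("ds:Signature", NS) is not None,
            "valid_until": root.get("validUntil")}
```

The ds:Signature check is structural only; cryptographic verification of the signature is what the SignatureValidation filter does in the IDP using the extracted PEM.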

DocuSign SAML specificities

Cannot encrypt assertions

When the initial tests failed, we realized it was related to our Shibboleth IDP encrypting SAML assertions (by design/default/best practice).

So we need to disable SAML encryption, cf. encryptAssertions="false" for that specific SP (c:relyingPartyIds=… below):

[root@idptet conf]# vim relying-party.xml 
    <!-- Container for any overrides you want to add. -->

  <util:list id="shibboleth.RelyingPartyOverrides">

        <!--
        Override example that identifies a single RP by name and configures it
        for SAML 2 SSO without encryption. This is a common "vendor" scenario.
        -->
        <bean id="DocuSign" parent="RelyingPartyByName" c:relyingPartyIds="https://account-d.docusign.com/organizations/cd450-d4aa-4f12-9b59-1160332/saml2">
            <property name="profileConfigurations">
                <list>
                    <bean parent="SAML2.SSO" p:encryptAssertions="false" />
                </list>
            </property>
        </bean>

    </util:list>
docpublic/systemes/shibboleth/docusign.1611828673.txt.gz · Last modified: 2021/01/28 10:11 by procacci@tem-tsp.eu
CC Attribution-Noncommercial-Share Alike 4.0 International