Authentication Providers
In this section you can define external authentication providers for signers. Both OpenIdConnect and SAML providers are supported.
For successful authentication, the signer's email address must match the email address returned by the external authentication provider. The check is NOT case insensitive.
OpenID Connect Provider
The following information is needed when configuring the provider. Please consult with the iDP provider to obtain the following information.
Name : the name of the provider. This name is shown on the authentication button for the signer.
ClientId : the ClientId supplied by the identity provider.
ClientSecret : the ClientSecret supplied by the identity provider.
AuthorizationUrl : the URL to which the signer will be redirected for authentication
TokenUrl : URL used to obtain the access token
UserInfoUrl : URL when the user information is obtained from.
Scope : the scope requested from the identity provider. This field is optional, if left empty the default scope "openid email profile" will be used.
JWT validation is also supported but it is optional. If you need it, please fill in the JWKS URL and Issuer URL.
Additionally, the OIDC provider also allows mapping custom user fields to remote signature provider fields. This can be done for MULTIPLE signature providers. This means that after the user is authenticated with the OIDC provider, the value of specific fields returned by the OIDC provider will be updated in the remote signature configuration.
SAML Provider
The following information is needed :
Name : the name of the provider. This name is shown on the authentication button for the signer. LoginUrl : the URL to which the signer will be redirected for authentication EmailField : the name of the email field. Multiple names can be entered separated by space SAML Metadata File : the SAML metadata file obtained from the SAML server.
FAQ
For OIDC authentication which are the fields checked for the user identity ?
The checked claims are "sub" and "email". These 2 claims are checked against the idtoken and userinfo endpoint.
I authenticate correctly with OIDC provider but in Bulksign I get redirected to a "Invalid Account" page. Why is that ?
This means the email address of the envelope recipient is not the same address used in the OIDC authentication.
I authenticate correctly with OIDC provider but in Bulksign I get redirected to a "Mapping Error" page. Why is that ?
This means the field mapping feature failed for some specific reason. Please get in touch with our support team if you encounter this problem.