Set up a Docusign v2 connector

ConductorOne provides identity governance for Docusign. Integrate your Docusign instance with ConductorOne to run user access reviews (UARs) and enable just-in-time access requests.

This is an updated and improved version of the Docusign connector! If you’re setting up Docusign with ConductorOne for the first time, you’re in the right place.

Capabilities

Resource	Sync	Provision
Accounts	✅	✅
Groups	✅
Permissions	✅

The Docusign v2 connector supports automatic account provisioning.

Gather Docusign credentials

Configuring the connector requires you to pass in credentials generated in Docusign. Gather these credentials before you move on.

A user with access to the Docusign Admin console must perform this task.

Create a Docusign app

In the Docusign Admin Console, click Add App and Integration Key.
Choose a name for your app, such as “ConductorOne” and click Create App.
On the app configuration screen, carefully copy and save the Client ID (also called an integration key).
Click Add Secret Key, then carefully copy and save the client secret.
In the Redirect URI field, enter any URI of your choice (such as http://example.com/callback) and click Add.
Locate the API Account ID and carefully copy and save this ID.
Click Save at the bottom of the page.

Set authentication method

Navigate to the Apps and Keys page and locate the app you just created.
Select EDIT from the app’s ACTIONS context menu. The configuration page opens.
In the Authentication section, select Public Authorization Code Grant.
In the User Application section, when prompted whether your application is able to securely store a client secret, select No.
In the Authentication Method for your App section, select Authorization Code Grant with Proof Key for Code Exchange (PKCE).

That’s it! Next, move on to the connector configuration instructions.

Configure the Docusign connector

To complete this task, you’ll need the Connector Administrator or Super Administrator role in ConductorOne and the relevant set of permissions on your Docusign account:
To sync access data (READ): Read users, groups, and permissions.
To sync access data and provision accounts (READ/WRITE): Create users plus read users, groups, and permissions.

Follow these instructions to use a built-in, no-code connector hosted by ConductorOne.

In ConductorOne, navigate to Admin > Connectors and click Add connector.
Search for Docusign v2 and click Add.
Choose how to set up the new Docusign connector:
- Add the connector to a currently unmanaged app (select from the list of apps that were discovered in your identity, SSO, or federation provider that aren’t yet managed with ConductorOne)
- Add the connector to a managed app (select from the list of existing managed apps)
- Create a new managed app
Set the owner for this connector. You can manage the connector yourself, or choose someone else from the list of ConductorOne users. Setting multiple owners is allowed.
If you choose someone else, ConductorOne will notify the new connector owner by email that their help is needed to complete the setup process.
Click Next.
Find the Settings area of the page and click Edit.
Optional. Click the box to Use the demo environment, if desired.
Add the Docusign API Account ID so that the integration is set up to pull the correct data. If you do not specify an account ID, ConductorOne will use the default account for the user (that’s likely you!) who logs into Docusign with Oauth in the next step. To look up the account ID:
- In Docusign Admin, navigate to the Apps and Keys page.
- Click to copy the API Account ID for the account you wish to integrate.
Click Login with OAuth.
Log in and authorize ConductorOne with your Docusign instance.
After authorizing, you’ll be redirected back to the ConductorOne integrations page, where an “Authorized as” message is now printed.
Click Save.
The connector’s label changes to Syncing, followed by Connected. You can view the logs to ensure that information is syncing.

That’s it! Your Docusign connector is now pulling access data into ConductorOne.

Follow these instructions to use the Docusign connector, hosted and run in your own environment.

When running in service mode on Kubernetes, a self-hosted connector maintains an ongoing connection with ConductorOne, automatically syncing and uploading data at regular intervals. This data is immediately available in the ConductorOne UI for access reviews and access requests.

Step 1: Set up a new Docusign connector

In ConductorOne, navigate to Connectors > Add connector.
Search for Baton and click Add.
Choose how to set up the new Docusign connector:
- Add the connector to a currently unmanaged app (select from the list of apps that were discovered in your identity, SSO, or federation provider that aren’t yet managed with ConductorOne)
- Add the connector to a managed app (select from the list of existing managed apps)
- Create a new managed app
Set the owner for this connector. You can manage the connector yourself, or choose someone else from the list of ConductorOne users. Setting multiple owners is allowed.
If you choose someone else, ConductorOne will notify the new connector owner by email that their help is needed to complete the setup process.
Click Next.
In the Settings area of the page, click Edit.
Click Rotate to generate a new Client ID and Secret.
Carefully copy and save these credentials. We’ll use them in Step 2.

Step 2: Create Kubernetes configuration files

Create two Kubernetes manifest files for your Docusign connector deployment:

Secrets configuration

# baton-docusign-secrets.yaml
apiVersion: v1
kind: Secret
metadata:
  name: baton-docusign-secrets
type: Opaque
stringData:
  # ConductorOne credentials
  BATON_CLIENT_ID: <ConductorOne client ID>
  BATON_CLIENT_SECRET: <ConductorOne client secret>
  
  # Docusign credentials
  BATON_ACCOUNT_ID: <Docusign API account ID>
  BATON_CLIENTID: <Docusign app client ID>
  BATON_CLIENTSECRET: <Docusign app client secret>
  BATON_REDIRECT_URI: <The redirect URI you entered when setting up the Docusign app>

  # Optional: include if you want ConductorOne to provision access using this connector
  BATON_PROVISIONING: true

See the connector’s README or run --help to see all available configuration flags and environment variables.

Deployment configuration

# baton-docusign.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: baton-docusign
  labels:
    app: baton-docusign
spec:
  selector:
    matchLabels:
      app: baton-docusign
  template:
    metadata:
      labels:
        app: baton-docusign
        baton: true
        baton-app: docusign
    spec:
      containers:
      - name: baton-docusign
        image: ghcr.io/conductorone/baton-docusign:latest
        imagePullPolicy: IfNotPresent
        envFrom:
        - secretRef:
            name: baton-docusign-secrets

Step 3: Deploy the connector

Create a namespace in which to run ConductorOne connectors (if desired), then apply the secret config and deployment config files.
Check that the connector data uploaded correctly. In ConductorOne, click Applications. On the Managed apps tab, locate and click the name of the application you added the Docusign connector to. Docusign data should be found on the Entitlements and Accounts tabs.

That’s it! Your Docusign connector is now pulling access data into ConductorOne.