Copy link to clipboard
Copied
Question, Does anyone use Adobe Sign without the the reautentication of their user ID (email) and password? This is a CFR setting within Adobe Sign . We use Azure for the authentication and single sign on but I would like to know if anyone out there is only using the corporate single sign on and authentication methd and not the one for Adobe Sign.
Look forward to thoughts.
Ralph
Copy link to clipboard
Copied
Can you clarify your query, I'm not sure what you are asking. For CFR21 purpose, the rules require a signer to be authenticated before viewing the agreement/signing and also when the signature is applied.
Sign supports 2 types of authentication,
-Adobe Sign auth and
- Phone One time Pin auth.
The former will ask a Signer to login their Sign account before and after, and the method of login is determined by that Signers Sign account. If that Sign account is configured for SSO, then which ever system and rules of SSO will be used for that Signer.
Copy link to clipboard
Copied
Thnaks Simon for he reply.
I undrstand the non repudetation with Part 11. Currently we have the system settings so that the user logs into Adobe Sign. When they an agreement is sent for approval, they either log in or if lready logged in they sign the agreement and authentication is required. A one time phone pin is sent or using authenticator you confrim.
The question is, if we use the Adobe Sign Authentication, is the phone one time PIN setting necessary?
We do hve SSO set up.
Best Ralph
Copy link to clipboard
Copied
With Adobe Sign, you either use the Adobe Sign authentication, or the OTP authentication for a given participant.
You can use both at in the saem agreement for the same participant.
Now Adobe Sign auth means that the signer needs to have an Adobe Sign account. Therefore this method works best when the sender is sending the agreement to signer who are in the same Adobe Sign account as the sender (aka internal signers)
For external signers the sender may not know if the signer has an Adobe Sign account, so it's better to use the OTP option.
As said the Adobe Sign login is governed by the overall SSO setting for that Sign account. If the SSO is configured to do a Phone OTP, then that's something that is controlled in the SSO Id provider. (though I've not heard of OTP being used for SSO, more common SSO is to login in compnaycertificates/smart cards)
Wether that's overkill or not will depending on your company policies and/or GXP./cfr21 audit person.
Also this article and link to Montrium Sign validaiton pack for cfr21 compliance may be useful if you haven't seen it already:
https://helpx.adobe.com/uk/sign/using/21-cfr-validation-pack.html