DocuSign Admin Consent - missing "coid" field


I integrate with DocuSign as an ISV (SaaS product).

I want the authentication process to be of the Admin Consent type using code grant flow. According to what I checked in this way, if a user with admin privileges in DocuSign performs the authentication, he thereby eliminates the need for the other users in his organization to do the identification and grant permissions to my application.

According to what I understood, in order for this process to happen the side that allows me to connect to his DocuSign account needs to have an account with Admin and Organization management capabilities (in DocuSign terms).

I did a POC that simulates this process, and in the process of exchanging the code for the access_token I really received a response that contains the id_token field. When I decoded the id_token, I received an object with several fields, but as far as I understand, the coid field, which is necessary to continue the process, is not there.

My questions are:

  1. Am I correct in my assumption about Admin Consent? My goal is that based on the authentication of one user I will be able to make API requests on behalf of the other users.

  2. Is the coid field really necessary to fulfill the above requirement? And if so, why doesn't it appear for me?


Update - 31/03

Inbar and Larry thanks for your answers.

I read what you wrote and made several changes so that my current situation is this:

  1. I have a demo account that serves as the host for the integration app (holds the integration and secret keys).
  2. I have another account that simulates my customer account. In this account I defined an organization, made a domain claim and added 2 users with an email that matches the domain.

I performed the admin consent process again through one of the users who is defined as admin, so that I got to the point where I receive the code and turn it into an access token. In the response of that request I received the id_token field. After I decoded it I got a list of fields, but the coid field was not part of them.

What am I missing here?

And is it really recommended to do this process and not simply ask for consent from each user individually?

It's just that my product manager is pushing me hard to implement the Admin Consent to make it easier for our users to use the integration I'm developing.

2

There are 2 answers

3
Inbar Gazit On
  1. Yes, you are correct. What you are trying to do is what we call obtain admin consent for external applications. It appears you already are following this article in order to complete your work.

  2. Yes, these IDs are also called organizationID, and they are required for this type of admin consent. It can only be done for users/accounts that are part of an organization.

This shows you what organization, accounts, and users are in DocuSign:

[image: diagram of organizations, accounts, and users in DocuSign]

You will need to create an organization (or have your customers do that) and it's documented in this article.
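As an added illustration (not code from the question or from either answer), a stdlib-only Python helper that parses the claims segment of an id_token and reports whether a `coid` claim is present, which is the check the asker is doing by hand. The tokens below are constructed samples with a placeholder signature and placeholder issuer, and the helper deliberately does not verify signatures; a real integration must verify the token against the issuer's published keys before trusting any claim in it.

```python
import base64
import json
import time
from typing import Optional


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore padding before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def id_token_claims(id_token: str) -> dict:
    """Return the claims (payload) of a compact JWS id_token.

    Parsing only: the signature is NOT verified here. Verify it against the
    issuer's published keys before acting on anything this returns.
    """
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("id_token is not a three-part compact JWT")
    header = json.loads(_b64url_decode(parts[0]))
    if str(header.get("alg", "none")).lower() == "none":
        raise ValueError("refusing unsigned token (alg=none)")
    return json.loads(_b64url_decode(parts[1]))


def check_admin_consent_claims(id_token: str, now: Optional[int] = None) -> dict:
    """Summarise whether the id_token carries what admin consent needs (coid)."""
    claims = id_token_claims(id_token)
    now = int(time.time()) if now is None else now
    return {
        "expired": "exp" in claims and claims["exp"] < now,
        "has_coid": "coid" in claims,
        "coid": claims.get("coid"),
        "claims_present": sorted(claims),
    }


def _make_token(claims: dict) -> str:
    # Constructed sample only: placeholder signature, never a real DocuSign token.
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.placeholder-signature"


# Constructed tokens: the first mirrors the question (several claims, no coid).
_BASE = {"iss": "https://issuer.example", "sub": "user-guid-placeholder", "exp": 2000000000}
SAMPLE_NO_COID = _make_token(_BASE)
SAMPLE_WITH_COID = _make_token({**_BASE, "coid": "org-guid-placeholder"})
```

Run `check_admin_consent_claims` on the id_token returned by your own code exchange; if `has_coid` is false, the signing-in user is not being recognised as an organization admin of a claimed domain, which is the situation the answers above describe.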

1
Larry K On

So, to re-phrase:

  • You're an ISV. Your application is used by your customers with the customer's preexisting DocuSign accounts.
  • You want your customers' admins to provide administrative consent for when your customers' employees use your app.

Answers

In order for your customers to use administrative consent:

  • Your customers need to have their eSign accounts "owned" by a DocuSign "organization"
  • The organization must have "claimed" one or more DNS domains (eg customer.com)
  • The eSign account(s) users must have email addresses within the claimed DNS domain. Eg, [email protected]. Users who use gmail or other addresses can still be account users, but the org admin can't administratively grant consent for them.
  • Your app needs to implement Administrative consent for external applications docs. This consent flow will enable your customers' org admins to administratively grant consent to your app if the above requirements were met.

Notes

  • Many smaller DocuSign customers don't have an org setup, or they haven't claimed a DNS domain. So if these types of businesses/organizations are your potential customers, you will not be able to provide administrative consent to them.
  • If your end customers' employees are using authorization code grant (highly recommended), then consent is requested within the flow of the first authentication. This works pretty well.
  • If you're planning to use JWT grant, then you do need to plan things out carefully. Your app can provide a link for the employees to click on to grant consent (after authenticating.) This is a one time operation, so it isn't so bad.

See my blog post on obtaining consent for more ideas.