Implementing Leaver Use Case for DocuSign Using SailPoint IdentityNow Workflow


Overview

While working on a client implementation using the DocuSign eSignature Direct Connector in SailPoint IdentityNow, I successfully configured Joiner and Mover use cases. However, I encountered a limitation: Leaver functionality is not natively supported, as the connector lacks an option to disable user accounts.

To meet the client’s requirement of closing user accounts during the Leaver process, I collaborated with the DocuSign application team and devised a custom solution using DocuSign REST APIs and SailPoint Workflows.


Problem

The DocuSign eSignature Direct Connector does not support account disablement or deactivation, which is critical for offboarding (Leaver process).


Solution Approach

By leveraging DocuSign’s Close User API, I implemented a custom integration via HTTP operations in SailPoint Workflows. This API requires a JWT Bearer Token, which can be reused due to its long lifespan.

DocuSign API Reference


Step-by-Step Implementation

1. JWT Authentication for Access Token

To access the DocuSign API securely, I used the JWT OAuth grant type, which supports long-lived tokens (up to 10 years).

Required Parameters:

  • user_id
  • integration_key (Client ID)
  • private_key (RSA key)

Refer to the DocuSign JWT Authentication Guide for detailed steps.

JWT Claim Tips:

Generate Access Token:

POST https://account-d.docusign.com/oauth/token
Content-Type: application/json

{
"grant_type": "urn:ietf:params:oauth:grant-type:jwt-bearer",
"assertion": "YOUR_JWT"
}

2. Calling the Close User API

Once the token is obtained, use it in the Authorization header to call the Close User API:

DELETE https://account-d.docusign.com/restapi/v2.1/accounts/{accountId}/users/{userId}
Authorization: Bearer {access_token}

3. Workflow Configuration in SailPoint IdentityNow

  1. Trigger: Use Native Change Detection to monitor userStatus from the authoritative source.
  2. Condition: If status == inactive, initiate the workflow.
  3. Step 1 – Get Token:
     • Add HTTP Operation to generate the Bearer token.
  4. Step 2 – Close Account:
     • Add another HTTP Operation to call the Close User API with the token.







Summary

By integrating SailPoint Workflows with DocuSign’s REST API, I successfully implemented the Leaver use case despite the limitations of the native connector. This approach provides a scalable, API-driven way to manage user lifecycle events beyond what’s offered out-of-the-box.

3 Likes
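The control flow of the workflow in the post above (condition, Get Token, Close Account), written out as an added Python example that is not part of the original post and is not SailPoint or DocuSign code. The two URLs and the grant type are the ones quoted in the post; the event shape, the `send` transport and the stub replies are hypothetical and constructed so the block runs offline.

```python
import json
from urllib.parse import quote

TOKEN_URL = "https://account-d.docusign.com/oauth/token"
CLOSE_URL = "https://account-d.docusign.com/restapi/v2.1/accounts/{accountId}/users/{userId}"
GRANT = "urn:ietf:params:oauth:grant-type:jwt-bearer"

def run_leaver(event, assertion, account_id, send):
    """Condition -> Get Token -> Close Account, failing closed on any error.

    event: hypothetical change record {"userId", "attribute", "newValue"}.
    send(method, url, headers, body) -> (status, text): hypothetical transport
    standing in for the workflow's HTTP Operation.
    Returns an audit dict that never holds the assertion or the token.
    """
    user_id = event.get("userId")
    audit = {"userId": user_id, "steps": []}
    if (not user_id or event.get("attribute") != "userStatus"
            or event.get("newValue") != "inactive"):
        audit["result"] = "skipped"        # condition not met: no API call at all
        return audit
    status, text = send("POST", TOKEN_URL, {"Content-Type": "application/json"},
                        json.dumps({"grant_type": GRANT, "assertion": assertion}))
    audit["steps"].append(["get_token", status])
    token = None
    if 200 <= status < 300:
        try:
            token = json.loads(text).get("access_token")
        except (ValueError, TypeError, AttributeError):
            token = None                   # malformed body counts as a failure
    if not token:
        audit["result"] = "token_failed"   # never send DELETE without a token
        return audit
    url = CLOSE_URL.format(accountId=quote(account_id, safe=""),
                           userId=quote(user_id, safe=""))  # keep IDs inside one path segment
    status, _ = send("DELETE", url, {"Authorization": "Bearer " + token}, None)
    audit["steps"].append(["close_user", status])
    audit["result"] = "closed" if 200 <= status < 300 else "close_failed"
    return audit

def make_stub(token_status=200, close_status=200):
    """Constructed offline transport: records calls, returns canned replies."""
    calls = []
    def send(method, url, headers, body):
        calls.append((method, url, headers))
        if method == "POST":
            return token_status, json.dumps({"access_token": "constructed-token"})
        return close_status, ""
    return send, calls
```

A `token_failed` or `close_failed` result means the leaver's account is still open, so that outcome is the one to alert on.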

Nice info Harsh, thanks

1 Like

You're welcome @Chaithu9110

Hi @hkhandale,

This is a great implementation, thank you for sharing in such detail!

In my experience, whenever an OOTB connector falls short of supporting all required operations (like account disablement in this case), I’ve usually taken the route of building a Web Services connector or a fully custom connector from scratch. While that gives complete control over the integration logic, it also introduces overhead in terms of connector maintenance and deployment complexity.

I really appreciate your approach here: leveraging Workflows to complement the native DocuSign connector functionality is a smart and modular way to extend capabilities without going full custom.

Hi @TheOneAMSheriff ,

Thank you so much for taking the time to go through my post and share your insights!

I really appreciate your kind words and the perspective you provided. I completely agree: while custom connectors offer flexibility, the added maintenance can be challenging. That’s exactly why I opted for a workflow-based approach here, to strike a balance between control and simplicity.

Glad to hear the approach resonated with you!

1 Like