How do I secure my DocuSign Connect HTTPS listener so that only requests from DocuSign are accepted?
I have read the Connect service guide and am unclear on whether the following setting can be used for this purpose:
- Does this setting apply to both the SOAP and HTTPS listener interfaces?
Yes, it does indeed apply to both listener interfaces.
- Can this setting be used to secure my listener so that only DocuSign requests will be accepted?
Yes, that's what using the X509 certificates accomplishes.
- How do I set up my service to validate the signed message as valid?
It is dependent on the encryption technology you decide to use. If you have something chosen already, you should be able to go through its documentation to find out how to verify the messages. Oftentimes it will be a binary security token in the header.
More Info
Additionally, please note that DocuSign uses the standard WSE3 BinarySecurityToken in the SoapHeader to pass the certificate.
From Page #9 of the DocuSign Connect Service Guide
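
As an added illustration (not code from the answer or from DocuSign), the sketch below shows one listener-side precheck: pull the X.509 certificate out of the `BinarySecurityToken` in the SOAP header and compare its SHA-256 fingerprint with a pinned value. It assumes the OASIS WS-Security 1.0 namespaces; the helper names, sample envelope and certificate bytes are constructed. A certificate is public, so this check only means something once the message's XML signature has also been verified against that same certificate with an XML signature library.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Assumed namespaces: SOAP 1.1 envelope and OASIS WS-Security 1.0.
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE_NS = ("http://docs.oasis-open.org/wss/2004/01/"
           "oasis-200401-wss-wssecurity-secext-1.0.xsd")
X509V3 = ("http://docs.oasis-open.org/wss/2004/01/"
          "oasis-200401-wss-x509-token-profile-1.0#X509v3")

def token_fingerprint(envelope: bytes) -> str:
    """SHA-256 hex fingerprint of the single X.509 token in the SOAP header."""
    if b"<!DOCTYPE" in envelope.upper():
        raise ValueError("DTDs are not accepted")  # refuse entity tricks
    root = ET.fromstring(envelope)
    path = (f"{{{SOAP_NS}}}Header/{{{WSSE_NS}}}Security/"
            f"{{{WSSE_NS}}}BinarySecurityToken")
    tokens = root.findall(path)
    if len(tokens) != 1:  # zero or several tokens is ambiguous: reject
        raise ValueError("expected exactly one BinarySecurityToken")
    if tokens[0].get("ValueType") != X509V3:
        raise ValueError("token is not an X.509 v3 certificate")
    der = base64.b64decode("".join((tokens[0].text or "").split()), validate=True)
    if not der:
        raise ValueError("empty token")
    return hashlib.sha256(der).hexdigest()

def is_pinned(envelope: bytes, pinned: set) -> bool:
    """True only if the header certificate matches a pinned fingerprint."""
    try:
        fp = token_fingerprint(envelope)
    except (ValueError, ET.ParseError):
        return False  # fail closed on anything malformed
    return any(hmac.compare_digest(fp, p.lower()) for p in pinned)

# Constructed sample: placeholder bytes stand in for the DER certificate.
FAKE_DER = b"constructed-placeholder-certificate-bytes"
SAMPLE = (
    f'<soap:Envelope xmlns:soap="{SOAP_NS}" xmlns:wsse="{WSSE_NS}">'
    f'<soap:Header><wsse:Security><wsse:BinarySecurityToken ValueType="{X509V3}">'
    f'{base64.b64encode(FAKE_DER).decode()}'
    '</wsse:BinarySecurityToken></wsse:Security></soap:Header>'
    '<soap:Body/></soap:Envelope>').encode()
PINNED = {hashlib.sha256(FAKE_DER).hexdigest()}  # placeholder pin

if __name__ == "__main__":
    print(is_pinned(SAMPLE, PINNED))
```

In a real listener the pinned set would hold the fingerprint of the certificate obtained from DocuSign out of band, and the request would be rejected before any business logic runs when either this check or the signature verification fails.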