Signing server preferences

Add Signature Server in a Role

  1. Log in with your enterprise admin credentials.

  2. Click "Configuration" in the left menu.

  3. Choose "Roles" under People options in Enterprise Administration.

  4. Search for and select the desired role, then click the "Edit" button in the left panel.

  5. Expand the "Signature Server Preferences" tab and click "Add a Signing Server".

  6. Configure the settings as required.

  7. Click the "Done" button.

See the table below for a description of each field.

Fields
Description

SIGNING SERVER

Keys location

Select the "Keys Location", which displays the following options:

  • Server

  • Client Held Keys

Signing server

The Signing Server list will display the available signing servers, based on your service plan configurations.

You can choose to add a signature appearance to be used for the selected signing server. The "Signature Appearance" list will display the available signature appearances allowed in your service plan. If a signature appearance was set against this signing server in the service plan, it will be selected as the "Signature Appearance", by default. The user can choose to change the default "Signature Appearance" as per their requirements. If the user selects a signature appearance that includes a logo, the "Signature Logo" field will appear, allowing the user to upload a logo. The "Signature Logo" is an optional field. The uploaded logo will be used in the signature appearance when signing with this specific signing server. If a logo has not been uploaded, the system will use the "Signature Logo" configured in the "Branding" section.

Only select a "Signature Appearance" if you want the users to use a fixed signature appearance when signing with this specific signing server. If a signature appearance has not been selected, the system will allow the users to sign using the signature appearances allowed in the user role.

Level of Assurance

The list of levels of assurance available for the selected server at the time of signing.

  • Qualified Electronic Signature (QES)

  • Advanced Electronic Signature (AES)

  • High Trust Advanced Signature (AATL)

  • Electronic Seal (eSeal)

  • Advanced Electronic Seal (AdESeal)

  • Qualified Electronic Seal (QESeal)

Default signature appearance

Select the default signature appearance for this server. The user will be able to modify it based on the role settings.

  • Hand Signature with Details and Logo

  • Hand Signature with Details

  • Hand Signature Only

Signature Logo

  • This logo will be used only for those signature appearances which have a company logo to display.

CAPACITIES

Capacities

This screen lets you configure different "Signing Capacities" for each Level of Assurance. It enables a user to sign in multiple positions within an organisation. When configured, SigningHub creates multiple certificates for the user according to their allowed capacities in the service plan, categorised by the allowed levels of assurance that are configured in the service plan. The user can pick the desired capacity at signing time, and the related certificate will be used in their signature.

Add the signing capacities as required for the enterprise user(s) belonging to this role, categorised as per level of assurance. The options available in the drop-down list are allowed in your service plan.

If there is only one signing capacity then it will not be displayed in the signing dialog at the time of signing. Only the multiple signing capacities will be displayed in the signing dialog. You can select any one of these available capacities for signing.

Default Signing Capacity

From the capacities selected above, select the one that will be displayed to the user(s) as the default signing capacity while signing.

In a scenario where one or more enterprise users can have the same signing capacities within your enterprise, create a specific role with the desired capacities and simply assign it to them. However, when each user has a different set of signing capacities, then create an exclusive role for each user and configure their signing capacities accordingly.

AUTHENTICATIONS

Authentications

This screen lets you select signing-time authentication methods separately for the role. The Levels of Assurance of the selected Signing Capacities are hierarchically grouped under Organization, User and SigningHub Admin. You can select signing-time authentication methods for each of them separately.

Authentication Method

You can select authentication methods for the SigningHub web and mobile apps against the relevant Levels of Assurance. The available authentication methods are subject to your Service Plan configuration. The selected method will be used as the authentication method when your enterprise users sign their documents through any web browser. You can configure both public and private authentication profiles under "Authentication Method". See the details of authentication methods below. When configuring Remote Authorised Signing (RAS), configure signing capacities for RAS in your Service Plan; the "Authorisation via Mobile App" option will then appear as the Authentication Method for those capacities under 'Signing Capacities for Remote Authorisation (Owned by User)'.

Secondary Authentication Method

Select another authentication method (i.e., Time based One Time Password, One Time Password or No Authentication) from the "Secondary Authentication Method" field. This method will be used in addition to the above mentioned authentication method, giving your enterprise users a provision to use a secondary authentication method at signing time. If a secondary authentication for signing through web browsers is not required, then select "No Authentication" from this field.

Note:
  1. When a new signing server is configured in the user role, it will fetch any signature appearance configurations set against the signing server in the service plan.

  2. When a new enterprise user is registered, if a signature appearance was set against this signing server in the service plan, against the user's role, it will be selected as the "Signature Appearance", by default.

  3. Upon changing the selected signature appearance, any uploaded logo will be removed as well.

  4. The "Signature Appearance" field appears for both server-side signing servers and local-side signing servers.

  5. A passkey authentication profile can be configured as the 'Authentication Method' for the ADSS signing server.

Note:
  1. The same authentication is applied to Electronic Seal (eSeal), Advanced Electronic Seal (AdESeal) and Qualified Electronic Seal (QESeal), although different certificates will be generated accordingly. Therefore, if you have selected the signing capacities of Electronic Seal (eSeal), Advanced Electronic Seal (AdESeal) and Qualified Electronic Seal (QESeal), you will see them bundled as a single authentication on this screen.

Note:
  1. The Signing Servers that can be configured under enterprise roles are subject to your assigned enterprise service plan; only those signing servers that are configured in your service plan will be available under enterprise roles.

  2. When adding a Signing Server for CSC, no signing capacities or level of assurance related information appears.

  3. When adding a Signing Server for Client Held Keys using either ADSS or CSC, no further options appear.

  4. The availability of Time based One Time Password, and One Time Password as a secondary authentication method is subject to your subscribed service plan.

  5. Once the enterprise administrator enforces Time based One Time Password as a secondary authentication method for a signing server against a role, and a user under that role does not have two factor authentication (2FA) configured at the time of signing with that signing server, they will be prompted with a 'Configure Two Factor Authentication' dialogue to set up and provide a Time-based One-Time Password. If the user has already configured two factor authentication (2FA), they will be prompted to provide the Time based One Time Password from the authenticator app configured on their mobile device.

  6. To configure the two-factor authentication (2FA) the user will need to install an authenticator app (Google Authenticator, Microsoft Authenticator, etc.) on their mobile device. The 'Configure Two-Factor Authentication' dialogue shown to the user will contain:

    • QR Code

    • Manual Key

    • Recovery Codes

To set up two-factor authentication (2FA), the user can either scan the QR code or manually enter the Manual Key into an authenticator app. After successful registration, the user must provide the Time-based One-Time Password (TOTP) generated by the app to proceed in SigningHub. A set of recovery codes is also provided in the configuration dialog, which can be used in place of a TOTP to regain access if the user loses access to their mobile device. Each recovery code is valid for one-time use only, and it is strongly recommended to store them in a secure location. Users can regenerate a new set of recovery codes anytime from the Manage Two Factor Authentication (2FA). If an enterprise user loses access to both their mobile device and recovery codes, or has used all of them, they can contact their enterprise administrator to reset the two factor authentication (2FA) for their account.
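The second-factor behaviour described above (a TOTP from the authenticator app, or a recovery code that works only once) can be modelled as follows. This is an added example, not SigningHub's code: it assumes the RFC 6238 defaults used by common authenticator apps (HMAC-SHA1, 30-second step, 6 digits), and `SecondFactor`, the Manual Key and the recovery codes are hypothetical, constructed values. It also rejects reuse of an already accepted time step, a check the page does not describe.

```python
import base64
import hashlib
import hmac
import struct

STEP, DIGITS = 30, 6  # assumed RFC 6238 defaults; the page does not state SigningHub's values


def totp(manual_key: str, counter: int) -> str:
    """RFC 6238 code (HMAC-SHA1) for one time-step counter, from a base32 Manual Key."""
    key = manual_key.replace(" ", "").upper()
    key += "=" * (-len(key) % 8)  # authenticator keys are often shown unpadded
    mac = hmac.new(base64.b32decode(key), struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def _digest(code: str) -> str:
    return hashlib.sha256(code.encode()).hexdigest()


class SecondFactor:
    """Hypothetical verifier: accepts a TOTP, or a recovery code exactly once."""

    def __init__(self, manual_key: str, recovery_codes: list[str]):
        self.manual_key = manual_key
        self.recovery = {_digest(c) for c in recovery_codes}  # store hashes only
        self.last_counter = -1  # highest time step already accepted

    def verify(self, submitted: str, unix_time: int, window: int = 1):
        now = unix_time // STEP
        for counter in range(now - window, now + window + 1):
            if counter <= self.last_counter:
                continue  # never accept the same or an older time step twice
            expected = totp(self.manual_key, counter)
            if hmac.compare_digest(expected.encode(), submitted.encode()):
                self.last_counter = counter
                return "totp"
        if _digest(submitted) in self.recovery:
            self.recovery.discard(_digest(submitted))  # one-time use
            return "recovery"
        return None


# Constructed sample data: the RFC 6238 test secret in base32, made-up recovery codes.
MANUAL_KEY = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
if __name__ == "__main__":
    sf = SecondFactor(MANUAL_KEY, ["RC-0001-EXAMPLE", "RC-0002-EXAMPLE"])
    print(sf.verify("287082", 59), sf.verify("287082", 59))
    print(sf.verify("RC-0001-EXAMPLE", 59), sf.verify("RC-0001-EXAMPLE", 59))
```

Storing only hashes of the recovery codes means a leaked verifier database does not directly reveal usable codes.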

Authentication Methods:

When the "Key Protection Option" is set to 'System Password' (i.e., Sole Control is off) in certification profiles under SigningHub Admin configurations, SigningHub lets you choose a third-party authentication option for your enterprise users. You may select any of the following 15 options, through which your enterprise users can authenticate themselves for server-side signing.

  • No Authentication:

Select this option to let your enterprise users sign their documents directly without any authentication. In this case, their server-based certificate will be used for signing, but the system will not prompt for any password or OTP.

  • SigningHub ID:

Select this option to allow enterprise users to use their SigningHub account password to sign their documents.

  • Microsoft Active Directory:

Select this option to allow enterprise users to use their Active Directory credentials to sign their documents. SigningHub will require their user ID (as registered in the organisational Active Directory) and domain password for the signing activity. You can authenticate using your Active Directory credentials at the time of signing while having a different email address, and vice versa.

  • Microsoft ADFS:

Select this option to allow enterprise users to use their ADFS credentials to sign their documents. SigningHub will require their user ID (as registered in cloud ADFS) and domain password for the signing activity. You can authenticate using your ADFS credentials at the time of signing while having a different email address, and vice versa.

  • Microsoft Office 365:

Select this option to allow enterprise users to use their Microsoft Office 365 credentials to sign their documents. SigningHub will require their Office 365 credentials (ID and password) for the signing activity. If your enterprise user has logged in through SigningHub ID and wants to sign with Microsoft Office 365 credentials, their SigningHub ID (email address) and Office 365 ID (email address) must be the same.

  • Salesforce:

Select this option to allow enterprise users to use their Salesforce credentials to sign their documents. SigningHub will require their Salesforce credentials (ID and password) for the signing activity. You can authenticate using your Salesforce credentials at the time of signing while having a different email address, and vice versa.

  • LinkedIn:

Select this option to allow enterprise users to use their LinkedIn credentials to sign their documents. SigningHub will require their LinkedIn credentials (ID and password) for the signing activity. You can authenticate using your LinkedIn credentials at the time of signing while having a different email address, and vice versa.

  • Google:

Select this option to allow enterprise users to use their Google credentials to sign their documents. SigningHub will require their Google credentials (ID and password) for the signing activity. You can authenticate using your Google credentials at the time of signing while having a different email address, and vice versa.

  • Freja eID:

Select this option to allow your enterprise users to use their Freja eID authentication to sign their documents. Whenever your enterprise user attempts to sign a document, a signing request will be sent to their mobile device running the Freja eID app. Upon confirmation from the Freja eID app, the document will be signed.

  • Authorisation via Mobile App:

Select this option as the Authentication Method to allow your enterprise users to use the remote authorised signing provision. This option will only appear for the capacities that have Qualified Electronic Signature (QES) configured as the level of assurance and appear under the 'Signing Capacities for Remote Authorization (Owned by User)' category.

  • OAuth2:

Select this option to allow enterprise users to use your IDP credentials (OAuth2 supported protocol) to sign their documents. SigningHub will require their IDP credentials (ID and password) for the signing activity. You can authenticate using your IDP credentials at the time of signing while having a different email address, and vice versa.

  • OIDC:

Select this option to allow enterprise users to use your IDP credentials (OIDC supported protocol) to sign their documents. SigningHub will require their IDP credentials (ID and password) for the signing activity. You can authenticate using your IDP credentials at the time of signing while having a different email address, and vice versa.

Note:
  1. When you update a role in a production environment, the saved changes are applicable to the related users on their next login.

  2. The drop-down list of "Authentication Method" (i.e., SigningHub ID, Salesforce, Microsoft Active Directory, LinkedIn, Google, Bank ID etc.) in server-side signing depends on the key protection option under your certification profiles. If you are unable to find the required authentication method in the list, contact support.

  3. The availability of "OTP via SMS" is subject to your subscribed service plan. If you are unable to find this option in your account, upgrade your service plan.

  4. "Authorisation via Mobile App" is subject to the signing profile that is configured in your service plan. If there is a signing capacity added for remote authorisation signing under your signing profile, then these capacities will appear under signature settings under the label 'Signing Capacities for Remote Authorisation (Owned by User)'. If you are unable to find this option in your account, contact support.
