When using an on-premises installation, SigningHub gives you an option to use your Microsoft Active Directory credentials to log into SigningHub. You don't even need to have a SigningHub ID, as your organizational domain user ID and password will be used for SigningHub authentication. In such a case, logging in through your Microsoft Active Directory credentials for the first time, will take you to the registration screen and display your Microsoft Active Directory ID (email address) for new registration. After registration, you can log in through your Microsoft Active Directory credentials. However, if the "Automatically register the users" option is enabled from the "Auto Provision Users" screen, and an Active Directory has been selected as an Authentication Profile, then the registration screen will not be displayed, as the provisioned Active Directory users from there will be automatically registered and activated in SigningHub.
Browse your local on-premises installation URL.
Click the "More Login Options" link available at the bottom of the login screen. A dialogue box will appear listing all the supported authentication methods.
Click the "Microsoft Active Directory" option.
Specify your user ID (registered in Active Directory) and domain password.
Click the "Login" button.
Single sign-on (SSO) is an authentication process that allows a user to utilise his specific credentials (ID and password) to access multiple applications. The process authenticates the user for all the applications they have been given rights and avoids further prompts when they switch applications during a particular session. The "Microsoft Active Directory" authentication method also supports the Single sign-on (SSO) facility. To configure this, go to the integration screen and select "Active Directory" in the "Default Authentication Method" drop-down. However, there are certain browser based configurations that need to be done at the client's end, in order to seamlessly use SSO against the "Microsoft Active Directory" authentication method.
When accessing the SigningHub app through Microsoft Internet Explorer or Google Chrome for SSO, an individual would need to do the following configurations:
Open the "Internet Options" dialogue box by choosing "Internet Options" either from the Control Panel or from the "Tools" menu in Internet Explorer.
In the "Internet Options" dialog box, on the "Security" tab, select "Local intranet", and then click "Custom Level".
In the "Security Settings" dialogue box, under "Logon", select "Automatic logon only in Intranet zone", and then click "OK".
In the "Internet Options" dialogue box on the "Security Settings" tab with "Local intranet" still selected, click "Sites".
In the "Local intranet" dialogue box, click "Advanced".
In the next dialogue box (also titled "Local intranet"), type the URL of your Communicator Web Access site (for example, https://web.signinghub.com) in the "Add this Web site to the zone box", and then click "Add".
In the "Local intranet" dialog, box click "OK".
In the original "Local intranet" dialogue box, click "OK".
In the "Internet Options" dialogue box, click "OK".
When the end users (within Active Directory) need to access the SigningHub app through Microsoft Internet Explorer or Google Chrome for SSO, a network administrator could make the following browser configurations for all the users through Group Policy:
Open the Group Policy Management Console, and then either create a new Group Policy Object (GPO) or edit an existing GPO.
Expand "Computer Configuration", expand "Policies", expand "Administrative Templates", expand "Windows Components", expand "Internet Explorer", expand "Internet Control Panel", and then click "Security Page".
In the details pane, double-click "Site to Zone Assignment List".
In the "Site to Zone Assignment List Properties" dialog box, click "Enabled".
In the "Site to Zone Assignment List Properties" dialog box, click "Show".
In the "Show Contents" dialogue box, click "Add".
In the "Add Item" dialogue box, type the URL of your Communicator Web Access site (for example, https://web.signinghub.com) in the "Enter the name of the item to be added" box.
Type "1" (indicating the local intranet zone) in the "Enter the value of the item to be added" box, and then click "OK".
In the "Show Contents" dialogue box, click "OK".
In the "Site to Zone Assignment List" dialog box, click "OK".
In the Group Policy Management Editor, click "Intranet Zone".
In the details pane, double-click "Logon options".
In the "Logon options Properties" dialogue box, click "Enabled".
In the "Logon options" list, click "Automatic logon only in Intranet zone", and then click "OK".
Close the Group Policy Management Editor.
When accessing the SigningHub app through Mozilla Firefox for SSO, an individual would need to do the following configurations:
Browse the URL "about:config" in Firefox.
Click the "I'll be careful, I promise!" button.
In the next appearing screen, search the "network.negotiate-auth.trusted-uris" preference and double-click on it.
A dialogue box will appear, specify the URL of your Communicator Web Access site (for example, https://web.signinghub.com) and click "OK".
You need to authenticate once in a browser, so that it may keep your session. After that no need to authenticate again in the same browser for login and/ or signing.
As a part of GDPR compliance, the "Service Agreement" dialogue box will appear after successful user authentication. This dialogue box contains the links to the "Terms of Service" and "Privacy Policy" pages. SigningHub will ensure that you agree to them before letting you use your account.
The "Service Agreement" dialogue box will not appear after successful user authentication if no Service Agreement is marked active.
When using an on-premises installation of SigningHub and this is the only configured authentication for the end-users, then you won't need to click the "More Login Options" link to choose it. In that case, this authentication method will be invoked by default on the Login screen.
Users cannot log in to SigningHub if their account is disabled, marked as dormant, or temporarily locked due to multiple invalid login attempts.
SigningHub gives you the option to pre-authorise users in your Microsoft Active Directory so that they may serve as your registered enterprise users. In this way, your enterprise users can use their Directory credentials (i.e. organizational domain user ID and password) for SigningHub authentication, and won't even need to create their SigningHub IDs.
Configure an Active Directory connector in SigningHub Admin.
Configure the connector in an authentication profile, in SigningHub Admin.
Configure auto provisioning in SigningHub Web.
Configure a security group for auto-provisioning.
Auto-provision users at the time of login.
Make the following configurations to a connector in SigningHub Admin:
In the "Basic Information" section, choose "Active Directory" as the "Provider".
In the "Details" section, fill in the required fields.
This domain user does not necessarily need to have administrator rights in Active Directory. Here are the important considerations about the user connecting with the Domain Controller:
Must exist in Active Directory, i.e. a valid Active Directory user.
Must be an active user of Active Directory, i.e. should not be set as disabled.
Must have the "Read" permissions on Active Directory to read the Security Groups and email addresses of all the users.
Make the following configurations to an authentication profile in SigningHub Admin:
Select the Active Directory Connector created earlier, in the highlighted field below:
If you want to allow access to specific authorised security groups in your Active Directory (i.e. Sales, Marketing, Accounts, etc.), enter the name of the security groups, with comma separation, in the "Allowed Groups" field to be used for provisioning in SigningHub.
If the "Allowed Groups" field is left blank, then all the domain users of a directory would be able to authenticate by using the authentication profile.
The "Fully Qualified Domain Name" field refers to the complete domain name that has been configured by your IT Administrator and consists of all the domain users, i.e. mysigninghub.com.
To see in detail, how to pre-authorise users in SigningHub, click here.
Make the following configurations in the "Users" tab in SigningHub Web:
In the "Auto Provision Users" section, check the "Automatically register the users" check box and select the "Authentication Profile", created earlier. Click the "Save" button.
All the users that belong to the selected authentication profile will be authorised through Active Directory upon login and will be automatically registered and activated in SigningHub under the default SigningHub role, provided that provisioning is not enabled by any other enterprise within the same on-premises deployment.
If multiple enterprises have been configured within an on-premises deployment, then the "Automatically register the users" check box should be ticked for only one enterprise.
Both public and private authentication profiles will be visible in the "Authentication Profile" drop-down for pre-authorising users.
To see in detail, how to manage security groups in SigningHub, click here.
SingingHub also allows you to give role-based access to SigningHub (i.e. Enterprise Admin, Enterprise Users, etc.) at the Security Group level.
Make the following configurations to a security group in SigningHub Web:
For the security group, add the name and role of the security group.
The added security group will be listed inside the Security Group grid. All the users that belong to the security group will be automatically registered and activated in SigningHub, upon login, under the specified role.
The names of the security groups are not validated against the security groups in the Active Directory, at this screen, so it is important that the correct security group name is added for successful pre-authorisation upon login.
In case specific authorised security groups in were allowed in the authentication profile, only the security groups will appear in the "Security Group" drop down.
Logging in through your Active Directory credentials for the first time, will take you to the registration screen and display your Active Directory (email address) for new registration. After registration, you can easily log in through your Active Directory credentials. However, if the "Automatically register the users" check box is ticked from the "Auto Provision Users" screen, and an Active Directory has been selected as an Authentication Profile, then the registration screen will not be displayed, as the provisioned Active Directory users from there will be automatically registered and activated in SigningHub.
To see in detail, how to login through Active Directory in SigningHub, click here.
From the "More Login Options" option, select Active Directory.
Provide your Active Directory credentials.
The following login preferences will be followed when logging into SigningHub Web via Active Directory:
| Availability of Security Group in Active Directory | Availability of Security Group in SigningHub Web | System Behaviour |
|---|---|---|
Yes, the security group exists.
Yes, the mapping for the security group exists.
In case the user was already registered, the system will log in the user as per the assigned role.
In case the user was not already registered, the system will register, auto activate, and log in the user as per the assigned role.
Yes, the security group exists.
No, the mapping for the security group does not exist.
In case the user was already registered, the system will log in the user as per the default role.
In case the user was not already registered, the system will register, auto activate, and log in the user as per the default role.
No, the security group does not exist.
N/A
The system will throw an error and will not allow auto-provisioning.
