Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
When using a cloud-based installation, SigningHub gives you an option to use your Microsoft Active Directory Federation Services (ADFS) credentials to log into SigningHub. In this case, you don't even need to have a SigningHub ID, as your organizational domain user ID and password will be used for SigningHub authentication. However, logging in through your Microsoft ADFS credentials for the first time, will take you to the registration screen and display your Microsoft ADFS ID (email address) for new registration. After registration, you can easily login through your Microsoft ADFS credentials.
Go to the SigningHub login screen.
Click the "More Login Options" link available at the bottom of the login screen. A dialogue box will appear listing all the supported authentication methods.
Click the "Microsoft ADFS" option.
A popup will appear, specify your domain user ID (registered in Active Directory) and password. Click "Ok".
From the next appearing screen, select the relying party from the "Select one of the following sites" option. Click "Go".
As a part of GDPR compliance, the "Service Agreement" dialogue box will appear after successful user authentication. This dialogue box contains the links to the "Terms of Service" and "Privacy Policy" pages. SigningHub will ensure that you agree to them before letting you use your account.
The "Service Agreement" dialogue box will not appear after successful user authentication if no Service Agreement is marked active.
When using an on-premises installation of SigningHub and this is the only configured authentication for the end-users, then you won't need to click the "More Login Options" link to choose it. In that case, this authentication method will be invoked by default on the Login screen.
Users cannot log in to SigningHub if their account is disabled, marked as dormant, or temporarily locked due to multiple invalid login attempts.
When using an on-premises installation, SigningHub gives you an option to use your Microsoft Active Directory credentials to log into SigningHub. You don't even need to have a SigningHub ID, as your organizational domain user ID and password will be used for SigningHub authentication. In such a case, logging in through your Microsoft Active Directory credentials for the first time, will take you to the registration screen and display your Microsoft Active Directory ID (email address) for new registration. After registration, you can log in through your Microsoft Active Directory credentials. However, if the "Automatically register the users" option is enabled from the "Auto Provision Users" screen, and an Active Directory has been selected as an Authentication Profile, then the registration screen will not be displayed, as the provisioned Active Directory users from there will be automatically registered and activated in SigningHub.
Browse your local on-premises installation URL.
Click the "More Login Options" link available at the bottom of the login screen. A dialogue box will appear listing all the supported authentication methods.
Click the "Microsoft Active Directory" option.
Specify your user ID (registered in Active Directory) and domain password.
Click the "Login" button.
Single sign-on (SSO) is an authentication process that allows a user to utilise his specific credentials (ID and password) to access multiple applications. The process authenticates the user for all the applications they have been given rights and avoids further prompts when they switch applications during a particular session. The "Microsoft Active Directory" authentication method also supports the Single sign-on (SSO) facility. To configure this, go to the integration screen and select "Active Directory" in the "Default Authentication Method" drop-down. However, there are certain browser based configurations that need to be done at the client's end, in order to seamlessly use SSO against the "Microsoft Active Directory" authentication method.
When accessing the SigningHub app through Microsoft Internet Explorer or Google Chrome for SSO, an individual would need to do the following configurations:
Open the "Internet Options" dialogue box by choosing "Internet Options" either from the Control Panel or from the "Tools" menu in Internet Explorer.
In the "Internet Options" dialog box, on the "Security" tab, select "Local intranet", and then click "Custom Level".
In the "Security Settings" dialogue box, under "Logon", select "Automatic logon only in Intranet zone", and then click "OK".
In the "Internet Options" dialogue box on the "Security Settings" tab with "Local intranet" still selected, click "Sites".
In the "Local intranet" dialogue box, click "Advanced".
In the next dialogue box (also titled "Local intranet"), type the URL of your Communicator Web Access site (for example, https://web.signinghub.com) in the "Add this Web site to the zone box", and then click "Add".
In the "Local intranet" dialog, box click "OK".
In the original "Local intranet" dialogue box, click "OK".
In the "Internet Options" dialogue box, click "OK".
When the end users (within Active Directory) need to access the SigningHub app through Microsoft Internet Explorer or Google Chrome for SSO, a network administrator could make the following browser configurations for all the users through Group Policy:
Open the Group Policy Management Console, and then either create a new Group Policy Object (GPO) or edit an existing GPO.
Expand "Computer Configuration", expand "Policies", expand "Administrative Templates", expand "Windows Components", expand "Internet Explorer", expand "Internet Control Panel", and then click "Security Page".
In the details pane, double-click "Site to Zone Assignment List".
In the "Site to Zone Assignment List Properties" dialog box, click "Enabled".
In the "Site to Zone Assignment List Properties" dialog box, click "Show".
In the "Show Contents" dialogue box, click "Add".
In the "Add Item" dialogue box, type the URL of your Communicator Web Access site (for example, https://web.signinghub.com) in the "Enter the name of the item to be added" box.
Type "1" (indicating the local intranet zone) in the "Enter the value of the item to be added" box, and then click "OK".
In the "Show Contents" dialogue box, click "OK".
In the "Site to Zone Assignment List" dialog box, click "OK".
In the Group Policy Management Editor, click "Intranet Zone".
In the details pane, double-click "Logon options".
In the "Logon options Properties" dialogue box, click "Enabled".
In the "Logon options" list, click "Automatic logon only in Intranet zone", and then click "OK".
Close the Group Policy Management Editor.
When accessing the SigningHub app through Mozilla Firefox for SSO, an individual would need to do the following configurations:
Browse the URL "about:config" in Firefox.
Click the "I'll be careful, I promise!" button.
In the next appearing screen, search the "network.negotiate-auth.trusted-uris" preference and double-click on it.
A dialogue box will appear, specify the URL of your Communicator Web Access site (for example, https://web.signinghub.com) and click "OK".
You need to authenticate once in a browser, so that it may keep your session. After that no need to authenticate again in the same browser for login and/ or signing.
As a part of GDPR compliance, the "Service Agreement" dialogue box will appear after successful user authentication. This dialogue box contains the links to the "Terms of Service" and "Privacy Policy" pages. SigningHub will ensure that you agree to them before letting you use your account.
The "Service Agreement" dialogue box will not appear after successful user authentication if no Service Agreement is marked active.
When using an on-premises installation of SigningHub and this is the only configured authentication for the end-users, then you won't need to click the "More Login Options" link to choose it. In that case, this authentication method will be invoked by default on the Login screen.
Users cannot log in to SigningHub if their account is disabled, marked as dormant, or temporarily locked due to multiple invalid login attempts.
SigningHub gives you an option to use your LinkedIn credentials to log into SigningHub. In this case, you don't even need to have a SigningHub ID, as your LinkedIn account will be used for SigningHub authentication. However, logging in through your LinkedIn account for the first time, will take you to the registration screen and display your LinkedIn ID (email address) for new registration. After registration, you can easily login through your LinkedIn account.
Go to the SigningHub login screen.
Click the "More Login Options" link available at the bottom of the login screen. A dialogue box will appear listing all the supported authentication methods.
Click the "LinkedIn" option. The LinkedIn app will appear in a popup.
Specify your LinkedIn ID and password in the app.
Click the "Log into LinkedIn" button. SigningHub permissions screen will appear.
Click the "Allow" option. The system will let you log into SigningHub.
As a part of GDPR compliance, the "Service Agreement" dialogue box will appear after successful user authentication. This dialogue box contains the links to the "Terms of Service" and "Privacy Policy" pages. SigningHub will ensure that you agree to them before letting you use your account.
The "Service Agreement" dialogue box will not appear after successful user authentication if no Service Agreement is marked active.
When using an on-premises installation of SigningHub and this is the only configured authentication for the end-users, then you won't need to click the "More Login Options" link to choose it. In that case, this authentication method will be invoked by default on the Login screen.
Users cannot log in to SigningHub if their account is disabled, marked as dormant, or temporarily locked due to multiple invalid login attempts.
SigningHub gives you an option to use your Salesforce credentials to log into SigningHub. In this case, you don't even need to have a SigningHub ID, as your Salesforce account will be used for SigningHub authentication. However, logging in through your Salesforce account for the first time, will take you to the registration screen and display your Salesforce ID (email address) for new registration. After registration, you can easily login through your Salesforce account.
Go to the SigningHub login screen.
Click the "More Login Options" link available at the bottom of the login screen. A dialogue box will appear listing all the supported authentication methods.
Click the "Salesforce" option. The Salesforce app will appear in a popup.
Specify your Salesforce ID and password in the app.
Click the "Log into Salesforce" button. SigningHub permissions screen will appear.
Click the "Allow" option. The system will let you log into SigningHub.
As a part of GDPR compliance, the "Service Agreement" dialogue box will appear after successful user authentication. This dialogue box contains the links to the "Terms of Service" and "Privacy Policy" pages. SigningHub will ensure that you agree to them before letting you use your account.
The "Service Agreement" dialogue box will not appear after successful user authentication if no Service Agreement is marked active.
When using an on-premises installation of SigningHub and this is the only configured authentication for the end-users, then you won't need to click the "More Login Options" link to choose it. In that case, this authentication method will be invoked by default on the Login screen.
Users cannot log in to SigningHub if their account is disabled, marked as dormant, or temporarily locked due to multiple invalid login attempts.
Go to the SigningHub login screen.
Click the "SigningHub ID" option.
Specify your SigningHub ID that you registered at the time of subscription.
Click the "Next" button.
Specify your password, and click the "Login" button.
As a part of GDPR compliance, the "Service Agreement" dialogue box will appear after successful user authentication. This dialogue box contains the links to the "Terms of Service" and "Privacy Policy" pages. SigningHub will ensure that you agree to them before letting you use your account.
The "Service Agreement" dialogue box will not appear after successful user authentication if no Service Agreement is marked active.
In case of repeated attempts with invalid credentials, your account can be temporarily locked for security reasons. When an account is locked, the user can not log in with SigningHub ID through SigningHub Desktop Web, API, Mobile Web, Mobile App or Native Apps till the (displayed) locked duration is over.
If CSP Provisioning is allowed in your service plan, then you will be automatically registered in the CSP Service.
If Remote Authorised Signing (RAS) is allowed in your role, then you will be automatically registered in the SAM services.
Users cannot log in to SigningHub if their account is disabled, marked as dormant, or temporarily locked due to multiple invalid login attempts.
SigningHub offers a range of secure login and authentication methods to ensure a seamless and protected experience for all users. You can conveniently access your SigningHub account using your SigningHub ID or choose from various third-party authentication options that integrate seamlessly with your existing systems. These include popular platforms such as Microsoft Active Directory, Salesforce, Microsoft ADFS, Microsoft Office 365, LinkedIn, and Google.
To enhance security, SigningHub also supports two-factor authentication (2FA) through One-Time Passwords (OTP), ensuring that only authorized users can access sensitive information. For added flexibility, users can utilize SSL client certificates, as well as identity solutions like Freja Mobile, Freja eID, Bank ID, and itsme.
Organizations looking for advanced authentication methods can leverage options like Azure Active Directory, corporate logins, OpenID Connect (OIDC), OAuth2, and Azure SAML for a streamlined login experience. Selecting the authentication method that best fits your needs is crucial for maintaining security and ensuring ease of access to your SigningHub account. With these versatile options, you can choose the most suitable way to log in and manage your digital signing processes effectively.
Select the authentication option you wish to use.
The "Remember Me" functionality will retain the email address used to log in via SigningHub ID, as well as via third-party private authentication methods. However, this retention is applicable as long as the user manually enters the email address into the designated field.
If the ''Only display the logos of the authentication and signing profiles' checkbox is checked in SigingHub Admin and a logo has not been configured for an authentication profile in the connector, the system will pick and display a logo for the authentication profile from the SigningHub directory, on the login screen.
The authentication profiles with sort order 1 to 3, in SigningHub Admin, will be displayed on the login screen and the authentication profiles with the succeeding sort order will be displayed in the "More Login Options" dialog on the login screen.
The authentication profiles for which a sort order has been provided, in SigningHub Admin, will follow the defined sort order and the remaining authentication profiles will follow the default system sort order.
If the sort order has not been specified for any of the authentication profiles, the default system sort order will be followed.
As a part of GDPR compliance, the "Service Agreement" dialogue box will appear after successful user authentication. This dialogue box contains the links to the "Terms of Service" and "Privacy Policy" pages. SigningHub will ensure that you agree to them before letting you use your account.
The "Service Agreement" dialogue box will not appear after successful user authentication if no Service Agreement is marked active.
Following is the list of authentications that are SigningHub supports in its mobile web/native apps version, in addition to SigningHub desktop web. Rest of the authentications are supported in SigningHub desktop web only.
Password-based authentication (i.e. SigningHub)
One-Time Password as secondary authentication
Time-based One-Time Password as two-factor authentication
Microsoft Active Directory
Microsoft Office 365
Microsoft Azure Active Directory
OAuth2
OpenID Connect (OIDC)
In case your login session reaches the limit set by Admin for "Concurrent Sessions Limit>Global Configurations" then a dialogue box will appear with the message "Your account's login limit has been reached". Users also have the option to "Logout and Continue", this will log out a user from all the previous sessions and allow login into a new session.
The availability of Time based One Time Password, and One Time Password as a two-factor authentication method is subject to your subscribed service plan. In case you lose access to your mobile device and recovery codes, or have used all of the recovery codes, you can ask your enterprise admin to reset the two-factor authentication (2FA) against your account.
Once the enterprise administrator enforces a Time-based One-Time Password as a secondary authentication method on to a role, and a user under that role does not have two-factor authentication (2FA) configured at the time of login, they will be sent an email to set up and to provide a Time based One Time Password. If the user has already configured two-factor authentication (2FA) they will be prompted to provide the Time-based One Time Password from the authenticator app configured on their mobile device.
To configure the two-factor authentication (2FA) the user will need to install an authenticator app (Google Authenticator, Microsoft Authenticator, etc.) on their mobile device. The email sent to the user to configure two-factor authentication (2FA) will contain:
QR Code
Manual Key
Recovery Codes
To set up, the user can either scan the "QR Code" or manually input the "Manual Key" in the Authenticator app. Once the registration is successful, the user can provide the automatically generated Time-based One-Time Password from the Authenticator app to SigningHub in order to proceed. The list of recovery codes included in the configuration email can be used in place of a Time-based One-Time Password, once each recovery code is to regain access to your SigningHub account, in case you lose access to your mobile device. It is advised to save the recovery codes in a safe place. The user can, however, regenerate a new list of the recovery codes from the Manage Two Factor Authentication (2FA) option. In case an enterprise user loses access to your mobile device and recovery codes, or has used all of the recovery codes, you can ask your enterprise admin to reset the two-factor authentication (2FA) against your account.
SigningHub also allows you to use OTP via SMS as a secondary authentication method in conjunction with any of the pre-configured authentication methods above. This will make you feel more secure by going through two-factor authentication at the login time. The availability of OTP security features as two-factor authentication is subject to your subscribed service plan and login authentication settings. If you are willing to use this provision, please contact your Enterprise Admin to .
To see an end-to-end flow for OTP authentication at the time of login, .
Go to the SigningHub login screen.
Click the "More Login Options" link available at the bottom of the login screen. A dialogue box will appear listing all the supported authentication methods.
Click your pre-configured authentication method, i.e. SigningHub ID, Salesforce, etc.
Log in with your respective credentials. If the provided credentials are correct:
An OTP will be sent to your mobile device or email address.
A dialogue box will appear on the login screen to enter the received OTP
Once OTP is received enter it in the text field. In case OTP is not received, you may select the option to resend it. You can also choose another method for OTP by selecting 'Switch Method'
Enter the received OTP and click the "Login" button.
To successfully log in, you must provide your account credentials and the received OTP correctly.
The use of OTP as two-factor authentication is subject to your subscribed service plan and role settings. SigningHub currently supports 4, 6, and 9 digits OTP.
As a part of GDPR compliance, the "Service Agreement" dialogue box will appear after successful user authentication. This dialogue box contains the links to the "Terms of Service" and "Privacy Policy" pages. SigningHub will ensure that you agree to them before letting you use your account.
The "Service Agreement" dialogue box will not appear after successful user authentication if no Service Agreement is marked active.
The OTP method will be as per the configured OTP method in the document owner's service plan.
"(Email)", in case only "Email OTP" is configured in the service plan
"(SMS)", in case only "SMS OTP" is configured in the service plan
"(SMS and Email)", in case both "Email OTP" and "SMS OTP" are configured in the service plan
The OTP retry and expiry times are based on your subscribed service plan.
Users cannot log in to SigningHub if their account is disabled, marked as dormant, or temporarily locked due to multiple invalid login attempts.
SigningHub gives you an option to use your Microsoft Office 365 credentials to log into SigningHub. In this case, you don't even need to have a SigningHub ID, as your account will be used for SigningHub authentication. Currently, Office 365 uses Azure Active Directory (Azure AD) to manage identities and authentication. However, logging in through your Microsoft Office 365 credentials for the first time, will take you to the registration screen and display your Microsoft Office 365 ID (email address) for new registration. After registration, you can easily login through your Microsoft Office 365 credentials.
Go to the SigningHub login screen.
Click the "More Login Options" link available at the bottom of the login screen. A dialogue box will appear listing all the supported authentication methods.
Click the "Microsoft Office 365" option. The Microsoft Office 365 app will appear in a popup.
Specify your Microsoft Office 365 ID and password in the app.
Click the "Login" button. SigningHub permissions screen will appear.
Click the "Accept" option. You will be authenticated into SigningHub.
As a part of GDPR compliance, the "Service Agreement" dialogue box will appear after successful user authentication. This dialogue box contains the links to the "Terms of Service" and "Privacy Policy" pages. SigningHub will ensure that you agree to them before letting you use your account.
The "Service Agreement" dialogue box will not appear after successful user authentication if no Service Agreement is marked active.
When using an on-premises installation of SigningHub and this is the only configured authentication for the end-users, then you won't need to click the "More Login Options" link to choose it. In that case, this authentication method will be invoked by default on the Login screen.
Users cannot log in to SigningHub if their account is disabled, marked as dormant, or temporarily locked due to multiple invalid login attempts.
SigningHub gives you the option to pre-authorise users in your Microsoft Active Directory so that they may serve as your registered enterprise users. In this way, your enterprise users can use their Directory credentials (i.e. organizational domain user ID and password) for SigningHub authentication, and won't even need to create their SigningHub IDs.
Configure an Active Directory connector in SigningHub Admin.
Configure the connector in an authentication profile, in SigningHub Admin.
Configure auto provisioning in SigningHub Web.
Configure a security group for auto-provisioning.
Auto-provision users at the time of login.
Make the following configurations to a connector in SigningHub Admin:
In the "Basic Information" section, choose "Active Directory" as the "Provider".
In the "Details" section, fill in the required fields.
This domain user does not necessarily need to have administrator rights in Active Directory. Here are the important considerations about the user connecting with the Domain Controller:
Must exist in Active Directory, i.e. a valid Active Directory user.
Must be an active user of Active Directory, i.e. should not be set as disabled.
Must have the "Read" permissions on Active Directory to read the Security Groups and email addresses of all the users.
Make the following configurations to an authentication profile in SigningHub Admin:
Select the Active Directory Connector created earlier, in the highlighted field below:
If you want to allow access to specific authorised security groups in your Active Directory (i.e. Sales, Marketing, Accounts, etc.), enter the name of the security groups, with comma separation, in the "Allowed Groups" field to be used for provisioning in SigningHub.
If the "Allowed Groups" field is left blank, then all the domain users of a directory would be able to authenticate by using the authentication profile.
The "Fully Qualified Domain Name" field refers to the complete domain name that has been configured by your IT Administrator and consists of all the domain users, i.e. mysigninghub.com.
Make the following configurations in the "Users" tab in SigningHub Web:
In the "Auto Provision Users" section, check the "Automatically register the users" check box and select the "Authentication Profile", created earlier. Click the "Save" button.
All the users that belong to the selected authentication profile will be authorised through Active Directory upon login and will be automatically registered and activated in SigningHub under the default SigningHub role, provided that provisioning is not enabled by any other enterprise within the same on-premises deployment.
If multiple enterprises have been configured within an on-premises deployment, then the "Automatically register the users" check box should be ticked for only one enterprise.
Both public and private authentication profiles will be visible in the "Authentication Profile" drop-down for pre-authorising users.
SingingHub also allows you to give role-based access to SigningHub (i.e. Enterprise Admin, Enterprise Users, etc.) at the Security Group level.
Make the following configurations to a security group in SigningHub Web:
For the security group, add the name and role of the security group.
The added security group will be listed inside the Security Group grid. All the users that belong to the security group will be automatically registered and activated in SigningHub, upon login, under the specified role.
The names of the security groups are not validated against the security groups in the Active Directory, at this screen, so it is important that the correct security group name is added for successful pre-authorisation upon login.
In case specific authorised security groups in were allowed in the authentication profile, only the security groups will appear in the "Security Group" drop down.
From the "More Login Options" option, select Active Directory.
Provide your Active Directory credentials.
The following login preferences will be followed when logging into SigningHub Web via Active Directory:
SigningHub gives you an option to use your Google credentials to log into SigningHub. In this case, you don't even need to have a SigningHub ID, as your account will be used for SigningHub authentication. However, logging in through your Google account for the first time, will take you to the registration screen and display your Google ID (email address) for new registration. After registration, you can easily login through your Google account.
Go to the SigningHub login screen. Click the "More Login Options" link available at the bottom of the login screen. A dialogue box will appear listing all the supported authentication methods.
Click the "Google" option. The Google app will appear in a popup.
Specify your Google ID and password in the app.
Click the "Log into Google" button. SigningHub permissions screen will appear.
Click the "Allow" option. The system will let you log into SigningHub.
As a part of GDPR compliance, the "Service Agreement" dialogue box will appear after successful user authentication. This dialogue box contains the links to the "Terms of Service" and "Privacy Policy" pages. SigningHub will ensure that you agree to them before letting you use your account.
The "Service Agreement" dialogue box will not appear after successful user authentication if no Service Agreement is marked active.
When using an on-premises installation of SigningHub and this is the only configured authentication for the end-users, then you won't need to click the "More Login Options" link to choose it. In that case, this authentication method will be invoked by default on the Login screen.
Users cannot log in to SigningHub if their account is disabled, marked as dormant, or temporarily locked due to multiple invalid login attempts.
To see in detail, how to pre-authorise users in SigningHub, .
To see in detail, how to manage security groups in SigningHub, .
Logging in through your Active Directory credentials for the first time, will take you to the registration screen and display your Active Directory (email address) for new registration. After registration, you can easily log in through your Active Directory credentials. However, if the "Automatically register the users" check box is ticked from the "" screen, and an Active Directory has been selected as an Authentication Profile, then the registration screen will not be displayed, as the provisioned Active Directory users from there will be automatically registered and activated in SigningHub.
To see in detail, how to login through Active Directory in SigningHub, .
| Availability of Security Group in Active Directory | Availability of Security Group in SigningHub Web | System Behaviour |
|---|
Yes, the security group exists. | Yes, the mapping for the security group exists. |
|
Yes, the security group exists. | No, the mapping for the security group does not exist. |
|
No, the security group does not exist. | N/A |
|
SigningHub primarily depends on your registered enterprise user ID (email address) for your authentication. However, if you want to attach another unique ID with your account, SigningHub gives you an option to use your SSL certificate to log into SigningHub. For this, your SSL certificate needs to be registered in SigningHub through SigningHub API.
Go to the SigningHub login screen.
Click the "More Login Options" link available at the bottom of the login screen. A dialogue box will appear listing all the supported authentication methods.
Click the "SSL Client Authentication" option. A popup will appear to select your SSL certificate.
Select your certificate and click OK.
The SSL Client authentication is not available to Individual subscriptions.
​The availability of SSL Client authentication is subject to your enterprise service plan.
As a part of GDPR compliance, the "Service Agreement" dialogue box will appear after successful user authentication. This dialogue box contains the links to the "Terms of Service" and "Privacy Policy" pages. SigningHub will ensure that you agree to them before letting you use your account.
The "Service Agreement" dialogue box will not appear after successful user authentication if no Service Agreement is marked active.
When using an on-premises installation of SigningHub and this is the only configured authentication for the end-users, then you won't need to click the "More Login Options" link to choose it. In that case, this authentication method will be invoked by default on the Login screen.
Users cannot log in to SigningHub if their account is disabled, marked as dormant, or temporarily locked due to multiple invalid login attempts.
Verisec is an identity and access management platform, that provides a strong authentication solution to safeguard access to the system. SigningHub enables you to use the Freja eID app as an optional login and signing authentication method.
For this, you need to have a Freja eID account. Once you have registered with Freja eID:
Go to the SigningHub login screen.
Click the "More Login Options" link available at the bottom of the login screen. A dialogue box will appear listing all the supported authentication methods.
Click the "Freja eID" option.
Specify your user ID that is registered with Freja eID.
Click the "Next" button. An authentication request will be sent to your mobile device.
Run the "Freja eID" app on your mobile device.
Open the authentication request and approve it from there. You will be logged in to your SigningHub account.
As a part of GDPR compliance, the "Service Agreement" dialogue box will appear after successful user authentication. This dialogue box contains the links to the "Terms of Service" and "Privacy Policy" pages. SigningHub will ensure that you agree to them before letting you use your account.
The "Service Agreement" dialogue box will not appear after successful user authentication if no Service Agreement is marked active.
When using an on-premises installation of SigningHub and this is the only configured authentication for the end-users, then you won't need to click the "More Login Options" link to choose it. In that case, this authentication method will be invoked by default on the Login screen.
Users cannot log in to SigningHub if their account is disabled, marked as dormant, or temporarily locked due to multiple invalid login attempts.
SigningHub gives you an option to use your Microsoft Azure Active Directory credentials to log into SigningHub. In this case, you don't even need to have a SigningHub ID, as your Azure Active Directory account will be used for SigningHub authentication. However, logging in through your Azure Active Directory credentials for the first time, will take you to the registration screen and display your Azure Active Directory (email address) for new registration. After registration, you can easily log in through your Azure Active Directory credentials.
However, if the "Automatically register the users" is enabled from the "Auto Provision Users" screen, and an Azure Active Directory has been selected as an Authentication Profile, then the registration screen will not be displayed, as the provisioned Azure Active Directory users from there will be automatically registered and activated in SigningHub.
Go to the SigningHub login screen.
Click the "More Login Options" link available at the bottom of the login screen. A dialogue box will appear listing all the supported authentication methods.
Click the "Azure AD" option. The Microsoft Azure Active Directory app will appear in a popup.
Specify your Microsoft Azure Active Directory ID and password in the app.
Click the "Sign in" button. You will be authenticated into SigningHub.
In order to make your Azure Active Directory application running, you need to manually update a property on the Azure Portal under the application's manifest.
For this:
Click Manifest at the left pane describing your app.
Change the value of the oauth2AllowImplicitFlow property to True. If the property is not present, add it and set its value to true.
Click "Save" to save the modified manifest.
In order to make your Azure Active Directory application run, you need to manually update a property on the Azure Portal under the application's manifest.
For this:
Click Manifest at the left pane describing your app.
Change the value of the oauth2AllowImplicitFlow property to True. If the property is not present, add it and set its value to true.
Click "Save" to save the modified manifest.
As a part of GDPR compliance, the "Service Agreement" dialogue box will appear after successful user authentication. This dialogue box contains the links to the "Terms of Service" and "Privacy Policy" pages. SigningHub will ensure that you agree to them before letting you use your account.
The "Service Agreement" dialogue box will not appear after successful user authentication if no Service Agreement is marked active.
When using an on-premises installation of SigningHub and this is the only configured authentication for the end-users, then you won't need to click the "More Login Options" link to choose it. In that case, this authentication method will be invoked by default on the Login screen.
Users cannot log in to SigningHub if their account is disabled, marked as dormant, or temporarily locked due to multiple invalid login attempts.
SigningHub gives you an option to use your IDP credentials (OAuth2 supported protocol) to log into SigningHub. In this case, you don't even need to have a SigningHub ID, as your personal account will be used for SigningHub authentication. However, logging in through your personal credentials for the first time, will take you to the registration screen and display your personal (email address) for new registration. After registration, you can easily login through your personal credentials.
Go to the SigningHub login screen.
Click the "More Login Options" link available at the bottom of the login screen. A dialogue box will appear listing all the supported authentication methods.
Click the "OAuth2 Configured profile" option. The configured app will appear in a popup.
Specify your ID and password in the app.
Click the "Login" button. SigningHub permissions screen will appear.
Click the "Accept" option. You will be authenticated into SigningHub.
As a part of GDPR compliance, the "Service Agreement" dialogue box will appear after successful user authentication. This dialogue box contains the links to the "Terms of Service" and "Privacy Policy" pages. SigningHub will ensure that you agree to them before letting you use your account.
The "Service Agreement" dialogue box will not appear after successful user authentication if no Service Agreement is marked active.
When using an on-premises installation of SigningHub and this is the only configured authentication for the end-users, then you won't need to click the "More Login Options" link to choose it. In that case, this authentication method will be invoked by default on the Login screen.
Users cannot log in to SigningHub if their account is disabled, marked as dormant, or temporarily locked due to multiple invalid login attempts.
SigningHub gives you an option to pre-authorize users in your Azure Active Directory so that they may serve as your registered enterprise users. In this way, your enterprise users can use their Directory credentials (i.e. organizational domain user ID and password) for SigningHub authentication, and won't even need to create their SigningHub IDs.
Configure an Azure Active Directory connector in SigningHub Admin.
Configure the connector in an authentication profile, in SigningHub Admin.
Configure auto provisioning in SigningHub Web.
Configure a security group for auto-provisioning.
Auto-provision the users at login
Make the following configurations to a connector in SigningHub Admin:
In the "Basic Information" section, choose "Azure Active Directory" as the "Provider".
In the "Details" section, fill in the required fields.
In addition to "User.Read", an additional mandatory permission, "Directory.Read.All", will have to be configured for pre-authorization of users in Azure Active Directory.
Make the following configurations to an authentication profile in SigningHub Admin:
Select the Azure Active Directory Connector created earlier, in the highlighted field below:
If you want to allow access to specific authorised security groups in your Azure Active Directory (i.e. Sales, Marketing, Accounts, etc.), enter the name of the security groups, with comma separation, in the "Allowed Groups" field to be used for provisioning in SigningHub.
If the "Allowed Groups" field is left blank, then all the domain users of a directory would be able to authenticate by using the authentication profile.
To see in detail, how to pre-authorise users in SigningHub, click here.
Make the following configurations in the "Users" tab in SigningHub Web:
In the "Auto Provision Users" section, check the "Automatically register the users" check box and select the "Authentication Profile", created earlier. Click the "Save" button.
All the users that belong to the selected authentication profile will be authorised through Azure Active Directory upon login and will be automatically registered and activated in SigningHub under the default SigningHub role, provided that provisioning is not enabled by any other enterprise within the same on-premises deployment.
If multiple enterprises have been configured within an on-premises deployment, then the "Automatically register the users" check box should be ticked for only one enterprise.
Both public and private authentication profiles will be visible in the "Authentication Profile" drop-down for pre-authorising users.
SingingHub also allows you to give role-based access to SigningHub (i.e. Enterprise Admin, Enterprise Users, etc.) at the Security Group level.
Make the following configurations to a security group in SigningHub Web:
For the security group, add the name and role of the security group.
The added security group will be listed inside the Security Group grid. All the users that belong to the security group will be automatically registered and activated in SigningHub, upon login, under the specified role.
The names of the security groups are not validated against the security groups in the Azure Active Directory, at this screen, so the correct security group name must be added for successful pre-authorisation upon login.
In case specific authorised security groups in were allowed in the authentication profile, only the security groups will appear in the "Security Group" drop down.
Logging in through your Azure Active Directory credentials for the first time, will take you to the registration screen and display your Azure Active Directory (email address) for new registration. After registration, you can easily login through your Azure Active Directory credentials. However, if the "Automatically register the users" check box is ticked from the "Auto Provision Users" screen, and an Azure Active Directory has been selected as an Authentication Profile, then the registration screen will not be displayed, as the provisioned Azure Active Directory users from there will be automatically registered and activated in SigningHub.
From the "More Login Options" option, select Azure Active Directory.
Provide your Azure Active Directory credentials.
The following login preferences will be followed when logging into SigningHub Web via Azure Active Directory:
SigningHub gives you the option to authenticate yourself by using Microsoft Azure's SAML-based Single Sign-on credentials to log into SigningHub. In this case, you don't even need to have a SigningHub ID, as your account will be used for SigningHub authentication. However, logging in through your Azure Active Directory credentials for the first time, will take you to the registration screen and display your Azure Active Directory (email address) for new registration. After registration, you can easily login through your Azure Active Directory credentials.
To configure Azure with SAML and use it in SH below steps needs to be completed
Configure Microsoft Azure
Configure SigningHub
Sign in to the Azure portal using your Azure Active Directory administrator account.
Click on the "Active Directory do Azure".
Click on the "Enterprise Applications" on the right side.
In the app gallery, you can add an unlisted app by selecting the "Non-gallery Application" tile.
After entering a Name for your application, you can configure the single sign-on options and behaviour.
Once the app is successfully added, it will appear under "Enterprise Applications".
Select your added app from the list.
To start, click on Single sign-on from the application's left-hand navigation menu. The next screen presents the options for configuring single sign-on.
Select the option "SAML-based Sign-on" from the drop-down "Single Sign-on Mode" to configure SAML-based authentication for the application. This requires that the application support SAML 2.0. Complete the following sections to configure single sign-on between the application and Azure AD.
To set up Azure AD, enter the basic SAML configuration. You can manually enter the values or upload a metadata file to extract the values of the fields.
When a user authenticates to the application, Azure AD will issue a SAML token to the app that contains information (or claims) about the user that uniquely identifies them. By default, this includes the user's username, email address, first name, and last name.
When you create Non-Gallery application, Azure AD will create an application-specific certificate with an expiration date of 3 years from the date of creation. You need this certificate to set up the trust between Azure AD and the application.
Click on the "Save" button on top.
To ensure users can sign in to SigningHub after it has been configured to use Azure Active Directory. Users must be assigned access to SigningHub in Azure AD to sign in.
To configure the application for single sign-on, scroll to the end of the SAML-based sign-on configuration page, and then click on Configure SigningHub (Name of the app).
If you are unable to add a custom application, enable the feature by clicking the arrow next to "Get a free Premium trial to use this feature."
If "Single sign-on" is disabled for the logged-in user for the selected app, add the logged-in user as the owner of the added app.
For configuration at SigningHub go to the administrator URL such as "https://admin.signinghub.com/".
Create the connector by clicking on the add icon from Configurations>Connectors.
Select the provider "SAML Identity Provider" from the "Provider" drop-down.
Provide the necessary information such as Name, Login & Logout URL (mentioned in step 15), Binding Type (POST/Redirect define in connector), Signature algorithm (SHA1/SHA256 define in connector ), upload IDP certificate downloaded from azure mentioned in step 12 and click on Save button.
Export the SP metadata by clicking on the "Export SP Metadata" button, this metadata can be used in step 10.
Create the authentication profile by clicking on the add icon from Configurations>Authentication Profiles.
Provide the Name, method as "SAML Authentications", Connector that is created in step 19, select the logo and Save the information.
Publish the changes.
Access the web URL as "https://web.signinghub.com/".
Click the "More Login Options".
Click on the authentication profile that you have created above.
Provide the credentials and log in here
The signature algorithm will match the one set in Step 12 and will be used when signing the request. SHA256 is recommended when the binding type is set to "POST."
In order to make your Azure Active Directory application run, you need to manually update a property on the Azure Portal under the application's manifest. For this:
Click Manifest at the left pane describing your app.
Change the value of the oauth2AllowImplicitFlow property to True. If the property is not present, add it and set its value to true.
Click "Save" to save the modified manifest.
The Microsoft Azure Active Directory authentication method also supports the Single sign-on (SSO) facility. To configure this, go to the integration screen and select "Azure AD" in the "Default Authentication Method" drop-down (as explained in point 6).
As a part of GDPR compliance, the "Service Agreement" dialogue box will appear after successful user authentication. This dialogue box contains the links to the "Terms of Service" and "Privacy Policy" pages. SigningHub will ensure that you agree to them before letting you use your account.
The "Service Agreement" dialogue box will not appear after successful user authentication if no Service Agreement is marked active.
When using an on-premises installation of SigningHub and this is the only configured authentication for the end-users, then you won't need to click the "More Login Options" link to choose it. In that case, this authentication method will be invoked by default on the Login screen.
Users cannot log in to SigningHub if their account is disabled, marked as dormant, or temporarily locked due to multiple invalid login attempts
Corporate logins refer to the private authentication method that is set by your Enterprise Admin. In this way, the enterprise users of a certain enterprise can be authenticated by their enterprise-specific authentication method. Such methods are not usually listed under the "More Login Options" link on the login screen for public users.
There are two ways to enjoy the corporate login facility, they are:
When a private authentication profile is , you are provided with an , which contains your branded enterprise GUI for login. But this is not compulsory either, you can be asked to access a public URL for login. The authentication process will be:
Browse the URL as provided by your Enterprise Admin
Specify your registered ID in the login screen
SigningHub will read your ID and will trigger the configured (private) authentication method (i.e. SSL authentication, Microsoft Active Directory, Salesforce, Google, etc.) screen
Specify your account credentials to authenticate yourself
When a private authentication profile is , you are always provided with an , which contains your branded enterprise GUI for login. The authentication process will be:
Browse the Enterprise URL as provided by your Enterprise Admin
SigningHub will automatically trigger the configured (private) authentication method (i.e. SSL authentication, Microsoft Active Directory, Salesforce, Google, etc.) screen
Specify your account credentials to authenticate yourself
A private authentication profile is the one that is exclusively used for corporate logins and is not available to the end users (public) on their Login screen and Integration screen of SigningHub Desktop Web. The availability of private authentication profiles is subject to your subscribed service plan. If you cannot find this option in your account, .
The availability of the corporate logins feature is subject to your enterprise service plan.
As a part of GDPR compliance, the "Service Agreement" dialogue box will appear after successful user authentication. This dialogue box contains the links to the "Terms of Service" and "Privacy Policy" pages. SigningHub will ensure that you agree to them before letting you use your account.
The "Service Agreement" dialogue box will not appear after successful user authentication if no Service Agreement is marked active.
Users cannot log in to SigningHub if their account is disabled, marked as dormant, or temporarily locked due to multiple invalid login attempts.
| Availability of Security Group in Azure Active Directory | Availability of Security Group in SigningHub Web | System Behaviour |
|---|---|---|
Yes, the security group exists.
Yes, the mapping for the security group exists.
In case the user was already registered, the system will log in the user as per the assigned role.
In case the user was not already registered, the system will register, auto activate, and log in the user as per the assigned role.
Yes, the security group exists.
No, the mapping for the security group does not exist.
In case the user was already registered, the system will log in the user as per the default role.
In case the user was not already registered, the system will register, auto activate, and log in the user as per the default role.
No, the security group does not exist.
N/A
The system will throw an error and will not allow auto-provisioning.
SigningHub gives you an option to use your IDP credentials (OIDC supported protocol) to log into SigningHub. In this case, you don't even need to have a SigningHub ID, as your personal account will be used for SigningHub authentication.
However, logging in through your personal credentials for the first time, will take you to the registration screen and display your personal (email address) for new registration. After registration, you can easily login through your personal credentials.
Go to the SigningHub login screen.
Click the "More Login Options" link available at the bottom of the login screen. A dialogue box will appear listing all the supported authentication methods.
Click the "OIDC Configured profile" option. The configured app will appear in a popup.
Specify your ID and password in the app.
Click the "Login" button. SigningHub permissions screen will appear.
Click the "Accept" option. You will be authenticated into SigningHub.
When syncing a user's National Identity (NID) and email from OpenID Connect (OIDC) with SigningHub, actions vary based on whether the user already exists in the SigningHub system:
If both email and NID are received from OIDC and the user exists in SigningHub: The user will log in, and the NID in the [User] table will be updated with the new NID from OIDC. If the user does not yet exist, they will be registered in the system, and their NID will be added to the [User] table.
If only the email is received from OIDC and the user exists in SigningHub: The user will simply log in. If the user does not exist, they will be registered.
If only the NID is received from OIDC and the user exists in SigningHub: SigningHub will search for a user with the received NID. If found, the user will log in, and their NID in the [User] table will be updated. If the user does not already exist in SigningHub, an error will be shown, as the user must already be present in the UserIdentity or [User] table for NID-only syncs.
If neither email nor NID is received from OIDC: An error will be returned in both cases, as the user must already be present in the UserIdentity or [User] table to proceed with syncing.
As a part of GDPR compliance, the "Service Agreement" dialogue box will appear after successful user authentication. This dialogue box contains the links to the "Terms of Service" and "Privacy Policy" pages. SigningHub will ensure that you agree to them before letting you use your account.
The "Service Agreement" dialogue box will not appear after successful user authentication if no Service Agreement is marked active.
When using an on-premises installation of SigningHub and this is the only configured authentication for the end-users, then you won't need to click the "More Login Options" link to choose it. In that case, this authentication method will be invoked by default on the Login screen.
Users cannot log in to SigningHub if their account is disabled, marked as dormant, or temporarily locked due to multiple invalid login attempts.
