1 of 2

Pre-authorize users

When using an on-premises installation, SigningHub gives you an option to pre-authorise users in your Directory so that they may serve as your registered enterprise users. In this way, your enterprise users can use their Directory credentials (i.e. organisational domain user ID and password) for SigningHub authentication, and won't even need to create their SigningHub IDs.

SCIM provisioning

SigningHub supports SCIM-based auto-provisioning to streamline and automate user management through an external identity provider. With this feature, user accounts in SigningHub are automatically created, updated, disabled, deleted, or re-enabled based on changes made in the connected identity provider. This ensures that user information, such as job titles or contact details, remains consistent and up to date without requiring manual input. Currently, SigningHub supports SCIM-based automatic user provisioning exclusively through Azure Active Directory (AAD).

Follow the steps below to enable SCIM provisioning:

Log in with your enterprise admin credentials.
Click "Configurations" from the left menu and click "Users" under "People" options in the "Enterprise Configurations" section.
Tick the "Enable SCIM provisioning" check box.
Click the "Save" button.

The user role assigned in the identity provider must also exist in SigningHub; otherwise, the user will not be registered.
If no role is specified in the identity provider, the user will be added under the default role configured in the SigningHub web application.

Pre-authorise your users

Log in with your enterprise admin credentials.
Click "Configurations" from the left menu and click "Users" under "People" options in the "Enterprise Configurations" section.
Tick the "Automatically register the users" check box.
The "Authentication Profile" field will appear, listing all the Active Directory Authentication Profiles and the Azure Active Directory Authentication Profiles configured in the SigningHub Admin console. Select the required authentication profile from the list.

All the users that belong to the selected authentication profile will be authorised through Azure Active Directory upon Login, and will be automatically registered and activated in SigningHub under the default SigningHub role, provided that provisioning is not enabled by any other enterprise within the same on-premises deployment.

This implies, if multiple enterprises have been configured within an on-premises deployment, then the "Automatically register the users" check box should be ticked for only one enterprise.

You can also give the role-based access to SigningHub (i.e., Enterprise Admin, Enterprise Users, etc.) at the Security Group level. SigningHub allows you to manage (Add, Edit, and Delete) the Security Groups from the same screen.

Assign a custom role to a Security Group

Log in with your enterprise admin credentials.
Click "Configurations" from the left menu and click "Users" under "People" options in the "Enterprise Configurations" section.
Click "Add a security group".
Specify a Group name.

The added security group will be listed inside the Security Group grid. All the users that belong to the security group will be automatically registered and activated in SigningHub under the specified role.

Edit the assigned role of an Active Directory security group

Select the security group whose role is required to edit.
Click "Edit" in the right panel.
Select the role as required and click "Save changes".

Delete the assigned role and Active Directory security group association

Select the security group required to be deleted.
Click "Delete" from the right panel.
Click "Delete" in the confirmation dialogue.

When using Active Directory authentication for SigningHub Desktop Web, the users to be authenticated should be part of the same domain where SigningHub has been deployed, e.g. if the users belong to the "Ascertia" domain, then SigningHub should also be deployed on the "Ascertia" domain.
If the "Restrict user from editing fields" option is enabled in the user's role and the user is auto provisioned through Microsoft Active Directory, any mismatch between their job title and or company in Microsoft Active Directory and SigningHub's Personal Configurations will result in the values from Microsoft Active Directory being mapped onto SigningHub, except when the values in Microsoft Active Directory are empty or null.

SCIM provisioning

Introduction

SigningHub now supports user provisioning through the System for Cross-domain Identity Management (SCIM) protocol. This industry-standard integration enables seamless, automated management of user identities between identity providers and SigningHub. With SCIM, administrators can create, update, enable, disable and delete user accounts directly from their identity management system, removing the need for manual user administration. This improves operational efficiency, enhances data consistency, and strengthens access security across connected platforms.

This use case outlines the complete configuration required to enable SCIM-based provisioning. It walks through all the key steps—from generating the SCIM endpoint and secret token to configuring the connection between the identity provider and the service, and managing user assignments. Currently, SCIM provisioning in SigningHub is supported exclusively through Azure Active Directory (Azure AD).

How it works?

Enable SCIM provisioning in SigningHub Web to activate automatic user syncing.
Configure the token expiry time in SigningHub Admin to define how long the SCIM token stays valid.
Authenticate using the API to obtain a SCIM-specific token.
Create an SCIM App in Azure Active Directory to initiate provisioning.

Enable SCIM Provisioning

Enable SCIM provisioning in SigningHub Web to ensure that users assigned to the SCIM app in Azure AD are automatically created in the enterprise with mapped roles.

Follow the steps below to enable SCIM provisioning:

Log in to the SigningHub Web portal with your enterprise admin credentials.
Click "Configurations" from the left menu and click "Users" under "People" options in the "Enterprise Configurations" section.
Tick the "Enable SCIM provisioning" check box.

Configure Token Expiry Time

To define how long the SCIM token remains valid, you can set the expiry duration from the SigningHub Admin. This ensures secure communication between SigningHub and external identity providers.

Follow the steps below to configure SCIM token expiry time:

Log in to the SigningHub Admin portal.
From the left-hand menu, click Configurations.
Click on Global Settings.
In the top-right dropdown, select Session and Links Expiry Time.

'Authenticate' API

Follow the steps below to generate a SCIM-specific token using the 'Authenticate' API.

Generate an authentication token using the Client ID and Secret from your Enterprise Integration.
While making this request, include the custom header X-SCIM: true to specify that the token is intended for SCIM operations. If the request is successful, a SCIM-restricted token will be returned. This token is securely bound to the associated enterprise and is valid only for accessing SCIM endpoints through Azure AD.
Save the SCIM token (received in response), it will be used in Azure AD to authenticate and test the connection to the SCIM endpoint.

Create an SCIM App in Azure Active Directory

Access the Azure AD portal and create an application using the following steps:

Sign in to the Azure portal using your Azure Active Directory administrator account, and click on 'Enterprise applications'.
Click on the "New application" button.
Click on the "Create your own application" button.

Create an App Role for the SCIM App

Define custom roles for your application using the following steps:

Select the 'App registration' option from the left panel.
Choose the created application for which you want to define the app role.
Click on 'App roles', and then the 'Create app role' button.
Specify the 'Display name', 'Allowed member types' and the 'Value' for the app role.

Test Connection with SCIM Client

After creating the SCIM app, follow the steps below to establish a connection with the SigningHub API:

In the application’s navigation pane (left side), click on Provisioning:
Enter the 'Tenant URL' (SCIM endpoint) and the 'secret token'.
- The format for the 'Tenant URL' shall be

Configure Provisioning Settings and Access Mappings

Navigate to the 'Provisioning' section, and click on 'Mappings':

Set the 'Provisioning Mode' to Automatic.
Turn the 'Provisioning Status' to On.
Click on Provision Microsoft Entra ID Users to configure attribute mappings.

This section would be unlocked after successfully setting up the connection with the SCIM Client app.

Assign Users and Roles to the SCIM Application

To ensure users are eligible for provisioning and are mapped correctly to enterprise roles, follow these steps:

In the left-hand menu, click on Users and groups.
Click on Add user/group.
In the Users section, select the user(s) you want to assign to the application.
In the Select a role section, choose a role created under the app (e.g., SigningHub_Admin, User, etc.).

Only assigned users are eligible for SCIM provisioning.
Roles must match the enterprise role names in SigningHub for automatic mapping.
If no role is assigned, the system will apply the DefaultEnterprise

Set Source Scope for Provisioning

To define which users are eligible for SCIM provisioning, follow the steps below:

Navigate to Provisioning, then click on Provision Microsoft Entra ID Users, depending on your configuration.
Under Source Object Scope, set the value to All records. (This ensures that all assigned users are considered for provisioning.)
Optionally, apply a filter to include or exclude specific users from being provisioned.

SCIM User Attribute Mapping

User attribute mapping is a critical part of configuring SCIM provisioning. SigningHub requires a specific set of attributes to be mapped correctly from Azure AD.

Delete all default attributes before proceeding. Manually add only the attributes listed below.

Navigate to Provisioning, then click Provision Microsoft Entra ID Users to open the Attribute Mapping screen.
Delete all default mappings shown in the list.
Manually add the following attributes one by one:

Email is the primary identifier in SigningHub and is required for all user-related operations.
1. It must be mapped to the Azure AD mail attribute.
2. Set Matching Precedence to 1 to ensure it's treated as the unique key.

Trigger On-Demand Provisioning

Azure AD auto-provisioning runs every 40 minutes, which can delay testing or first-time setup. To speed up validation, use on-demand provisioning to manually trigger user or sync.

Follow the steps below to trigger on-demand provisioning:

Navigate to Provisioning, then click Provision Microsoft Entra ID Users.
Scroll down and click Provision on demand.
Search for a user and click Provision.

Use this method during initial setup to validate attribute mappings and API connectivity.
If provisioning fails, it may indicate:
- Invalid or expired token,

SCIM Provisioning Behaviour

The following table outlines how user account actions in Azure AD are automatically reflected in SigningHub through SCIM provisioning.

When auto-provisioning is enabled, all users assigned to the SCIM app in Azure AD will sync with the enterprise.
New users not yet registered will be created under the mapped enterprise role. If the role assigned in the identity provider:
- does not exist in SigningHub, the user will not be registered.

Pre-authorize users

SCIM provisioning

Follow the steps below to enable SCIM provisioning:

Log in with your enterprise admin credentials.
Click "Configurations" from the left menu and click "Users" under "People" options in the "Enterprise Configurations" section.
Tick the "Enable SCIM provisioning" check box.
Click the "Save" button.

The user role assigned in the identity provider must also exist in SigningHub; otherwise, the user will not be registered.
If no role is specified in the identity provider, the user will be added under the default role configured in the SigningHub web application.

Pre-authorise your users

Log in with your enterprise admin credentials.
Click "Configurations" from the left menu and click "Users" under "People" options in the "Enterprise Configurations" section.
Tick the "Automatically register the users" check box.
The "Authentication Profile" field will appear, listing all the Active Directory Authentication Profiles and the Azure Active Directory Authentication Profiles configured in the SigningHub Admin console. Select the required authentication profile from the list.

This implies, if multiple enterprises have been configured within an on-premises deployment, then the "Automatically register the users" check box should be ticked for only one enterprise.

Assign a custom role to a Security Group

Log in with your enterprise admin credentials.
Click "Configurations" from the left menu and click "Users" under "People" options in the "Enterprise Configurations" section.
Click "Add a security group".
Specify a Group name.

Edit the assigned role of an Active Directory security group

Select the security group whose role is required to edit.
Click "Edit" in the right panel.
Select the role as required and click "Save changes".

Delete the assigned role and Active Directory security group association

Select the security group required to be deleted.
Click "Delete" from the right panel.
Click "Delete" in the confirmation dialogue.

When using Active Directory authentication for SigningHub Desktop Web, the users to be authenticated should be part of the same domain where SigningHub has been deployed, e.g. if the users belong to the "Ascertia" domain, then SigningHub should also be deployed on the "Ascertia" domain.
If the "Restrict user from editing fields" option is enabled in the user's role and the user is auto provisioned through Microsoft Active Directory, any mismatch between their job title and or company in Microsoft Active Directory and SigningHub's Personal Configurations will result in the values from Microsoft Active Directory being mapped onto SigningHub, except when the values in Microsoft Active Directory are empty or null.

SCIM provisioning

Introduction

How it works?

Enable SCIM provisioning in SigningHub Web to activate automatic user syncing.
Configure the token expiry time in SigningHub Admin to define how long the SCIM token stays valid.
Authenticate using the API to obtain a SCIM-specific token.
Create an SCIM App in Azure Active Directory to initiate provisioning.

Enable SCIM Provisioning

Enable SCIM provisioning in SigningHub Web to ensure that users assigned to the SCIM app in Azure AD are automatically created in the enterprise with mapped roles.

Follow the steps below to enable SCIM provisioning:

Log in to the SigningHub Web portal with your enterprise admin credentials.
Click "Configurations" from the left menu and click "Users" under "People" options in the "Enterprise Configurations" section.
Tick the "Enable SCIM provisioning" check box.

Configure Token Expiry Time

To define how long the SCIM token remains valid, you can set the expiry duration from the SigningHub Admin. This ensures secure communication between SigningHub and external identity providers.

Follow the steps below to configure SCIM token expiry time:

Log in to the SigningHub Admin portal.
From the left-hand menu, click Configurations.
Click on Global Settings.
In the top-right dropdown, select Session and Links Expiry Time.

'Authenticate' API

Follow the steps below to generate a SCIM-specific token using the 'Authenticate' API.

Generate an authentication token using the Client ID and Secret from your Enterprise Integration.
While making this request, include the custom header X-SCIM: true to specify that the token is intended for SCIM operations. If the request is successful, a SCIM-restricted token will be returned. This token is securely bound to the associated enterprise and is valid only for accessing SCIM endpoints through Azure AD.
Save the SCIM token (received in response), it will be used in Azure AD to authenticate and test the connection to the SCIM endpoint.

Create an SCIM App in Azure Active Directory

Access the Azure AD portal and create an application using the following steps:

Sign in to the Azure portal using your Azure Active Directory administrator account, and click on 'Enterprise applications'.
Click on the "New application" button.
Click on the "Create your own application" button.

Create an App Role for the SCIM App

Define custom roles for your application using the following steps:

Select the 'App registration' option from the left panel.
Choose the created application for which you want to define the app role.
Click on 'App roles', and then the 'Create app role' button.
Specify the 'Display name', 'Allowed member types' and the 'Value' for the app role.

Test Connection with SCIM Client

After creating the SCIM app, follow the steps below to establish a connection with the SigningHub API:

In the application’s navigation pane (left side), click on Provisioning:
Enter the 'Tenant URL' (SCIM endpoint) and the 'secret token'.
- The format for the 'Tenant URL' shall be

Configure Provisioning Settings and Access Mappings

Navigate to the 'Provisioning' section, and click on 'Mappings':

Set the 'Provisioning Mode' to Automatic.
Turn the 'Provisioning Status' to On.
Click on Provision Microsoft Entra ID Users to configure attribute mappings.

This section would be unlocked after successfully setting up the connection with the SCIM Client app.

Assign Users and Roles to the SCIM Application

To ensure users are eligible for provisioning and are mapped correctly to enterprise roles, follow these steps:

In the left-hand menu, click on Users and groups.
Click on Add user/group.
In the Users section, select the user(s) you want to assign to the application.
In the Select a role section, choose a role created under the app (e.g., SigningHub_Admin, User, etc.).

Only assigned users are eligible for SCIM provisioning.
Roles must match the enterprise role names in SigningHub for automatic mapping.
If no role is assigned, the system will apply the DefaultEnterprise

Set Source Scope for Provisioning

To define which users are eligible for SCIM provisioning, follow the steps below:

Navigate to Provisioning, then click on Provision Microsoft Entra ID Users, depending on your configuration.
Under Source Object Scope, set the value to All records. (This ensures that all assigned users are considered for provisioning.)
Optionally, apply a filter to include or exclude specific users from being provisioned.

SCIM User Attribute Mapping

User attribute mapping is a critical part of configuring SCIM provisioning. SigningHub requires a specific set of attributes to be mapped correctly from Azure AD.

Delete all default attributes before proceeding. Manually add only the attributes listed below.

Navigate to Provisioning, then click Provision Microsoft Entra ID Users to open the Attribute Mapping screen.
Delete all default mappings shown in the list.
Manually add the following attributes one by one:

Email is the primary identifier in SigningHub and is required for all user-related operations.
1. It must be mapped to the Azure AD mail attribute.
2. Set Matching Precedence to 1 to ensure it's treated as the unique key.

Trigger On-Demand Provisioning

Azure AD auto-provisioning runs every 40 minutes, which can delay testing or first-time setup. To speed up validation, use on-demand provisioning to manually trigger user or sync.

Follow the steps below to trigger on-demand provisioning:

Navigate to Provisioning, then click Provision Microsoft Entra ID Users.
Scroll down and click Provision on demand.
Search for a user and click Provision.

Use this method during initial setup to validate attribute mappings and API connectivity.
If provisioning fails, it may indicate:
- Invalid or expired token,

SCIM Provisioning Behaviour

The following table outlines how user account actions in Azure AD are automatically reflected in SigningHub through SCIM provisioning.

When auto-provisioning is enabled, all users assigned to the SCIM app in Azure AD will sync with the enterprise.
New users not yet registered will be created under the mapped enterprise role. If the role assigned in the identity provider:
- does not exist in SigningHub, the user will not be registered.