1 of 2

Pre-authorize users

When using an on-premises installation, SigningHub gives you an option to pre-authorise users in your Directory so that they may serve as your registered enterprise users. In this way, your enterprise users can use their Directory credentials (i.e. organisational domain user ID and password) for SigningHub authentication, and won't even need to create their SigningHub IDs.

SCIM provisioning

SigningHub supports SCIM-based auto-provisioning to streamline and automate user management through an external identity provider. With this feature, user accounts in SigningHub are automatically created, updated, disabled, deleted, or re-enabled based on changes made in the connected identity provider. This ensures that user information, such as job titles or contact details, remains consistent and up to date without requiring manual input. Currently, SigningHub supports SCIM-based automatic user provisioning exclusively through Azure Active Directory (AAD).

Follow the steps below to enable SCIM provisioning:

Log in with your enterprise admin credentials.
Click "Configurations" from the left menu and click "Users" under "People" options in the "Enterprise Configurations" section.
Tick the "Enable SCIM provisioning" check box.
Click the "Save" button.

The user role assigned in the identity provider must also exist in SigningHub; otherwise, the user will not be registered.
If no role is specified in the identity provider, the user will be added under the default role configured in the SigningHub web application.

Pre-authorise your users

Log in with your enterprise admin credentials.
Click "Configurations" from the left menu and click "Users" under "People" options in the "Enterprise Configurations" section.
Tick the "Automatically register the users" check box.
The "Authentication Profile" field will appear, listing all the Active Directory Authentication Profiles and the Azure Active Directory Authentication Profiles configured in the SigningHub Admin console. Select the required authentication profile from the list.
Click the "Save" button.

All the users that belong to the selected authentication profile will be authorised through Azure Active Directory upon Login, and will be automatically registered and activated in SigningHub under the default SigningHub role, provided that provisioning is not enabled by any other enterprise within the same on-premises deployment.

This implies, if multiple enterprises have been configured within an on-premises deployment, then the "Automatically register the users" check box should be ticked for only one enterprise.

You can also give the role-based access to SigningHub (i.e., Enterprise Admin, Enterprise Users, etc.) at the Security Group level. SigningHub allows you to manage (Add, Edit, and Delete) the Security Groups from the same screen.

Assign a custom role to a Security Group

Log in with your enterprise admin credentials.
Click "Configurations" from the left menu and click "Users" under "People" options in the "Enterprise Configurations" section.
Click "Add a security group".
Specify a Group name.
Now, select a role to assign to this security group and click the "Submit" button. The default role is shown as automatically chosen for the security group; change it as required.

The added security group will be listed inside the Security Group grid. All the users that belong to the security group will be automatically registered and activated in SigningHub under the specified role.

Edit the assigned role of an Active Directory security group

Select the security group whose role is required to edit.
Click "Edit" in the right panel.
Select the role as required and click "Save changes".

Delete the assigned role and Active Directory security group association

Select the security group required to be deleted.
Click "Delete" from the right panel.
Click "Delete" in the confirmation dialogue.

When using Active Directory authentication for SigningHub Desktop Web, the users to be authenticated should be part of the same domain where SigningHub has been deployed, e.g. if the users belong to the "Ascertia" domain, then SigningHub should also be deployed on the "Ascertia" domain.

SCIM provisioning

Introduction

SigningHub now supports user provisioning through the System for Cross-domain Identity Management (SCIM) protocol. This industry-standard integration enables seamless, automated management of user identities between identity providers and SigningHub. With SCIM, administrators can create, update, enable, disable and delete user accounts directly from their identity management system, removing the need for manual user administration. This improves operational efficiency, enhances data consistency, and strengthens access security across connected platforms.

This use case outlines the complete configuration required to enable SCIM-based provisioning. It walks through all the key steps—from generating the SCIM endpoint and secret token to configuring the connection between the identity provider and the service, and managing user assignments. Currently, SCIM provisioning in SigningHub is supported exclusively through Azure Active Directory (Azure AD).

How it works?

Enable SCIM provisioning in SigningHub Web to activate automatic user syncing.
Configure the token expiry time in SigningHub Admin to define how long the SCIM token stays valid.
Authenticate using the API to obtain a SCIM-specific token.
Create an SCIM App in Azure Active Directory to initiate provisioning.
Create an App Role to manage role-based user assignments.
Test the connection between Azure AD and the SCIM client.
Configure provisioning settings and access mappings for the SCIM app.
Assign users and roles to the SCIM application in Azure AD.
Set the source scope to define which users are provisioned.
Map user attributes from Azure AD to the required SCIM fields.
Trigger on-demand provisioning to validate the configuration or sync instantly.

Enable SCIM Provisioning

Enable SCIM provisioning in SigningHub Web to ensure that users assigned to the SCIM app in Azure AD are automatically created in the enterprise with mapped roles.

Follow the steps below to enable SCIM provisioning:

Log in to the SigningHub Web portal with your enterprise admin credentials.
Click "Configurations" from the left menu and click "Users" under "People" options in the "Enterprise Configurations" section.
Tick the "Enable SCIM provisioning" check box.

Configure Token Expiry Time

To define how long the SCIM token remains valid, you can set the expiry duration from the SigningHub Admin. This ensures secure communication between SigningHub and external identity providers.

Follow the steps below to configure SCIM token expiry time:

Log in to the SigningHub Admin portal.
From the left-hand menu, click Configurations.
Click on Global Settings.
In the top-right dropdown, select Session and Links Expiry Time.
Locate the field for 'SCIM Token Expiry Time' and specify the number of days (i.e. 7) after which the SCIM token should expire.
Click on the 'Save' button to apply the new expiry duration.

'Authenticate' API

Follow the steps below to generate a SCIM-specific token using the 'Authenticate' API.

Generate an authentication token using the Client ID and Secret from your Enterprise Integration.
While making this request, include the custom header X-SCIM: true to specify that the token is intended for SCIM operations. If the request is successful, a SCIM-restricted token will be returned. This token is securely bound to the associated enterprise and is valid only for accessing SCIM endpoints through Azure AD.
Save the SCIM token (received in response), it will be used in Azure AD to authenticate and test the connection to the SCIM endpoint.

Create an SCIM App in Azure Active Directory

Access the Azure AD portal and create an application using the following steps:

Sign in to the Azure portal using your Azure Active Directory administrator account, and click on 'Enterprise applications'.
Click on the "New application" button.
Click on the "Create your own application" button.
Enter the name for the app, select an option for your app via the radio button, and click on the "Create" button.

Create an App Role for the SCIM App

Define custom roles for your application using the following steps:

Select the 'App registration' option from the left panel.
Choose the created application for which you want to define the app role.
Click on 'App roles', and then the 'Create app role' button.
Specify the 'Display name', 'Allowed member types' and the 'Value' for the app role.

Test Connection with SCIM Client

After creating the SCIM app, follow the steps below to establish a connection with the SigningHub API:

In the application’s navigation pane (left side), click on Provisioning:
Enter the 'Tenant URL' (SCIM endpoint) and the 'secret token'.
- The format for the 'Tenant URL' shall be https://yourdomain.com/api/scim/v2.
- The 'Secret Token' is the SCIM-specific bearer token, generated earlier.
Click the Test Connection button.

Configure Provisioning Settings and Access Mappings

Navigate to the 'Provisioning' section, and click on 'Mappings':

Set the 'Provisioning Mode' to Automatic.
Turn the 'Provisioning Status' to On.
Click on Provision Microsoft Entra ID Users to configure attribute mappings.

This section would be unlocked after successfully setting up the connection with the SCIM Client app.

Assign Users and Roles to the SCIM Application

To ensure users are eligible for provisioning and are mapped correctly to enterprise roles, follow these steps:

In the left-hand menu, click on Users and groups.
Click on Add user/group.
In the Users section, select the user(s) you want to assign to the application.
In the Select a role section, choose a role created under the app (e.g., SigningHub_Admin, User, etc.).
Click Assign to complete the user-role mapping.

Only assigned users are eligible for SCIM provisioning.
Roles must match the enterprise role names in SigningHub for automatic mapping.
If no role is assigned, the system will apply the DefaultEnterprise role by default.
Once mapped, no further role configuration is needed in SigningHub.

Set Source Scope for Provisioning

To define which users are eligible for SCIM provisioning, follow the steps below:

Navigate to Provisioning, then click on Provision Microsoft Entra ID Users, depending on your configuration.
Under Source Object Scope, set the value to All records. (This ensures that all assigned users are considered for provisioning.)
Optionally, apply a filter to include or exclude specific users from being provisioned.

SCIM User Attribute Mapping

User attribute mapping is a critical part of configuring SCIM provisioning. SigningHub requires a specific set of attributes to be mapped correctly from Azure AD.

Delete all default attributes before proceeding. Manually add only the attributes listed below.

Navigate to Provisioning, then click Provision Microsoft Entra ID Users to open the Attribute Mapping screen.
Delete all default mappings shown in the list.
Manually add the following attributes one by one:

SCIM Attribute (SigningHub)

Azure AD Attribute

Mandatory?

email[type eq "work"].value

mail

Yes

active

accountEnabled

title

jobTitle

userName

displayName

Yes

name.givenName

givenName

name.familyName

surname

phoneNumber[type eq "work"].value

mobile

roles[primary eq "True"].value

Custom expression

urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:organization

companyName

Email is the primary identifier in SigningHub and is required for all user-related operations.
1. It must be mapped to the Azure AD mail attribute.
2. Set Matching Precedence to 1 to ensure it's treated as the unique key.
3. If email is not correctly mapped, provisioning will fail.
The target attribute names can be customised but must align with the schema expected by the SCIM client (SigningHub).
Role mapping requires a custom attribute expression.
1. For roles[primary eq "True"].value, use a custom expression to map Azure AD app role assignments to the enterprise role in SigningHub.
2. This allows the correct role to be assigned automatically during provisioning.
All mandatory attributes (marked "Yes" in the table) must be configured. If any required attribute is missing or misconfigured, provisioning will not work.
Attribute formats must exactly match what the SigningHub SCIM client expects. This applies especially to structured attributes like email, phone number, and roles (e.g.,email[type eq "work"].value).
You may choose optional attributes like job title or mobile number based on your organisation’s needs, but they are not required for successful provisioning.

Trigger On-Demand Provisioning

Azure AD auto-provisioning runs every 40 minutes, which can delay testing or first-time setup. To speed up validation, use on-demand provisioning to manually trigger user or sync.

Follow the steps below to trigger on-demand provisioning:

Navigate to Provisioning, then click Provision Microsoft Entra ID Users.
Scroll down and click Provision on demand.
Search for a user and click Provision.

Use this method during initial setup to validate attribute mappings and API connectivity.
If provisioning fails, it may indicate:
- Invalid or expired token,
- SCIM endpoint is unreachable,
- Attribute mismatch.
If auto-provisioning stops due to such errors, manual intervention may be needed to restore it.

SCIM Provisioning Behaviour

The following table outlines how user account actions in Azure AD are automatically reflected in SigningHub through SCIM provisioning.

Azure AD Action

SigningHub Response

Description

New user added

User account is automatically created

A new SigningHub user is created based on the SCIM mapping.

User details updated

User details are automatically updated

Updates to fields like job title, company name, mobile number, or role are synced.

User account disabled

User account is automatically disabled

The user becomes disabled in SigningHub.

User account deleted

User account is automatically deleted

The corresponding SigningHub user is permanently removed.

Disabled user re-enabled

User account is automatically re-enabled

The previously disabled SigningHub user account is enabled.

When auto-provisioning is enabled, all users assigned to the SCIM app in Azure AD will sync with the enterprise.
New users not yet registered will be created under the mapped enterprise role. If the role assigned in the identity provider:
- does not exist in SigningHub, the user will not be registered.
- is missing, the user will be added under the default enterprise role configured in the SigningHub web application.
Users manually created in SigningHub (outside SCIM) are not deleted automatically. These users will only be eligible for SCIM provisioning after they are added to Azure AD, assigned a valid role, and provisioned (either manually or automatically).

SCIM provisioning

Introduction

How it works?

Enable SCIM provisioning in SigningHub Web to activate automatic user syncing.
Configure the token expiry time in SigningHub Admin to define how long the SCIM token stays valid.
Authenticate using the API to obtain a SCIM-specific token.
Create an SCIM App in Azure Active Directory to initiate provisioning.
Create an App Role to manage role-based user assignments.
Test the connection between Azure AD and the SCIM client.
Configure provisioning settings and access mappings for the SCIM app.
Assign users and roles to the SCIM application in Azure AD.
Set the source scope to define which users are provisioned.
Map user attributes from Azure AD to the required SCIM fields.
Trigger on-demand provisioning to validate the configuration or sync instantly.

Enable SCIM Provisioning

Enable SCIM provisioning in SigningHub Web to ensure that users assigned to the SCIM app in Azure AD are automatically created in the enterprise with mapped roles.

Follow the steps below to enable SCIM provisioning:

Log in to the SigningHub Web portal with your enterprise admin credentials.
Click "Configurations" from the left menu and click "Users" under "People" options in the "Enterprise Configurations" section.
Tick the "Enable SCIM provisioning" check box.

Configure Token Expiry Time

To define how long the SCIM token remains valid, you can set the expiry duration from the SigningHub Admin. This ensures secure communication between SigningHub and external identity providers.

Follow the steps below to configure SCIM token expiry time:

Log in to the SigningHub Admin portal.
From the left-hand menu, click Configurations.
Click on Global Settings.
In the top-right dropdown, select Session and Links Expiry Time.
Locate the field for 'SCIM Token Expiry Time' and specify the number of days (i.e. 7) after which the SCIM token should expire.
Click on the 'Save' button to apply the new expiry duration.

'Authenticate' API

Follow the steps below to generate a SCIM-specific token using the 'Authenticate' API.

Generate an authentication token using the Client ID and Secret from your Enterprise Integration.
While making this request, include the custom header X-SCIM: true to specify that the token is intended for SCIM operations. If the request is successful, a SCIM-restricted token will be returned. This token is securely bound to the associated enterprise and is valid only for accessing SCIM endpoints through Azure AD.
Save the SCIM token (received in response), it will be used in Azure AD to authenticate and test the connection to the SCIM endpoint.

Create an SCIM App in Azure Active Directory

Access the Azure AD portal and create an application using the following steps:

Sign in to the Azure portal using your Azure Active Directory administrator account, and click on 'Enterprise applications'.
Click on the "New application" button.
Click on the "Create your own application" button.
Enter the name for the app, select an option for your app via the radio button, and click on the "Create" button.

Create an App Role for the SCIM App

Define custom roles for your application using the following steps:

Select the 'App registration' option from the left panel.
Choose the created application for which you want to define the app role.
Click on 'App roles', and then the 'Create app role' button.
Specify the 'Display name', 'Allowed member types' and the 'Value' for the app role.

Test Connection with SCIM Client

After creating the SCIM app, follow the steps below to establish a connection with the SigningHub API:

In the application’s navigation pane (left side), click on Provisioning:
Enter the 'Tenant URL' (SCIM endpoint) and the 'secret token'.
- The format for the 'Tenant URL' shall be https://yourdomain.com/api/scim/v2.
- The 'Secret Token' is the SCIM-specific bearer token, generated earlier.
Click the Test Connection button.

Configure Provisioning Settings and Access Mappings

Navigate to the 'Provisioning' section, and click on 'Mappings':

Set the 'Provisioning Mode' to Automatic.
Turn the 'Provisioning Status' to On.
Click on Provision Microsoft Entra ID Users to configure attribute mappings.

This section would be unlocked after successfully setting up the connection with the SCIM Client app.

Assign Users and Roles to the SCIM Application

To ensure users are eligible for provisioning and are mapped correctly to enterprise roles, follow these steps:

In the left-hand menu, click on Users and groups.
Click on Add user/group.
In the Users section, select the user(s) you want to assign to the application.
In the Select a role section, choose a role created under the app (e.g., SigningHub_Admin, User, etc.).
Click Assign to complete the user-role mapping.

Only assigned users are eligible for SCIM provisioning.
Roles must match the enterprise role names in SigningHub for automatic mapping.
If no role is assigned, the system will apply the DefaultEnterprise role by default.
Once mapped, no further role configuration is needed in SigningHub.

Set Source Scope for Provisioning

To define which users are eligible for SCIM provisioning, follow the steps below:

Navigate to Provisioning, then click on Provision Microsoft Entra ID Users, depending on your configuration.
Under Source Object Scope, set the value to All records. (This ensures that all assigned users are considered for provisioning.)
Optionally, apply a filter to include or exclude specific users from being provisioned.

SCIM User Attribute Mapping

User attribute mapping is a critical part of configuring SCIM provisioning. SigningHub requires a specific set of attributes to be mapped correctly from Azure AD.

Delete all default attributes before proceeding. Manually add only the attributes listed below.

Navigate to Provisioning, then click Provision Microsoft Entra ID Users to open the Attribute Mapping screen.
Delete all default mappings shown in the list.
Manually add the following attributes one by one:

SCIM Attribute (SigningHub)

Azure AD Attribute

Mandatory?

email[type eq "work"].value

mail

Yes

active

accountEnabled

title

jobTitle

userName

displayName

Yes

name.givenName

givenName

name.familyName

surname

phoneNumber[type eq "work"].value

mobile

roles[primary eq "True"].value

Custom expression

urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:organization

companyName

Email is the primary identifier in SigningHub and is required for all user-related operations.
1. It must be mapped to the Azure AD mail attribute.
2. Set Matching Precedence to 1 to ensure it's treated as the unique key.
3. If email is not correctly mapped, provisioning will fail.
The target attribute names can be customised but must align with the schema expected by the SCIM client (SigningHub).
Role mapping requires a custom attribute expression.
1. For roles[primary eq "True"].value, use a custom expression to map Azure AD app role assignments to the enterprise role in SigningHub.
2. This allows the correct role to be assigned automatically during provisioning.
All mandatory attributes (marked "Yes" in the table) must be configured. If any required attribute is missing or misconfigured, provisioning will not work.
Attribute formats must exactly match what the SigningHub SCIM client expects. This applies especially to structured attributes like email, phone number, and roles (e.g.,email[type eq "work"].value).
You may choose optional attributes like job title or mobile number based on your organisation’s needs, but they are not required for successful provisioning.

Trigger On-Demand Provisioning

Azure AD auto-provisioning runs every 40 minutes, which can delay testing or first-time setup. To speed up validation, use on-demand provisioning to manually trigger user or sync.

Follow the steps below to trigger on-demand provisioning:

Navigate to Provisioning, then click Provision Microsoft Entra ID Users.
Scroll down and click Provision on demand.
Search for a user and click Provision.

Use this method during initial setup to validate attribute mappings and API connectivity.
If provisioning fails, it may indicate:
- Invalid or expired token,
- SCIM endpoint is unreachable,
- Attribute mismatch.
If auto-provisioning stops due to such errors, manual intervention may be needed to restore it.

SCIM Provisioning Behaviour

The following table outlines how user account actions in Azure AD are automatically reflected in SigningHub through SCIM provisioning.

Azure AD Action

SigningHub Response

Description

New user added

User account is automatically created

A new SigningHub user is created based on the SCIM mapping.

User details updated

User details are automatically updated

Updates to fields like job title, company name, mobile number, or role are synced.

User account disabled

User account is automatically disabled

The user becomes disabled in SigningHub.

User account deleted

User account is automatically deleted

The corresponding SigningHub user is permanently removed.

Disabled user re-enabled

User account is automatically re-enabled

The previously disabled SigningHub user account is enabled.

When auto-provisioning is enabled, all users assigned to the SCIM app in Azure AD will sync with the enterprise.
New users not yet registered will be created under the mapped enterprise role. If the role assigned in the identity provider:
- does not exist in SigningHub, the user will not be registered.
- is missing, the user will be added under the default enterprise role configured in the SigningHub web application.
Users manually created in SigningHub (outside SCIM) are not deleted automatically. These users will only be eligible for SCIM provisioning after they are added to Azure AD, assigned a valid role, and provisioned (either manually or automatically).

Pre-authorize users

SCIM provisioning

Follow the steps below to enable SCIM provisioning:

Log in with your enterprise admin credentials.
Click "Configurations" from the left menu and click "Users" under "People" options in the "Enterprise Configurations" section.
Tick the "Enable SCIM provisioning" check box.
Click the "Save" button.

The user role assigned in the identity provider must also exist in SigningHub; otherwise, the user will not be registered.
If no role is specified in the identity provider, the user will be added under the default role configured in the SigningHub web application.

Pre-authorise your users

Log in with your enterprise admin credentials.
Click "Configurations" from the left menu and click "Users" under "People" options in the "Enterprise Configurations" section.
Tick the "Automatically register the users" check box.
The "Authentication Profile" field will appear, listing all the Active Directory Authentication Profiles and the Azure Active Directory Authentication Profiles configured in the SigningHub Admin console. Select the required authentication profile from the list.
Click the "Save" button.

This implies, if multiple enterprises have been configured within an on-premises deployment, then the "Automatically register the users" check box should be ticked for only one enterprise.

Assign a custom role to a Security Group

Log in with your enterprise admin credentials.
Click "Configurations" from the left menu and click "Users" under "People" options in the "Enterprise Configurations" section.
Click "Add a security group".
Specify a Group name.
Now, select a role to assign to this security group and click the "Submit" button. The default role is shown as automatically chosen for the security group; change it as required.

Edit the assigned role of an Active Directory security group

Select the security group whose role is required to edit.
Click "Edit" in the right panel.
Select the role as required and click "Save changes".

Delete the assigned role and Active Directory security group association

Select the security group required to be deleted.
Click "Delete" from the right panel.
Click "Delete" in the confirmation dialogue.

When using Active Directory authentication for SigningHub Desktop Web, the users to be authenticated should be part of the same domain where SigningHub has been deployed, e.g. if the users belong to the "Ascertia" domain, then SigningHub should also be deployed on the "Ascertia" domain.