Items

Description

Status

A Unity profile may be marked Active or Inactive. Note that an inactive profile will not be used to process requests generated by client application.

Profile ID

A mandatory field which provides a system-defined unique identifier for this profile.

Profile Name

A mandatory unique name defined by the ADSS Server Administrator for easier recognition of the profile within the ADSS Unity Console.

Profile Description

This can be used to describe the profile in more detail (e.g. in which circumstances will this Unity profile be used). This is for information purposes only.

Items

Description

SAM Server Settings

This section defines the configuration required for requests forwarding to SAM Service. 

SAM Service Addresses

This field shows the SAM Service addresses that can be used to generate user keys, register user devices within SAM Service. Multiple service addresses can be added. The Test button checks that the ADSS SAM Service is available. The Remove button deletes a configured SAM Service address.

SAM Profile

Specifies the SAM profile to be used for this Unity profile.

Client ID 

Shows the Client ID of SAM Service. Unity Service will send this Client ID while communicating with SAM service. SAM service verifies that this is a registered Client ID within the Client Manager module before granting access to this service.

Maximum Hashes/Documents Allowed

This field specifies the maximum number of documents/hashes that can be sent to ADSS Unity Service.

Note: The value '0' means unlimited. 

Authorisation Certificate

The Authorisation Certificate field shows a list of certificates configured with 'Document Signing' purpose. The Unity Service uses this certificate to sign the SAD (Signature Activation Data). Normally the SAD is signed by the Go>Sign mobile application but there are cases when the SAD could be signed by Unity Service using this authorisation certificate.
These cases include:

1. When an external IdP is used to authorise the request instead of Go>Sign mobile application.
2. When a PIN/OTP is used to authorise the request in case of SCAL1.
3. In e-sealing cases where first request is authorised by user using Go>Sign mobile application, an external IdP or a PIN/OTP and for rest of the requests the user's involvement is not required. Unity Service gets the first SAD renewed by SAM and sign the new SAD using its authorisation certificate. It repeats the same for next series of requests. 

Use TLS Client Authentication

If this option is enabled, then Unity Service will communicate with SAM Service using TLS client authentication. By default, it is disabled.

Certificate

Select the Client TLS Certificate which pre-exists in the Key Manager. 

Note: It is required to register the Issuer CA of the Client TLS certificate in Trust Manager with the CA for verifying TLS client certificates purpose. 

Items

Description

Service Authorisation

This section defines the configuration required for user authentication mechanism for business application.

Basic Authentication (User ID and Password)

Using Basic Authentication, the user is authorized by providing UserID and password, the Unity Service will return a user access token to the client application for the subsequent communication.

Note: By default, it is disabled. 

OAuth2 Authentication

The user is authenticated using OAuth2.0 mechanism. the authentication of user can be performed in multiple ways. It includes 'Direct user authentication by ADSS Unity and 'Delegated user authentication via external IdP'. Both of these methods are explained below:   

• Direct user authentication by ADSS Unity: In this system, users are authenticated directly by the Unity Service through a login page where they provide their username and password. Once authenticated, the Unity Service issues an access token that business applications can use for future communication.
• Delegated user authentication via external IdP: In this process, the ADSS Unity Service redirects users to an external Identity Provider (IdP) for authentication. The IdP verifies the user's credentials and sends back assertion data to the Unity Service, confirming the authentication details. Once the Unity Service confirms the assertion, it issues an access token that business applications can use for ongoing communication.
• External IdP: This drop-down shows the list of external IdP's configured in Connector sub-module in Global Settings. It allows the user to select the required external IdP from the drop-down list.
• Display Text: While authenticating a user via external IdP, a web page will be displayed by ADSS Unity Service to user. This field allows the user to enter the default text as an instruction for the user on the new page. For example:
  "A document needs your authorisation to be signed". If business application provides a Display Text to Unity Service then that text will be displayed to user instead of the text in this field.
• Forward Display Text to IdP: When this checkbox is enabled, an optional description parameter is sent to the configured external IdP with Display Text as the value of parameter. The parameter will be sent for all supported delegated authentication protocols like SAML and OpenID Connect.

Note: Keep the below points under consideration while operating with checkbox:

• When this option will be selected in Unity Profile, SCAL2 should be selected in SAM Profile.
• When the OAuth2 Authentication checkbox is enabled, the Client Credential Flow is supported by default. 

Credentials Authorisation

This section defines the configuration required for credentials authorisation mechanism.

A business application can request Unity Service to provide the supported credentials authorisation methods using a CSC v2 API (credentials/info) and configurations made in this section are returned to business application as a result.

OAuth2 Authorisation Code

The authorisation for the user to access the signing key will be done by OAuth 2.0 authorisation code flow. The authorisation is returned in the form of an authorisation code, which the application shall then use to obtain SAD (Signature Activation Data).

In OAuth 2.0 authorisation, the authentication of user can be performed in multiple ways. It includes 'Direct user authentication via Go>Sign App' and 'Delegated user authentication via external IdP'. Both of these methods are explained below:  

• Direct user authentication via Go>Sign App: In this scheme, the signing request is authorised on Go>Sign Mobile App, hence, the user is authenticated by Go>Sign Mobile Application.
• Display Text: While authenticating a user via Go>Sign Mobile App, a web page will be displayed by the Unity Service to the user. This field allows the user to enter the default text as an instruction for the user on the web page. For example: 
  "You need to authorise this signing request on Go>Sign mobile application on a registered mobile device."
• Do not display authorisation prompt to user: When this checkbox is enabled, a page that is being displayed by Unity Service asking the user to authorise the transaction as well as loading page for Go>Sign App will be skipped.
• Delegated user authentication via external IdP: In this setup, the ADSS Unity Service redirects users to an external Identity Provider (IdP) for authentication. Users are authenticated directly by the IdP, and the Go>Sign mobile app is not involved in authorizing requests in this scenario. Once authenticated, the IdP provides an assertion to the Unity Service.
• External IdP: This drop-down shows the list of external IdP's configured in Connector sub-module in Global Settings. It allows the user to select the required external IdP from the drop-down list.
• Display Text: While authenticating a user via external IdP, a web page will be displayed by ADSS Unity Service to user. This field allows the user to enter the default text as an instruction for the user on the new page. For example:
  "You need to authorise this signing request". If business application provides a Display Text to Unity Service then that text will be displayed to user instead of the text in this field.
• Forward Display Text to IdP: When this checkbox is enabled, an optional description parameter is sent to the configured external IdP with Display Text as the value of parameter. The parameter will be sent for all supported delegated authentication protocols like SAML, SAML Redirect and OpenID Connect.
• Do not display authorisation prompt to user: When this checkbox is enabled, a page that is being displayed by Unity Service asking the user to authorise the transaction as well as loading page for external IdP will be skipped.

Note: When this option will be selected in Unity Profile, SCAL2 should be selected in SAM Profile.

Explicit

In explicit authorisation, the user can either provide authorisation on Go>Sign mobile app, or the user can authorise the credentials by providing PIN or OTP (One Time Password) under the 'Other' option. 

When "Go>Sign App" will be selected in Unity Profile, only following options should be configured in SAM Profile:

• SCAL2 should be selected for Sole Control Assurance Level.
• Delegated User authentication via external IdP should not be selected

When Other option is selected, the user can authorise the credentials by providing PIN or OTP. Details of both these mechanisms are explained below: 

• PIN based authorisation: In this scheme, the user authorises the credentials by providing a PIN. The user password that was provided while registering the user in ADSS Server will be used as PIN here. The user will enter this PIN on a screen provided by the business application and the business application in turn will send this PIN to Unity Service for credential authorisation.
• PIN Label: This field is used to set a label for the PIN field. Note that this label is displayed on a page hosted by business application. When business application requests Unity Service for a credential's information, returns this PIN Label if set in the profile. The business application can use this label to show against the PIN field on its page. It is an OPTIONAL field with maximum 255 characters allowed.
• PIN Description: This field will be used to enter the PIN description. Just like PIN label this information is also provided to business application. It is an OPTIONAL field with maximum 255 characters allowed
• OTP based authorisation: In this scheme, the user authorises the credentials by providing an OTP. The Unity Service will send an OTP via SMS or Email (as per configuration) to the user. On receiving the OTP, the user will enter it on a page hosted by its business application. The business application will provide this OTP to Unity Service for credentials authorisation.
• OTP Label: This field is used to set a label for the OTP field. This label will also be displayed on the page hosted by business application. It is an OPTIONAL field with maximum 255 characters allowed.
• OTP Description: This field will be used to enter a description for the OTP. It is an OPTIONAL field with maximum 255 characters allowed.
• Send OTP via: This is a drop-down field that enables the user to select whether to send OTP via SMS or Email.
• Out of band (IdP): This checkbox becomes accessible when the user opts for "Delegated user authentication via external IdP" by enabling OAuth2 Authentication under Service Authorisation. If this option is enabled, the user won't need to authorise again during the credentials authorisation process. Instead, the information gathered during service authorisation will be reused.
  Note: Enabling this option disables PIN and OTP-based authorisation. If either the PIN or OTP-based authorisation is enabled, this option will be automatically disabled.

Enable Polling

This checkbox will be available if Go>Sign App is selected for Explicit Credentials Authorisation. It defines whether the polling is currently enabled or disabled for the credentials authorisation for Go>Sign Mobile application. If polling is enabled, the credentials/authorize API will return HTTP 202. Clients need to poll the state of the authorisation via credentials/authorizeCheck API.

User Authentication Settings for Mobile Application

This section defines the configuration required for user authentication mechanism for mobile application.

Authenticate User with OTP(s)

User is authenticated (at time of login and device registration) using the OTPs that are delivered to user’s mobile or email. 

By selecting any check box user can received the OTPs on any of the selected option. 

Authenticate User with QR Code

The Go>Sign mobile app sends a request to the Unity Service to authenticate the user. The Unity Service then notifies the mobile app that the user will be authenticated via a QR code. Subsequently, the Go>Sign mobile app prompts the user to use their mobile device's camera to scan the QR code. Additionally, it instructs the user to log in to their Web RA account to obtain the QR code.

No Authentication

No authentication is required for a user at time of login and device registration.

Items

Description

Enable Full Document Signing

This checkbox will be enabled if the user intends to perform configurations for Full Document Signing. 

Allowed Signature Formats

This drop-down allows the user to select the signature formats to be applied on the full document. The list of allowed signature formats includes: 

• XAdES
• PAdES
• CAdES

Allowed Signed Envelope Properties

This drop-down allows the user to select the signed enveloped properties on the basis of signature formats added in the Allowed Signature formats field. See the details: 

• If 'XAdES' is added in Allowed Signature Formats, then below mentioned signed envelope properties can be added:
• Enveloped
• Enveloping
• If 'PAdES' is added in Allowed Signature Formats, then below mentioned signed envelope properties can be added:
• Certification
• Revision
• If 'CAdES' is added in Allowed Signature Formats, then below mentioned signed envelope properties can be added:
• Detached
• Attached

Allowed Conformance Levels

This drop-down allows the user to select the allowed conformance levels to be applied on the full document. The list of allowed conformance level includes: 

• AdES-B-B
• AdES-B-T
• AdES-B-LT
• AdES-B-LTA

TSA Settings

This section will only be available if conformance level with a timestamp is added in the Allowed Conformance Level field i.e. AdES-B-T, AdES-B-LT or AdES-B-LTA. 

It allows the user to select a configured TSA server from the drop-down. 

Enhance existing signature to an extended format

This checkbox will only be available if 'CAdES' or 'XAdES' are selected in Allowed Signature Formats field, as well as 'AdES-B-T', 'AdES-B-LT' or 'AdES-B-LTA' are added in Allowed Conformance Level field. 

This option is specifically intended for use when the business application submits data with a basic signature to the service with the intention of having it converted into a long-term format.

Note:

1. The only the first signature within the document is converted using this mechanism.
2. If the business application requests a parallel signature by sending an already signed document, a new signature will be created instead of enhancing the existing one. In this case, the checkbox functionality will be disregarded.

Signature Grace Period

This option will only be visible if 'Enhance existing signature to an extended format' checkbox is enabled. This field will define how long ADSS Server should wait after the signing time indicated in the signature (either by TSA or by signer's local time) before converting the basic signature to an advanced signature.

Note: The default value set to '0'. The value '0' indicates that do not consider signature grace period while converting to advanced signature type.

If revocation status info is unavailable then return error 

If 'AdES-B-T' or 'AdES-B-LTA' are added in Allowed Conformance Level, then an extra check box is offered to decide if Unity Console should return an error if it cannot embed the revocation information when creating the Long-Term signature.

Such signatures require embedded status/ revocation information for the signer's certificate chain. This is useful to stop basic signatures being created when a communication failure prevents revocation information being obtained from external resources.  If this check box is not selected, then the signature will be produced but it may not contain the embedded revocation if this was unavailable at the time of signing, e.g. if the relevant OCSP is not responding or if the dynamic CRL is unavailable. ADSS Server is generally configured to cache CA CRLs locally and it also has a short-life cache for dynamic CRLs and OCSP responses.

Note: It is recommended you always tick this box.

Hash Algorithm

The SignDoc API prioritizes the Hash Algorithm based on the request. First, it checks if the algorithm is specified in hashAlgorithmOID or implicitly provided in signAlgo/signAlgoParam. If not found there, it resorts to the hashAlgorithm from the SAM Profile. If the SAM's hash computation at signing time is disabled, it then resorts to the hash algorithm specified in the Unity Profile.

Select which hash algorithm to use as part of the signature creation process. The following algorithms are supported:  

• SHA256
• SHA384
• SHA512
• SHA3-256
• SHA3-384
• SHA3-512

Canonicalization Method

This checkbox will only be available if 'XAdES' is added in Allowed Signature Formats field. The user will select the Canonicalization algorithm that will be used to canonicalize the XML before computing the hash. One of the following algorithms can be selected:

• Inclusive (http://www.w3.org/TR/2001/REC-xml-c14n-20010315)
• Exclusive (http://www.w3.org/2001/10/xml-exc-c14n#)

Note: By default, 'Inclusive' will be selected.

Sign XML document parts

This section will only be available if 'XAdES' is selected in Allowed Signature Formats field, as well as 'Enveloped' is added in Allowed Signed Enveloped Properties field.

This defines how a specific element can be signed in the XML document. Element can be defined individually or via XPath. Multiple signing elements can also be added. XPath uses path expressions to select nodes or node-sets in an XML document. XPath uses path expressions to navigate in XML documents. XPath can be set in number of ways. If checkbox is enabled and the system is unable to find the defined XML signing element then it will return an error. 

If signature/document relationship is Enveloped then XML part signing settings will be enabled.

Xpath Examples:

/root/books/author

//publisher

Apply certify (author) signature

This section will only be available if 'PAdES' is selected in Allowed Signature Formats field. A certify signature option is very useful to lock the document against further unauthorised changes. These options are presented:

• No changes allowed (Useful for invoices, statements, etc)
• Form fill-in and digital signatures (Useful when more than one person need to fill in a form and sign)
• Annotations, form fill-in and digital signatures (Useful when users wish to comment & sign a document)

Note: Keep the below points under consideration while operating with checkbox:

1. It is recommended to use only one precise signing location with certified signature settings.
2. The 'No changes allowed' certify signature option will not be available for AdES-B-LT, AdES-B-LTA conformance levels.
3. If the 'Certification' property of the envelope is requested but not configured in the Unity profile, the default setting 'No Changes Allowed' is applied for PAdES-B-B and B-T, and 'Form-Filling and Digital Signature' for LT and LTA.

Signature Visibility Settings

If this checkbox is enabled, the signature visibility settings become visible to the user. 

Signature Appearance Location Settings

This section will only be available if 'PAdES' is selected in Allowed Signature Formats field, as well as 'Signature Visibility Settings' is checked. This section allows the user to set the appearance and location of the signature. 

Use a PDF editor to draw signature fields(s) as required

If this option is selected, then signing location(s) can be defined by opening the target PDF in the PDF editor. 

Use a default signing field location

If selected then following option are shown:

1. Default Signing Area

This option allows you to select a default location on the page where the signature appearance will be stamped. You have choices of:

• Top Left corner
• Top Right corner
• Center
• Bottom Right Corner
• Bottom Left Corner

If this does not adequately position the signature field on a document (e.g. engineering drawings have specific requirements where the signature field should go) then use the precise locations option.

2. Signing Page

This defines which page of the document to sign on when using a default signing location. 

3. Signature Appearance

Select one of the PDF Signature Appearances already generated as mentioned in the section PDF Visible Signatures.

Use an existing blank signature field in the target document

If selected then following options are shown:

1. Signing Field

If the document already has a blank signature field, then the name of the signature field can be specified using this option. When ADSS Server signs a PDF document using this signing profile it will then search for this signing field and embed the signature details within that field. This is also a good way of positioning the signature in an exact location rather than just the default locations mentioned above. 

Note: Signature field names are case-sensitive so ensure you enter a valid field name as used in your documents, e.g. field1 and Field1 are not the same. 

2. Signature Appearance

Select one of the PDF Signature Appearances already generated as mentioned in the section PDF Visible Signatures.

Embed font to be used for PDF signature appearance text objects

This section will only be available if 'PAdES' is selected in Allowed Signature Formats field, as well as 'Signature Visibility Settings' is checked. It selects the fonts used in the signature appearance to be embedded in the signed PDF document. 

What to Include in the Signature

This section will only be available if 'PAdES' is selected in Allowed Signature Formats field, as well as 'Signature Visibility Settings' is unchecked. It defines the elements that are to be included in the signature. The user needs to define values in the below mentioned fields: 

1. Signing Reason

In this field, the user can define the reason of the signing, that will become the part of signature.

2. Signing Location

In this field, the user can define the location of the signing, e.g. London, UK. 

3. Contact Information

In this field, the user can provide its contact information.

Explicit Policy Based Electronic (EPES) signature settings

By enabling the check box Add Signature Policy Identifier, the signing profile can be used to produce (EPES) signatures where a signature policy OID, URI, user notice and policy store are added in the digital signature as specified below:

1. Signature Policy Object ID

A Mandatory field

Provide the Signature Policy OID to be added for EPES signatures.

2. Signature Policy URI

A Mandatory field.

Provide the Signature Policy URI to be added for EPES signatures.

If there is no Policy URI defined inside the signing profile then EPES configurations should be made in policy.properties file located at: [ADSS Installation Directory]/service/

Open this file in any text editor and enter policy OID and path to the policy document 

e.g. 1.2.3.4.5 = "F:/Policy_File"

3. Signature Policy User Notice

Provide the user notice to be added to the EPES signatures.

4. Signature Policy Store

Provide the user policy store to be added to the EPES signatures. This option is ignored in case of PAdES signature format.

Maximum Document Size Allowed

This field allows the user to set the maximum size of the document that is be signed. The size of the document is set in MBs.

Signature Dictionary Size (KBs)

This section will only be available if 'PAdES' is selected in Allowed Signature Formats field. The signature dictionary size is the allocated signature dictionary that is used to embed signature in the PDF document. Default size is 40 KB, however, user can change it accordingly based on the signature size. 

Lock the Document After Signing

This checkbox enables the user to lock the PDF document after the final signature, preventing any further changes such as digital signing, form-filling, or annotations.

Note: This option is not available for PAdES-B-LT, PAdES-B-LTA and PAdES-E-LTV signature types.

Use a permission passphrase to control the PDF data as defined in the ISO 32000 specifications

Enable this option to set the document level permissions on PDF files as defined in ISO 32000 specification. 

Note: These permission settings are ignored for PAdES Signature Format as well as AdES-B-LT and AdES-B-LTA Conformance Levels. 

Once this checkbox is enabled the below fields become visible to the user. The details of fields are explained below:

• Permission Paraphrase: This field is used to type a passphrase that will be set on the PDF document to change the permissions of this document
• Allow Printing: The user is permitted to print the document. The user can define the resolution of printing either by selecting High Resolution or Low Resolution.
• Allow content to be modified: The user is permitted to modify the contents e.g. to change the content of a page, or insert or remove a page.
• Allow copying and extraction of content: The user is permitted to insert, remove, and rotate pages and add bookmarks. 
  Note: The content of a page can’t be changed unless the permission Allow content to be modified is granted too.
• Allow document assembly: The user is permitted to copy or otherwise extract text and graphics from the document, including using assistive technologies i.e. screen readers or other accessibility devices.
• Enable text access for the visually impaired: The user is permitted to extract text and graphics for use by accessibility devices.
• Only allow filling of form fields: The user is permitted to fill form fields (for 128-bit encryption only).
• Allow commenting: The user is permitted to add or modify text annotations and interactive form fields.

Items

Description

Signing Field

If the document already has a blank signature field, then the name of the signature field can be specified using this option. When ADSS Server signs a PDF document using this unity profile, it will then search for this signing field and embed the signature details within that field. This is also a good way of positioning the signature in an exact location rather than just the default locations mentioned above. 

Note: Signature field names are case-sensitive so ensure you enter a valid field name as used in your documents, e.g. field1 and Field1 are not the same.

Signature Appearance

Select one of the PDF Signature Appearances already generated as mentioned in the section PDF Visible Signatures.

Overridable

This flag indicates whether the details configured in the unity profile can be amended by the client application by passing parameters in the unity service request message. Select the check boxes for those values that the client application is able to override in this unity profile. This provides a great deal of flexibility to the client application to override the unity profile settings at the time of sending the request to ADSS Server.

Items

Description

Certificate Settings

This section defines the configuration required for certificate creation at Certification Service. 

Certificate Service Addresses

This field shows the Certificate Service addresses that can be used to generate user keys, register user devices within SAM Service. Multiple service addresses can be added. 

Certificate Profile

Specifies the Certification profile to be used for this Unity profile.

Client ID 

Shows the Client ID of Certification Service. Unity Service will send this Client ID while communicating with Certification service. Certification service verifies that this is a registered Client ID within the Client Manager module before granting access to this service.

Use TLS Client Authentication

If this option is enabled, then Unity Service will communicate with Certification Service using TLS client authentication. By default, it is disabled.

Certificate

Select the Client TLS Certificate which pre-exists in the Key Manager. 

Note: It is required to register the Issuer CA of the Client TLS certificate in Trust Manager with the CA for verifying TLS client certificates purpose. 

Short-Lived Certificate Settings

This is a license based feature and will only be available to the user if enabled in license. The short-lived certificates will stay active unless document signing is performed. After that, the user and it's relevant keys are deleted. 

The below sections become available to the user after enabling 'Enable Short-Lived Certificates' checkbox.

Subject Distinguished Names:
This item describes the default attributes and values to be used for Subject Distinguished Name (DName) during certificate generation. 

The claim includes user information and is linked to external Identity Providers (IdPs). Users have the ability to match the IdP claims they receive with the corresponding Relative Distinguished Names (RDNs). It's possible for the same RDN to be added multiple times against different claims.

Note: The supported Relative DNs values are: 

• CN - Common Name 
• G - Given Name
• SN - Surname
• T - Title
• OU - Organization Unit
• O - Organization
• OI - Organization Identifier
• E - Email
• L - Locality
• ST - Street Address
• S - State
• P - Postal Code
• C - Country
• SERIALNUMBER - Subject Serial Number
• UID - Unique Identifier
• B - Business Category
• houseIdentifier - House Identifier
• DC - Domain Component

Subject Directory Attribute:
This item describes the default attributes and values to be used for Custom Extensions during certificate generation.

The claim includes user information and is linked to external Identity Providers (IdPs). Users have the ability to match the IdP claims they receive with the corresponding OIDs.

.

Custom Extensions:
This item describes the default attributes and values to be used for Subject Directory Attribute during certificate generation.

The claim includes user information and is linked to external Identity Providers (IdPs). Users have the ability to match the IdP claims they receive with the corresponding Subject Directory Attributes.

Validity Period

Set the validity period and select the time unit from the drop-down (minute(s), hour(s), day(s)) to set the certificate validity period.

Note: If the value in the field is set to '0', then the expiry time set in the Certification Profile will be utilized.

Remove Certificate from CA

If this checkbox is enabled, the user certificate will be deleted from configured Certification Service after document signing is completed.

The Duplicate profile will be created without the Name and Description of the selected Profile. The Unique ID generates automatically or the next available ID will be assigned to the Profile.