Signature settings are all about configuring the allowed signing methods (i.e., Server-side Signing, Client-side (Local) Signing, and/or Mobile Signing), authentication methods (i.e., No Authentication, OTP via SMS, SigningHub ID, Microsoft Active Directory, Salesforce, Freja eID etc.) and signing capacities in a role. You can separately configure these settings for web browsers and mobile apps, and choose a default signing method for each case. 


You can also configure Remote Authorised Signing here, which allows a user to authorise a remote signature (performed on the server) using their registered mobile device. The device has its own built-in user authentication (Touch ID or PIN), so in a way this also lets them configure two-factor authentication.

Furthermore, this section lets you manage signing reasons, which are used in the Signature Appearance and become a permanent part of a PDF signature. The signing reasons can optionally be displayed in the signed PDF document.


Configure Signature Settings in a Role 

  1. Log in with your enterprise admin credentials.
  2. Click on the profile drop down menu (available at the top right corner).
  3. Choose the "Enterprise Settings" option.
  4. Choose the "Roles" option from the left menu.



  5. Search for and select the role to edit, then click the edit icon adjacent to it. The "Edit Role" screen will appear for reconfiguration.
  6. Click the "Signature Settings" tab.
  7. Click the "Save" button after selecting the desired signing method as default.

 

Signature Settings

Fields

Description

Signing Servers

Signing Server

Click the add icon to display the Add Signing Server dialog for adding a signing server.

In the dialog, select the "Keys Location", which displays the following screens:

  • Server
  • Capacities
  • Authentications


SERVER

                                            

This screen lets you add a "Signing Server" and "Signature Appearance". You can either add a signing server for Server Side Signing or for Client-Side (Local) Signing, based on the selected Keys Location.
The Signing Server list will display the available signing servers, based on your service plan configurations.

You can also add a signature appearance, based on the selected Signing Server. The Signature Appearance list will display the available signature appearances, based on your service plan and role configurations. Select the "Signature Appearance" if you want your users to use a fixed signature appearance when signing with a specific Signing Server; it will be displayed on the Signing dialog. If no signature appearance is selected, the system will behave as it currently does and allow signing with any of the signature appearances allowed in the service plan and role.

CAPACITIES

  

This screen lets you configure different "Signing Capacities" for each Level of Assurance. It enables a user to sign under multiple positions within an organisation. When configured, SigningHub creates multiple certificates for the user as per their allowed capacities in the service plan, categorised by the levels of assurance that are configured in the service plan. The user can pick a desired capacity at signing time and the related certificate will be used in their signature.

Add the signing capacities as required for the enterprise user(s) belonging to this role, categorised as per level of assurance. The options available in the drop-down list are allowed in your service plan.

If there is only one signing capacity, it will not be displayed in the signing dialog at the time of signing. Signing capacities are displayed in the signing dialog only when there is more than one, and you can select any one of the available capacities for signing.

Default Signing Capacity
In this field, select one of the chosen capacities to be displayed as the default signing capacity to the user(s) while signing.

In a scenario where one or more enterprise users can have the same signing capacities within your enterprise, create a specific role with the desired capacities and simply assign it to them. However, when each user has a different set of signing capacities, then create an exclusive role for each user and configure their signing capacities accordingly. 
For more details, see the Configuration Guide.

AUTHENTICATIONS

  
This screen lets you select signing-time authentication methods separately for the role. The Levels of Assurance of the selected Signing Capacities are hierarchically grouped under Organization, User and SigningHub Admin. You can select signing-time authentication methods for each of them separately.

You can select authentication methods for SigningHub web and mobile apps against the relevant Levels of Assurance. The available authentication methods are subject to your Service Plan configuration. The selected method will be used as the authentication method when your enterprise users sign their documents through any web browser. See the details of authentication methods below.

The same authentication is applied to Electronic Seal (eSeal), Advanced Electronic Seal (AdESeal) and Qualified Electronic Seal (QESeal), although different certificates will be generated accordingly. Therefore, if you have selected the signing capacities of Electronic Seal (eSeal), Advanced Electronic Seal (AdESeal) and Qualified Electronic Seal (QESeal), then on this screen you will see them bundled as a single authentication.

When configuring Remote Authorised Signing (RAS), configure signing capacities for RAS in your Service Plan; the "Authorisation via Mobile App" option will then appear as the Authentication Method for those capacities under 'Signing Capacities for Remote Authorisation (Owned by User)'.

Secondary Authentication Method
Select another authentication method (i.e., OTP via SMS or No Authentication) from the "Secondary Authentication Method" field. This method will be used in addition to the above-mentioned authentication method, giving your enterprise users a provision to use two-factor authentication at signing time. If two-factor authentication for signing through web browsers is not required, then select "No Authentication" from this field.

  1. Signing Servers to be configured under enterprise roles are subject to your assigned enterprise service plan; only those signing servers that are configured in your service plan will be available under enterprise roles.
  2. When adding a Signing Server for CSC, no signing capacities or level of assurance related information appears.
  3. When adding a Signing Server for Client Held Keys using either ADSS or CSC, no further options appear.

Signing Dialog

Hide signature dialog at the time of signing

Select this option to allow the users (that are associated with this role) to skip the signing dialog while performing a signature. The signing dialog will be hidden if:

  • "Hide signature dialog at the time of signing" is checked in your role,
  • You have selected Hand Signature Method as Text or Upload having the signature image in your My Settings> Signatures> Signature Appearance, and
  • You have a single signing capacity only.

Meta Information

Allow user to manage contact information

Select this option to allow the enterprise users (belonging to this role) to view the "Contact Information" field on the signing dialog of signature, and set its value as required before signing.

If you keep it deselected, this field will not be shown to the enterprise users on the signing dialog. In this case, the default set value will automatically be picked from the user's role upon signing, as highlighted below.

See My Settings> Signing Details> Additional Signature Information for details.

Allow user to manage location

Select this option to allow the enterprise users (belonging to this role) to view the "Location" field on the signing dialog of signature, and set its value as required before signing.

If you keep it deselected, this field will not be displayed to the enterprise users on the signing dialog. In this case, the field value will be selected automatically from the default set value under user's role settings upon signing.

 

When this option is deselected in a role, the signing location cannot be updated from the user's personal settings and will be shown as disabled in the user's settings.
See My Settings> Signing Details> Additional Signature Information for details.

Signing Reason

Allow user to manage signing reason

Select this option to allow the users (belonging to this role) to view the "Signing Reason" field in the signing dialog of signature and set its value as required before signing.

When 'Allow user to manage signing reason' is selected, the following three options become available:

  • Select the "User defined" option, if you want the users to specify their own signing reasons at the time of signing.
  • Select the "Predefined" option, if you want your users to choose a signing reason from the available list (added via "Signing Reasons" button). Also select a default signing reason that will be displayed to your enterprise users at the signing time.
  • Select the "Fixed" option, if you want your users to use a fixed signing reason. Select a fixed signing reason from the list (added above using the "Signing Reasons" button).


  

If you keep it deselected, this field will not be displayed to the users in the signing dialog. In this case, the default set value will automatically be picked from the user's role upon signing, as highlighted below.

 


When this option is deselected in a role, the signing reason cannot be updated from the user's personal settings and will be shown as disabled in the user's settings.

See My Settings> Signing Details> Additional Signature Information for details.

Manage Signing Reasons

Manage Signing Reasons

Click the "Signing Reasons" button to manage (add and delete) signing reasons. The specified reasons will then be available in the "Predefined" and "Fixed" fields for selection. When used in the Signature Appearance, the signing reason becomes a permanent part of the PDF signature and can optionally be displayed in the signed PDF document.

 


*Authentication Methods:

When the "Key Protection Option" is set to 'System Password' (i.e., Sole Control is off) in certification profiles under SigningHub Admin configurations, SigningHub gives you the provision to choose a third-party authentication option for your enterprise users. You may select any of the following 15 options, through which your enterprise users can authenticate themselves for server-side signing.

  • No Authentication:

Select this option to let your enterprise users sign their documents directly without any authentication. In this case, their server-based certificate will be used for signing, but the system will not prompt for any password or OTP.

  • OTP via SMS:

Select this option to let your enterprise users use their SigningHub account password along with an OTP to sign their documents. Whenever your enterprise user attempts to sign a document, an OTP will be sent to their mobile device that must be entered for signing.

  • SigningHub ID:

Select this option to allow enterprise users to use their SigningHub account password to sign their documents. 

  • Microsoft Active Directory:

Select this option to allow enterprise users to use their Active Directory credentials to sign their documents. SigningHub will require their user ID (as registered in the organisational Active Directory) and domain password for the signing activity. You can authenticate using your Active Directory credentials at the time of signing while having a different email address, and vice versa.

  • Microsoft ADFS:

Select this option to allow enterprise users to use their ADFS credentials to sign their documents. SigningHub will require their user ID (as registered in cloud ADFS) and domain password for the signing activity. You can authenticate using your ADFS credentials at the time of signing while having a different email address, and vice versa.

  • Microsoft Office 365:

Select this option to allow enterprise users to use their Microsoft Office 365 credentials to sign their documents. SigningHub will require their Office 365 credentials (ID and password) for the signing activity. If your enterprise user has logged in through SigningHub ID and wants to sign through Microsoft Office 365 credentials, then their SigningHub ID (email address) and Office 365 ID (email address) must be the same.

  • Salesforce:

Select this option to allow enterprise users to use their Salesforce credentials to sign their documents. SigningHub will require their Salesforce credentials (ID and password) for the signing activity. You can authenticate using your Salesforce credentials at the time of signing while having a different email address, and vice versa.

  • LinkedIn:

Select this option to allow enterprise users to use their LinkedIn credentials to sign their documents. SigningHub will require their LinkedIn credentials (ID and password) for the signing activity. You can authenticate using your LinkedIn credentials at the time of signing while having a different email address, and vice versa.

  • Google:

Select this option to allow enterprise users to use their Google credentials to sign their documents. SigningHub will require their Google credentials (ID and password) for the signing activity. You can authenticate using your Google credentials at the time of signing while having a different email address, and vice versa.

  • Freja Mobile:

Select this option to allow your enterprise users to use their Freja Mobile authentication to sign their documents. Whenever your enterprise user attempts to sign a document, a signing request will be sent to their mobile device running the Freja Mobile app. Upon confirmation from the Freja Mobile app, the document will be signed.

  • Freja eID:

Select this option to allow your enterprise users to use their Freja eID authentication to sign their documents. Whenever your enterprise user attempts to sign a document, a signing request will be sent to their mobile device running the Freja eID app. Upon confirmation from the Freja eID app, the document will be signed.

  • Authorisation via Mobile App:

Select this option as the Authentication Method to allow your enterprise users to use the remote authorised signing provision. This option will only appear for the capacities that have Qualified Electronic Signature (QES) configured as the level of assurance and appear under the 'Signing Capacities for Remote Authorization (Owned by User)' category.

  • Bank ID:

Select this option to allow your enterprise users to use their Bank ID to sign their documents.  

SigningHub will require their Bank ID credentials (i.e., Bank ID, OTP, and Personal Password) for the signing activity. Upon providing all three authentication factors correctly, the document will be signed.

  • itsme:

Select this option to allow your enterprise users to use their itsme authentication to sign their documents.   

Whenever your enterprise user attempts to sign a document, a signing request will be sent to their mobile device running the itsme app. Upon approval from the itsme app, the document will be signed.

  • OAuth2:

Select this option to allow enterprise users to use your IDP credentials (OAuth2 supported protocol) to sign their documents. SigningHub will require their IDP credentials (ID and password) for the signing activity. You can authenticate using your IDP credentials at the time of signing while having a different email address, and vice versa.

  • OIDC:

Select this option to allow enterprise users to use your IDP credentials (OIDC supported protocol) to sign their documents. SigningHub will require their IDP credentials (ID and password) for the signing activity. You can authenticate using your IDP credentials at the time of signing while having a different email address, and vice versa.


  1. When you update a role in a production environment, the saved changes are applicable to the related users on their next login.
  2. The drop-down list of "Authentication Method" (i.e., SigningHub ID, Salesforce, Microsoft Active Directory, LinkedIn, Google, Bank ID etc.) in server-side signing depends on the key protection option under your certification profiles. If you are unable to find the required authentication method in the list, contact support.
  3. The availability of configuring "OTP via SMS" is subject to your subscribed service plan. If you are unable to find this option in your account, upgrade your service plan.
  4. "Authorisation via Mobile App" is subject to your signing profile that is configured in your service plan. If a signing capacity has been added for remote authorisation signing under your signing profile, then these capacities will appear under signature settings under the label 'Signing Capacities for Remote Authorisation (Owned by User)'. If you are unable to find this option in your account, contact support.

