Make the following changes in the “web.config” file to configure Application Settings for SigningHub API.


To add signature policy information while performing signatures:

<add key="SignaturePolicyURI" value=""/>

<add key="SignaturePolicyName" value=""/>

  1. For the tag with the “SignaturePolicyURI” key, set the value to a valid downloadable link of the signature policy document.
  2. For the tag with the “SignaturePolicyName” key, set the value to the file name (with extension) of a signature policy document placed in the default directory of the SigningHub deployment, at the following path:

    [SigningHub Deployment Directory]\default\signaturepolicydocuments

    A workaround is needed on the ADSS side to verify EPES signatures: ADSS cannot download the policy document from the URI embedded in the signature, so the policy document must also be placed in the policy folder at the following path:

    [ADSS Installation Directory]/service/policy

    Moreover, the policy OID and the document path must be added to the 'policy.properties' file located at the following path:

    [ADSS Installation Directory]/service

    Example:
    Sample-OID = D:/Deployments/ADSS-Server/service/policy/Sample-Policy-Document.pdf

To add the signature policy OID while performing signatures:

<add key="SignaturePolicyOID" value=""/>

For the tag with the “SignaturePolicyOID” key, set the value to the signature policy OID according to the policy document.


To display an error if no RUT value is found in the user identity table:

<add key="ValidateRUT" value="False" />

For the tag with the “ValidateRUT” key, set the value to “True”. Otherwise SigningHub will work as of today and will let the user sign the document.


To add the '00' IDD prefix (if not already present) in the mobile number:

<add key="MODIFY_MOBILE_NUMBER_FOR_SAM" value=""/>

For the tag with the “MODIFY_MOBILE_NUMBER_FOR_SAM” key, set the value to “True” and SigningHub will work as of today, adding the '00' prefix (if not already present) to the mobile number before sending it to the ADSS Server's SAM.


If it's “False”, SigningHub will send the mobile number to the ADSS's SAM without any modifications.


To turn off default certify policy for individual users:

<add key="DefaultCertifyForIndividualUsers" value="False"/>

For the tag with the "DefaultCertifyForIndividualUsers" key, set the value to "True" and SigningHub will work as of today, turning on the certify policy by default for individual users. If it's "False", SigningHub will turn off the certify policy.


To enable V3 APIs for SigningHub:


<add key="V3_Enabled" value="false"/>


For the tag with the "V3_Enabled" key, set the value to "True" and SigningHub will work as of today, with the V3 APIs available for use. If it's "False", the V3 APIs cannot be used.


To turn on Email Address Validation:

<add key="Validate_Email_For_Signing_Authentication" value="false"/>

For the tag with the "Validate_Email_For_Signing_Authentication" key, set the value to "True" and SigningHub will enforce that users use the same email address for both login authentication and signing authentication. If it's "False", SigningHub will work as of today and users can use different email addresses for login authentication and signing authentication.


To turn off Auto-opening of Edit Signature Field dialogue:

<add key="HideEditDialogOnFieldDropped" value="" />

For the tag with the "HideEditDialogOnFieldDropped" key, set the value to "True" and SigningHub will turn off the auto-opening of the Edit Signature Field dialogue window when the user drags and drops a signature field. If it's "False", SigningHub will work as of today and the Edit Signature Field dialogue window will auto-open.


To set default Workflow Mode for individual users:

<add key="DefaultWorkflowForIndividualUsers" value="" />

For the tag with the "DefaultWorkflowForIndividualUsers" key, set the value to a workflow mode and SigningHub will use that workflow mode as the default for individual users. If the key is not present, SigningHub will work as of today and set the workflow mode to "ONLY_OTHERS". Three workflow modes are supported in the application. Possible values are "ONLY_ME", "ME_AND_OTHERS" and "ONLY_OTHERS".


To set time zone that is used when sending verification time to ADSS Server's Verification Service:

<add key="ADSS_SERVER_TIMEZONE" value="" />

For the tag with the "ADSS_SERVER_TIMEZONE" key, set the value to a time zone and SigningHub will use that time zone when sending the verification time to the ADSS Server's Verification Service. If the key is not present, SigningHub sends the verification time in the UTC time zone. Three time zones are supported in the application. Possible values are "GMT+06", "GMT+03" and "GMT+02".


To perform XAdES Extended signature for XML document:

<add key="XADES_SIGNATURE_TYPE" value="" />

For the tag with the "XADES_SIGNATURE_TYPE" key, set the value to "ES-X-L" and SigningHub will perform an XAdES Extended signature for backward compatibility with ADSS Server version 6.9 or lower. If the key is not present, SigningHub will work as of today and perform ETSI-compliant "XAdES-Baseline-LTA" signatures.


To enable custom CORS Policy in API:

<add key="AllowedOrigins" value="[URL1;URL2]" />

For the tag with "AllowedOrigins" key, set the value of origins e.g. "https://mobile.signinghub.com;https://beta.mobile.signinghub.com". SigningHub API would only be accessible from the origins mentioned in the list. If it's not present, then SigningHub will work as of today and allow all origins by default.
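As an added example (not SigningHub's own code), the following shows how the semicolon-separated AllowedOrigins value is turned into an allowlist and how an incoming Origin header should be matched against it: scheme, host and port must all match exactly, a lookalike host or a different port is rejected, and an absent or empty key falls back to the page's default of allowing all origins. The config fragment is constructed from the page's example origins.

```python
"""Origin allowlist matching for AllowedOrigins (added example, not SigningHub's code).
Assumes the page's format: a semicolon-separated list of origins in the key's value."""
from typing import Optional
from urllib.parse import urlsplit
from xml.etree import ElementTree

# Constructed appSettings fragment using the page's example origins.
SAMPLE_CONFIG = """<configuration><appSettings>
  <add key="AllowedOrigins"
       value="https://mobile.signinghub.com;https://beta.mobile.signinghub.com" />
</appSettings></configuration>"""

DEFAULT_PORTS = {"https": 443, "http": 80}


def normalize_origin(origin: str):
    """Return (scheme, host, port), or None if the string is not a bare origin."""
    parts = urlsplit(origin.strip())
    try:
        port = parts.port
    except ValueError:                 # non-numeric or out-of-range port
        return None
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        return None                    # an origin carries no path or query
    return (parts.scheme, parts.hostname, port or DEFAULT_PORTS[parts.scheme])


def load_allowed_origins(config_xml: str):
    """Parsed allowlist, or None when the key is absent/empty (all origins allowed)."""
    root = ElementTree.fromstring(config_xml)
    for add in root.iter("add"):
        if add.get("key") == "AllowedOrigins" and (add.get("value") or "").strip():
            entries = (o for o in add.get("value").split(";") if o.strip())
            return {normalize_origin(o) for o in entries} - {None}
    return None


def allow_origin_header(request_origin: str, allowed) -> Optional[str]:
    """Access-Control-Allow-Origin value to send, or None to send no CORS headers."""
    if allowed is None:
        return "*"                     # the page's default: every origin allowed
    if normalize_origin(request_origin) not in allowed:
        return None                    # scheme, host and port must all match exactly
    return request_origin              # echo the matched origin rather than "*"
```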


To enable Kerberos authentication:


<location path="authenticate/kerberos">
    <system.webServer>
        <security>
            <authentication>
                <anonymousAuthentication enabled="true" />
                <windowsAuthentication enabled="true" />
            </authentication>
        </security>
    </system.webServer>
</location>


For Kerberos authentication, uncomment the above location tag. While the location tag is commented out, SigningHub will work as of today and Kerberos authentication is not allowed.


To use SigningHub administrator API:


<location path="admin/authenticate/client_cert" overrideMode="Allow">
    <system.webServer>
        <security>
            <access sslFlags="SslNegotiateCert" />
        </security>
    </system.webServer>
</location>


To use the SigningHub Admin API, uncomment the above location tag. While the location tag is commented out, SigningHub will work as of today and the SigningHub Admin APIs cannot be used.


To enable user validation for OIDC authentication:


<add key="ValidateOidcUserEmailAndNationalId" value="false"/>


When ValidateOidcUserEmailAndNationalId is set to true:

  • The system will enforce the following validations during authentication:
    • The combination of the email address and the national ID of the authenticated user must match the combination of the email address and the national ID present in SigningHub.
    • The format BID:{USER_NATIONAL_ID} will be passed as login_hint in the authorization request only if the Login Hint is enabled with the BID value in the OIDC connector.


When ValidateOidcUserEmailAndNationalId is set to false or the key is not present:

  • The system will continue to operate under the existing conditions as it does today, without enforcing the specified validations.


To use HashiCorp KeyVault:

<add key="HASHI_CORP_UAMI_CLIENT_ID" value="" />

<add key="HASHI_CORP_LOGIN_URL" value="" />

<add key="HASHI_CORP_UAMI_NAME" value="" />

<add key="HASHI_CORP_NAMESPACE" value="" />

<add key="HASHI_CORP_VAULT_PATH" value="" />

<add key="HASHI_CORP_SECRET_KEY" value="" />

<add key="HASHI_CORP_SECRET_KEY_TYPE" value="PASSWORD" /><!--Possible Values: PASSWORD | CONNECTION_STRING-->

For the tag with the “HASHI_CORP_UAMI_CLIENT_ID” key, specify the unique identifier for the client application integrating with HashiCorp Key Vault connector.

For the tag with the “HASHI_CORP_LOGIN_URL” key, specify the URL where the HashiCorp Vault can be accessed for authentication and authorization.

For the tag with the “HASHI_CORP_UAMI_NAME” key, specify a unique identifier or label within Azure Active Directory (AD), used to identify and manage individual users or entities within the Azure AD framework, ensuring an organized and secure structure for user-related information and permissions. 

For the tag with the “HASHI_CORP_NAMESPACE” key, specify the logical partition within HashiCorp Vault for organizing and managing secrets. 

For the tag with the “HASHI_CORP_VAULT_PATH” key, specify a pathway to a location within the HashiCorp Vault for storing and managing secrets and data. 

For the tag with the “HASHI_CORP_SECRET_KEY” key, specify the key against which to get the value from the Key Vault.

For the tag with the “HASHI_CORP_SECRET_KEY_TYPE” key, possible values are PASSWORD and CONNECTION_STRING.


For the above tags, add the relevant details of the HashiCorp KeyVault to integrate SigningHub with HashiCorp KeyVault to securely access sensitive information such as secrets stored within HashiCorp Vault. If it's empty then SigningHub will work without the HashiCorp KeyVault integration.
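The keys on this page that default to "work as of today" are mostly validations that stay off unless explicitly set to True. As an added example (not SigningHub's own tooling), the audit below parses a web.config and reports each such setting left at its permissive default, an empty AllowedOrigins, an undocumented HASHI_CORP_SECRET_KEY_TYPE, and every location tag that is actually uncommented; the sample web.config is constructed for the demo.

```python
# Added example, not SigningHub's own tooling; the checks follow the defaults documented above.
from xml.etree import ElementTree

# Constructed sample: every value left at the page's documented default,
# the Admin API location uncommented and the Kerberos location commented out.
SAMPLE_WEB_CONFIG = """<configuration>
  <appSettings>
    <add key="ValidateRUT" value="False" />
    <add key="Validate_Email_For_Signing_Authentication" value="false" />
    <add key="ValidateOidcUserEmailAndNationalId" value="false" />
    <add key="AllowedOrigins" value="" />
    <add key="HASHI_CORP_SECRET_KEY_TYPE" value="TOKEN" />
  </appSettings>
  <!-- <location path="authenticate/kerberos"><system.webServer/></location> -->
  <location path="admin/authenticate/client_cert" overrideMode="Allow">
    <system.webServer><security><access sslFlags="SslNegotiateCert" /></security></system.webServer>
  </location>
</configuration>"""

# Keys whose validation is skipped unless the value is exactly True.
OPT_IN_VALIDATIONS = {
    "ValidateRUT": "users with no RUT value can still sign",
    "Validate_Email_For_Signing_Authentication":
        "login and signing authentication may use different email addresses",
    "ValidateOidcUserEmailAndNationalId":
        "OIDC email/national ID match against SigningHub is not enforced",
}


def audit_web_config(config_xml: str) -> list:
    """Return one finding string per setting that weakens or changes exposure."""
    root = ElementTree.fromstring(config_xml)   # comments are dropped by the parser
    settings = {a.get("key"): a.get("value") for a in root.iter("add") if a.get("key")}
    findings = []
    for key, effect in OPT_IN_VALIDATIONS.items():
        if (settings.get(key) or "").strip().lower() != "true":
            findings.append(f"{key} is not True: {effect}")
    # Absent or empty AllowedOrigins means the API accepts every origin.
    if not (settings.get("AllowedOrigins") or "").strip():
        findings.append("AllowedOrigins is empty: API accepts requests from all origins")
    # Only the two values from the page are valid for the secret key type.
    key_type = settings.get("HASHI_CORP_SECRET_KEY_TYPE")
    if key_type and key_type.upper() not in ("PASSWORD", "CONNECTION_STRING"):
        findings.append(f"HASHI_CORP_SECRET_KEY_TYPE={key_type!r} is not a documented value")
    # A <location> that survives parsing is uncommented, i.e. the endpoint is enabled.
    for loc in root.findall("location"):
        findings.append(f"location {loc.get('path')!r} is enabled")
    return findings
```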
