CSC Signing
Introduction
The Cloud Signature Consortium (CSC) is a standard protocol for cloud-based digital signatures that supports web and mobile applications and complies with the most demanding electronic signature regulations in the world. The goal is to provide a common technical specification that will make solutions interoperable and suitable for uniform adoption in the global market, and to meet the highest level requirements of the European Union’s regulation on Identification and Trust Services (eIDAS). For more details on CSC and its implementation, click here.
SigningHub supports the Cloud Signature Consortium (CSC) API protocol, which enables customers to leverage Remote Signing Service Providers (RSSP) for signing documents. Support for CSC within SigningHub now means customers can use SigningHub not only with Ascertia ADSS Signing Server but also independently with a CSC-compliant RSSP.
SigningHub supports Cloud Signature Consortium (CSC) signing via the following two flows:
CSC Signing - Client Credentials Flow
- How it works?
- Configure a Connector in SigningHub Admin
- Configure a Signing Profile in SigningHub Admin
- Add Signing Profile to a Service Plan in SigningHub Admin
- Add Signing Server to a User Role in SigningHub Web
- Specify the CSC User ID against your profile in SigningHub Web
- CSC Signing
- To perform CSC signing, you must configure a CSC connector in SigningHub Admin.
- Configure a signing profile using the connector in SigningHub Admin.
- Add the signing profile to the service plan in SigningHub Admin.
- Add the Signing Server to the enterprise user role that you want to use for CSC signing.
- Specify your CSC User ID against your profile.
- Sign the document using the CSC Signing Server via SigningHub Web or API.
Configure a Connector in SigningHub Admin
For detailed steps on creating a CSC Connector in SigningHub, click here.
Make the following configurations to a connector in SigningHub Admin:
- In the "Basic Information" section, choose "CSC" as the "Provider".
- In the "Details" section, choose "Client Credentials" as the "Auth Type".
Configure a Signing Profile in SigningHub Admin
For detailed steps on creating a signing profile in SigningHub, click here.
Make the following configurations to a signing profile in SigningHub Admin:
- Select the CSC Connector created earlier, in the highlighted field below:
Add Signing Profile to a Service Plan in SigningHub Admin
For detailed steps on creating a service plan in SigningHub, click here.
Make the following configurations to the service plan in SigningHub Admin:
- In the "Signature" section of the service plan, select and add the earlier configured signing profile, as shown below:
Add Signing Server to a User Role in SigningHub Web
For detailed steps on managing enterprise user roles in SigningHub, click here.
Make the following configurations to a user role in SigningHub Web:
- Against your user role, in the "Signature Settings" tab, add the signing server.
Specify the CSC User ID against your profile in SigningHub Web
For detailed steps on setting up your profile in SigningHub, click here.
Make the following configurations to your profile in SigningHub Web:
- In the "General" tab, specify the "Cloud Signature Consortium (CSC) User ID".
Sign the document using the CSC Signing Server via SigningHub Web or API.
- Signing via SigningHub Web
To perform CSC signatures via SigningHub Web, follow these steps:
- From the document listing, open the document containing the signature field that you want to sign.
- Click the signature field and select the CSC Signing Server.
- Click the "SIGN NOW" button and, based on your CSC Signing Server configuration, provide the authorization details for Explicit (PIN/OTP/Both), Implicit or OAuth 2.0 authorization.
Once the authorization is complete, the document will be signed.
- Signing via API
To perform CSC signatures via API, follow these steps:
- Use the "Authenticate" API of SigningHub to get the authentication token of the user who is performing the signatures.
- The signature application (SigningHub) uses the "Get RSSP Information" API to get the RSSP (Remote Signing Service Provider) information that is needed to perform CSC Signing.
- The signature application (SigningHub) uses the "info" API of the CSC server which returns the information about the RSSP (Remote Signing Service Provider) and the list of API methods it has implemented. This method shall be implemented by any RSSP conforming to this specification.
- The signature application (SigningHub) gets the access token using the "oauth2/token" API with "client_credentials" as grant_type using the RSSP client credentials (client ID and conditionally a client secret).
- The signature application (SigningHub) gets the list of credentials associated with a user identifier using the "credentials/list" RSSP API or, if RUT filtration is required, calls the "Get Filtered Credential List" API of SigningHub. A user may have one or multiple credentials hosted by a single remote signing service provider.
- The signature application (SigningHub) gets the information on a signing credential, its associated certificate, and a description of the supported authorization mechanism using the "credentials/info" API of the CSC server.
- If the "authorization_required" parameter is true, in response to the "Get RSSP Information" API, the "Get Account Token" API shall be used to get the account_token which will be used to hit the "oauth2/authorize" endpoint.
- Use the "Get Document Hash" API of SigningHub to get the hash of the document.
- The signature application (SigningHub) can use any one of the following APIs of the CSC server for authorization of credential ID, based on the response of the "credentials/info" API of the CSC server:
  - "credentials/sendOTP" API to start the online OTP mechanism associated with a credential ID for Explicit (OTP) authorization.
  - "credentials/authorize" API to authorize access to the credential ID for signing for Explicit (OTP/PIN) or Implicit authorization. The SAD received in response shall be used in the "signatures/signHash" API request.
  - "oauth2/authorize" API to initiate an OAuth 2.0 authorization flow for the OAuth 2.0 authorization. The authorization is returned in the form of an authorization code, which the signature application shall then use to obtain the SAD with "credential" as scope. To get the SAD, use the "oauth2/token" API with "authorization_code" as the grant_type. The SAD received in response shall be used in the "signatures/signHash" API request.
- The signature application (SigningHub) calculates the remote digital signature of one or multiple hash values provided in input using the "signatures/signHash" API of the CSC server. This method requires credential authorization in the form of Signature Activation Data (SAD).
- Use the "Embed Signature" API of SigningHub to embed signatures in the document.
- The signature application (SigningHub) uses one of the following APIs of the CSC server for revoking access tokens, as per the requirement:
  - "auth/revoke" API to revoke the service access token or refresh token.
  - "oauth2/revoke" API to revoke an OAuth 2.0 access token or refresh token.
CSC Signing - Authorisation Code Flow
- How it works?
- Configure a Connector in SigningHub Admin
- Configure a Signing Profile in SigningHub Admin
- Add Signing Profile to a Service Plan in SigningHub Admin
- Add Signing Server to a User Role in SigningHub Web
- CSC Signing
- To perform CSC signatures, you must configure a CSC connector in SigningHub Admin.
- Configure a signing profile using the connector in SigningHub Admin.
- Add the signing profile to the service plan in SigningHub Admin.
- Add the Signing Server to the enterprise user role that you want to use for CSC signing.
- Sign the document using the CSC Signing Server via SigningHub Web or API.
Configure a Connector in SigningHub Admin
For detailed steps on creating a CSC Connector in SigningHub, click here.
Make the following configurations to a connector in SigningHub Admin:
- In the "Basic Information" section, choose "CSC" as the "Provider".
- In the "Details" section, choose "Authorization Code" as the "Auth Type".
Configure a Signing Profile in SigningHub Admin
For detailed steps on creating a signing profile in SigningHub, click here.
Make the following configurations to a signing profile in SigningHub Admin:
- Select the CSC Connector created earlier, in the highlighted field below:
Add Signing Profile to a Service Plan in SigningHub Admin
For detailed steps on creating a service plan in SigningHub, click here.
Make the following configurations to the service plan in SigningHub Admin:
- In the "Signature" section of the service plan, select and add the earlier configured signing profile, as shown below:
Add Signing Server to a User Role in SigningHub Web
For detailed steps on managing enterprise user roles in SigningHub, click here.
Make the following configurations to a user role in SigningHub Admin:
- Against your user role, in the "Signature Settings" tab, add the signing server.
Sign the document using the CSC Signing Server via SigningHub Web or API.
- Signing via SigningHub Web
To perform CSC signatures via SigningHub Web, follow these steps:
- From the document listing, open the document containing the signature field that you want to sign.
- Click the signature field and select the CSC Signing Server.
- Input the CSC user credentials provided by the CSC Signing Server.
- Click the "SIGN NOW" button and, based on your CSC Signing Server configuration, provide the authorization details for Explicit (PIN/OTP/Both), Implicit or OAuth 2.0 authorization.
Once the authorization is complete, the document will be signed.
- Signing via API
To perform CSC signatures via API, follow these steps:
- Use the "Authenticate" API of SigningHub to get the authentication token of the user who is performing the signatures.
- The signature application (SigningHub) uses the "Get RSSP Information" API to get the RSSP (Remote Signing Service Provider) information that is needed to perform CSC Signing.
- The signature application (SigningHub) uses the "info" API of the CSC server which returns the information about the RSSP (Remote Signing Service Provider) and the list of API methods it has implemented. This method shall be implemented by any RSSP conforming to this specification.
- If the "authorization_required" parameter is true, in response to the "Get RSSP Information" API, the "Get Account Token" API shall be used to get the account_token which will be used to hit the "oauth2/authorize" endpoint.
- The signature application (SigningHub) requests authorization for the user to access the RSSP resources using the "oauth2/authorize" API of the CSC server. The authorization is returned in the form of an authorization code, which the signature application shall then use to obtain an access token with "service" as scope. To get the access token, the signature application (SigningHub) uses the "oauth2/token" API with "authorization_code" as the grant_type. If the "authentication_required" parameter is true, in response to the "Get RSSP Information" API, call the "Get Access Token | SAD" SigningHub API to get the Bearer/SAD token.
- The signature application (SigningHub) gets the list of credentials associated with a user identifier using the "credentials/list" RSSP API or, if RUT filtration is required, calls the "Get Filtered Credential List" API of SigningHub. A user may have one or multiple credentials hosted by a single remote signing service provider.
- The signature application (SigningHub) gets the information on a signing credential, its associated certificate, and a description of the supported authorization mechanism using the "credentials/info" API of the CSC server.
- Use the "Get Document Hash" API of SigningHub to get the hash of the document.
- The signature application (SigningHub) can use any one of the following APIs of the CSC server for authorization of credential ID, based on the response of the "credentials/info" API of the CSC server:
  - "credentials/sendOTP" API to start the online OTP mechanism associated with a credential ID for Explicit (OTP) authorization.
  - "credentials/authorize" API to authorize access to the credential ID for signing for Explicit (OTP/PIN) or Implicit authorization. The SAD received in response shall be used in the "signatures/signHash" API request.
  - "oauth2/authorize" API to initiate an OAuth 2.0 authorization flow for the OAuth 2.0 authorization. The authorization is returned in the form of an authorization code, which the signature application shall then use to obtain the SAD with "credential" as scope. To get the SAD, use the "oauth2/token" API with "authorization_code" as the grant_type. The SAD received in response shall be used in the "signatures/signHash" API request.
- The signature application (SigningHub) calculates the remote digital signature of one or multiple hash values provided in input using the "signatures/signHash" API of the CSC server. This method requires credential authorization in the form of Signature Activation Data (SAD).
- Use the "Embed Signature" API of SigningHub to embed signatures in the document.
- The signature application (SigningHub) uses one of the following APIs of the CSC server for revoking access tokens, as per the requirement:
  - "auth/revoke" API to revoke the service access token or refresh token.
  - "oauth2/revoke" API to revoke an OAuth 2.0 access token or refresh token.
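The credential-authorization and "signatures/signHash" steps shared by both API walkthroughs above (Client Credentials and Authorisation Code), as an added Python example that is not SigningHub or CSC code: it maps a "credentials/info" response to the calls that yield a SAD, and refuses to build a signHash request for a hash the SAD was not issued for. The JSON field names (authMode, PIN/OTP presence and type, numSignatures, hashAlgo, signAlgo) are assumed from the public CSC API v1 specification rather than taken from this page, and the sample response is constructed.

```python
import base64
import hashlib

SHA256_OID = "2.16.840.1.101.3.4.2.1"          # hashAlgo: SHA-256
RSA_SHA256_OID = "1.2.840.113549.1.1.11"       # signAlgo: sha256WithRSAEncryption
# Constructed credentials/info response (assumed CSC v1 field names, not a real RSSP).
SAMPLE_INFO = {"authMode": "explicit", "PIN": {"presence": "true"},
               "OTP": {"presence": "true", "type": "online"}}

def b64_sha256(data: bytes) -> str:
    """Stand-in for the value the "Get Document Hash" API would return."""
    return base64.b64encode(hashlib.sha256(data).digest()).decode()

def plan_sad_calls(credential_id, cred_info, hashes, pin=None, otp=None):
    """Turn a credentials/info response into the ordered calls that yield a SAD."""
    mode = cred_info.get("authMode")
    if mode == "oauth2code":
        # User approves at the RSSP; the code is then exchanged for the SAD.
        # Only a subset of the request parameters is shown.
        return [("oauth2/authorize", {"scope": "credential", "credentialID": credential_id}),
                ("oauth2/token", {"grant_type": "authorization_code"})]
    if mode not in ("explicit", "implicit"):
        raise ValueError(f"unsupported authMode: {mode!r}")
    body = {"credentialID": credential_id, "numSignatures": len(hashes),
            "hash": list(hashes)}  # binds the SAD to these hashes
    if mode == "explicit":
        otp_info = cred_info.get("OTP", {})
        if otp_info.get("presence") == "true":
            if otp_info.get("type") == "online" and otp is None:
                # The RSSP has to deliver the OTP before authorize can succeed.
                return [("credentials/sendOTP", {"credentialID": credential_id})]
            if otp is None:
                raise ValueError("OTP required by credential")
            body["OTP"] = otp
        if cred_info.get("PIN", {}).get("presence") == "true":
            if pin is None:
                raise ValueError("PIN required by credential")
            body["PIN"] = pin
    return [("credentials/authorize", body)]

def build_sign_hash(credential_id, sad, authorized_hashes, hashes_to_sign):
    """Build a signatures/signHash body, refusing hashes the SAD does not cover."""
    extra = set(hashes_to_sign) - set(authorized_hashes)
    if extra or len(hashes_to_sign) > len(authorized_hashes):
        raise ValueError("hash not covered by SAD authorization")
    return {"credentialID": credential_id, "SAD": sad, "hash": list(hashes_to_sign),
            "hashAlgo": SHA256_OID, "signAlgo": RSA_SHA256_OID}
```

Keeping the authorized hash list next to the SAD and checking it before "signatures/signHash" means a mismatch between the hash from "Get Document Hash" and the hash the user approved is caught in the signature application rather than at the RSSP.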
See Also
- XML Signing
- Word Document Signing
- Electronic Seal Signing
- eID Easy Signing
- Remote Authorisation Signing (RAS)
- Signing using Policy OID
- Local Side Signing using T1C Server
- Local Side Signing using ADSS Server
- Signing Based on National ID Validation
- Signing via Signature Pad
- Signing Behaviour w.r.t Signature Appearance
- OTP Authentication