How to configure SAML-SSO integration in SigningHub?

There are four prerequisites of SAML-SSO integration, i.e.:

  1. This feature should be enabled in your SigningHub license file.
  2. The fetching of users' information must be based on the users' email addresses.
  3. You should have the IDP metadata XML file of the IDP server that includes the IDP signing certificate, and
  4. You should have the SP Request Signing Certificate (PFX file and its password).

 Configuration steps:

  1. Open the SigningHub Admin console.
  2. Create a SAML connector with the following data, see details:
    1. Name: My SAML IDP Connector. 

    2. Provider: SAML Identity Provider.

    3. IDP Metadata: Browse the IDP Metadata XML (from your machine) that is generated from the IDP server.

    4. SP Request Signing Certificate (PKCS#12): Browse and select a request signing certificate (PFX file) for the service provider (SP).

    5. SP Request Signing Certificate Password: Specify the password of the PFX file.

    6. Want Assertion Signed: Ticked.

    7. Authentication Request Signed: Ticked.

    8. Active: Ticked.

  3. Now edit the recently created connector (i.e. My SAML IDP Connector), and click the "Export SP Metadata" button.
    A signed "SPMetaData.XML" file will be exported (downloaded on your machine).
  4. Create a SAML authentication profile with the following data, see details:
    1. Name: My SAML Authentication Profile.

    2. Description: SAML-SSO integration.

    3. Method: SAML Authentication

    4. Connector: My SAML IDP Connector

    5. Logo: Browse your company logo for it (64x50 resolution image is recommended).

    6. Active: Ticked.

  5. Click the "Publish Changes" button.

Post configuration:

Update the signed and exported SP metadata file on the IDP server for client-end configuration.
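
A pre-flight check for the two metadata files used above, as an added example (not SigningHub or Ascertia code): it confirms that the IDP metadata carries a signing certificate (prerequisite 3) and that the exported SP metadata reflects the ticked "Authentication Request Signed" and "Want Assertion Signed" options. It assumes both files follow the standard SAML 2.0 metadata schema; the sample documents and the `entity` helper are constructed for the demonstration.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def idp_problems(xml_text):
    """Prerequisite 3: the IDP metadata must carry a signing certificate."""
    idp = ET.fromstring(xml_text).find(".//md:IDPSSODescriptor", NS)
    if idp is None:
        return ["no IDPSSODescriptor element"]
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") not in (None, "signing"):  # no "use" = any purpose
            continue
        cert = kd.findtext(".//ds:X509Certificate", default="", namespaces=NS)
        if not cert.strip():
            continue
        try:
            der = base64.b64decode("".join(cert.split()), validate=True)
        except ValueError:
            return ["signing certificate is not valid base64"]
        # DER-encoded certificates start with a SEQUENCE tag (0x30).
        return [] if der[:1] == b"\x30" else ["signing certificate is not DER"]
    return ["no signing KeyDescriptor with an X509Certificate"]

def sp_problems(xml_text):
    """The exported SP metadata should reflect the two ticked options."""
    root = ET.fromstring(xml_text)
    sp = root.find(".//md:SPSSODescriptor", NS)
    if sp is None:
        return ["no SPSSODescriptor element"]
    problems = [attr + " is not true"
                for attr in ("AuthnRequestsSigned", "WantAssertionsSigned")
                if sp.get(attr) not in ("true", "1")]  # xs:boolean literals
    # Presence check only; verifying the signature needs an XML-DSig library.
    if root.find("ds:Signature", NS) is None:
        problems.append("metadata document is not signed")
    return problems

def entity(inner):  # constructed wrapper for the sample documents below
    return ('<md:EntityDescriptor xmlns:md="%s" xmlns:ds="%s" entityID="urn:example">'
            '%s</md:EntityDescriptor>' % (NS["md"], NS["ds"], inner))

# Constructed sample input: placeholder bytes, not a real certificate.
FAKE_CERT = base64.b64encode(b"\x30\x82\x00\x04demo").decode()
IDP_OK = entity('<md:IDPSSODescriptor><md:KeyDescriptor use="signing"><ds:KeyInfo>'
                '<ds:X509Data><ds:X509Certificate>' + FAKE_CERT +
                '</ds:X509Certificate></ds:X509Data></ds:KeyInfo>'
                '</md:KeyDescriptor></md:IDPSSODescriptor>')
SP_WEAK = entity('<md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="false"/>')
```

Pass the contents of the real IDP metadata file to `idp_problems` and the exported SPMetaData.XML to `sp_problems`; an empty list means no problem was found.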

What should be the rights of an IIS user on the SigningHub installation directory?

When you (IIS User) need to configure Enterprise Branding through SigningHub Admin, you should have the "Read and Write" rights on the "SigningHub" installation directory. You should have the same rights on the "Temp" and "Framework64" directories as well.

How to configure Active Directory with SSO (Single Sign On)?

To configure Active Directory with SSO:

  1. Ensure that the Active Directory feature is enabled in your license.
  2. Ensure the following on SigningHub Admin Console:
    1. Create a new connector for Active Directory, see details.

    2. Create a new authentication profile for Active Directory authentication and disable the SigningHub ID if users don't want to use the SigningHub ID, see details.

    3. Click the "Publish Changes" button.

  3. Ensure the following on the site of SigningHub Web IIS:

After successful deployment of SigningHub, register an Enterprise account with SigningHub ID. To implement Single Sign On for Active Directory, the following IIS configurations are required:

    1. Enable Anonymous and Windows Authentication - Click the "Server node > Authentication" and make sure "Anonymous Authentication" and "Windows Authentication" are enabled, and all the other authentications are disabled.

    2. Set Authentication-Windows to Read/Write - To enable this feature in IIS, click the Server node > Feature Delegation > Authentication - Windows

    3. Application pool settings - Make sure the following are set for the SigningHub web Application pool:
      1. "Managed Pipeline Mode" is set to "Integrated"

      2. ".Net Framework version" is "v4.0"

      3. "Identity" is set to default identity "ApplicationPoolIdentity"


    4. SigningHub Web > Basic Settings - Click the SigningHub Website in IIS and ensure that "Basic Settings" is set to "Application user (pass-through authentication)" and not "Specific user"; otherwise, Active Directory will get the profile information of the specific user mentioned here.

    5. SigningHub Web > CGI - Click the SigningHub Website in IIS and double click on CGI. Set "Impersonate User" to "true" in order to authenticate the user from Windows.

    6. Internet Options trust settings - Click "Internet Options", then "Security", then "Trusted sites", then "Sites", and add the IP of your SigningHub web deployment to your trusted sites.

After these configurations, restart IIS.

What can I do after the AD and SSO integration in SigningHub? 

After the successful integration of AD and SSO, you can:

How can I handle the growing ADSS Server and SigningHub database temp db?

  1. Stop the SigningHub Core instance from Windows services panel
  2. Stop the ADSS Server Core, Console and Service instances from Windows services panel
  3. Launch the SQL Server management studio and connect to the database engine with relevant username and password
    1. Right click the respective database of SigningHub > Properties > Options 
    2. Look for the property "Is Read Committed Snapshot On". Ensure that the value of this property is set to "False"
    3. Repeat sub-steps 1 and 2 for the ADSS Server database

  4. Start the ADSS Server Core, Console and Service instances from Windows services panel
  5. Start the SigningHub Core instance from Windows services panel

How to configure Dropbox with SigningHub? 

You can configure Dropbox with SigningHub in three easy steps:

  1. Create a Dropbox connector in the SigningHub Admin console, see details.
  2. Configure that Dropbox connector as "Default Dropbox Connector" in the Global Settings of SigningHub Admin console, see details
  3. Start using your Dropbox documents from SigningHub web. Click here for details if you are using SigningHub v7, or click here if you are using any older version of SigningHub

How to configure Google Drive with SigningHub? 

You can configure Google Drive with SigningHub in three easy steps:

  1. Create a Google Drive connector in the SigningHub Admin console, see details
  2. Configure that Google Drive connector as "Google Drive connector" in the Global Settings of SigningHub Admin console, see details
  3. Start using your Google Drive documents from SigningHub web. Click here for details if you are using SigningHub v7, or click here if you are using any older version of SigningHub

How to configure Worldpay with SigningHub? 

You can configure Worldpay with SigningHub in three easy steps:

  1. Create a Worldpay connector in the SigningHub Admin console, see details.
  2. Configure that Worldpay connector as "Payment Gateway" in the Billing configurations of SigningHub Admin console, see details
  3. Start making your SigningHub payments through the Worldpay channel. Click here for details if you are using SigningHub v7, or click here if you are using any older version of SigningHub

How to migrate SigningHub from one machine to another?

 This assumes the database server system is not being changed

  1. Get the package for the same version of SigningHub on the new machine
  2. Extract the SigningHub package on new machine
  3. Stop the IIS Server on existing SigningHub machine
  4. Go to location: [New-SigningHub-Installer]/setup directory and run the install.bat file by right clicking and choosing Run as administrator option
  5. On the SigningHub Installation Type dialog, select the option "I want to install SigningHub using existing database"
  6. Provide the credentials for the existing database that contains the SigningHub configurations
  7. Continue with the installation and click the Finish button to complete the installation. More detailed instructions can be found in section 5.3 of the SigningHub installation guide
  8. If there were load balanced instance(s) then repeat the steps 1 to 7 on the rest of the SigningHub machines
  9. Once all installations are done, log in to SigningHub Admin > Configurations > Global Settings and configure the public URLs for SigningHub Web, API and Mobile Web.
  10. Edit the [New-SigningHub-Installer]/web/web.config file and replace the SigningHub Mobile URLs with public SigningHub Mobile URLs in the rewrite element. Apply this change on all SigningHub instances if it is a load-balanced installation
  11. Edit the [New-SigningHub-Installer]/mobile/web.config file and replace the SigningHubApiURL value with the public SigningHub API URL. Apply this change on all SigningHub instances if it is a load-balanced installation
  12. Restart the IIS Service on all instances for the changes to take effect
  13. Now uninstall the SigningHub from the old machine(s) by following section 6 of SigningHub installation guide

Changing logging level for SigningHub

To change the debug logging level for SigningHub, modify the NLog.xml files present at the following locations for all instances (Web, API, Core & Admin) of SigningHub Enterprise, replacing the value Info with Debug or Error as needed.

  1. [SigningHub_Installation-Dir]/web/ 
  2. [SigningHub_Installation-Dir]/api/
  3. [SigningHub_Installation-Dir]/core/
  4. [SigningHub_Installation-Dir]/admin/
  5. Restart the IIS Server on all instances for the changes to take effect.


How to add a new font for signature appearance?

 You can use fonts of your choice in your on-premises deployment by following these steps:

  1. Go to the [SigningHub-Installation-Directory]\default\fonts path and place your chosen font(s) there.

  2. Go to SigningHub Admin, edit the related Signing Profile being used in service plan, and select the added font from Text-based Signature Font. See details.
    Save and close the Edit Signing Profile dialog.

  3. Publish the changes, see how. 

How to change the default welcome document?

The Welcome document is a PDF that is shown as Pending document to each newly registered user of your on-premises deployment for test signing. You can change the default welcome document as required, for this: 

  1. Go to the [SigningHub-Installation-Directory]\default\document path.
  2. Place your chosen PDF document there. Make sure your PDF document has an unassigned signing field.

Note: In case of adding multiple documents in the folder, SigningHub alphabetically sorts them and automatically picks the one that is listed on the top.

How to change certificate of a SigningHub Admin operator?

At times you need to change the certificates of your SigningHub Admin operators. For this:

  1. Go to SigningHub Admin > Access Control
  2. Edit the required Administrator and browse a new certificate from Authentication Certificate, see details.
    Save and close the Edit Administrator dialog.

How to change the certificate alias in SigningHub Admin for a particular end-user? 

A signing certificate is used in conjunction with its alias to sign a document. The ownership of a certificate alias can either be protected by SigningHub, or a user may own their certificate and protect it with a password. In case a user has configured multiple signing capacities, then each signing capacity will have a unique certificate alias. 

Certificate aliases are changed to allow SigningHub users to use their personal (any 3rd party signing) certificate for signing through SigningHub web. See how to change a certificate alias.

How to apply a patch on SigningHub on-premises deployment?

  1. Download the SigningHub patch file from the link that is provided by Ascertia Support and copy it on the SigningHub server.
  2. Extract the patch in a new folder.
  3. Take the backup of SigningHub existing installation directory.
  4. Copy the patch files and paste them on the SigningHub installation directory. When asked choose to overwrite the existing files.
  5. Restart the "World Wide Web Publishing Service/Internet Information Services" for the changes to take effect.


How to Migrate Data Between an upgraded and clean installation of SigningHub?

SigningHub makes use of a Data Encryption Key (DEK) which is used to encrypt all documents and personal information. When the Key Encryption Key (KEK) is turned on in the SigningHub Admin, the DEK gets encrypted by the KEK assigned to the Client ID in ADSS Server > Client Manager > ClientID > Advanced Settings.

When decrypting data, the KEK will decrypt the DEK and the DEK will be used to decrypt the documents and personal information.  When the KEK is switched off in SigningHub Admin and the KEK is available in ADSS Server, SigningHub will decrypt the DEK and then re-encrypt the DEK with a SigningHub KEK.  This means that the DEK doesn’t change and it also means that you should be able to switch off the KEK in SigningHub admin, move and reconfigure SigningHub to the new ADSS Server and switch on KEK using the KEK generated on the new ADSS Server, therefore allowing you to remove the migrated ADSS Server.
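
The key hierarchy described above, traced through the migration as an added example (not SigningHub or ADSS Server code): the DEK is re-wrapped under each KEK in turn while the document ciphertext is never touched. The page does not state which algorithms the product uses, so `seal`/`unseal` are a stand-in built from HMAC-SHA256 to keep the example on the standard library; a real deployment would use a vetted AEAD or key-wrap algorithm, and all names here are hypothetical.

```python
import hashlib
import hmac
import os

def _subkeys(key):
    # Derive separate encryption and MAC keys from one input key.
    return [hmac.new(key, label, hashlib.sha256).digest() for label in (b"enc", b"mac")]

def _keystream(key, nonce, length):
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]

def seal(key, plaintext):
    """Stand-in authenticated encryption (encrypt-then-MAC), illustration only."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    stream = _keystream(enc_key, nonce, len(plaintext))
    body = bytes(p ^ k for p, k in zip(plaintext, stream))
    return nonce + body + hmac.new(mac_key, nonce + body, hashlib.sha256).digest()

def unseal(key, blob):
    enc_key, mac_key = _subkeys(key)
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered data")
    return bytes(c ^ k for c, k in zip(body, _keystream(enc_key, nonce, len(body))))

def rewrap(wrapped_dek, current_kek, next_kek):
    """Re-encrypt the DEK under another KEK; the DEK itself is never regenerated."""
    return seal(next_kek, unseal(current_kek, wrapped_dek))

def migration_demo():
    dek = os.urandom(32)
    old_adss_kek, signinghub_kek, new_adss_kek = (os.urandom(32) for _ in range(3))
    document = seal(dek, b"constructed document bytes")      # stored data, never re-encrypted
    wrapped = seal(old_adss_kek, dek)                         # KEK on, old ADSS Server
    wrapped = rewrap(wrapped, old_adss_kek, signinghub_kek)   # KEK switched off in Admin
    wrapped = rewrap(wrapped, signinghub_kek, new_adss_kek)   # KEK on, new ADSS Server
    plaintext = unseal(unseal(new_adss_kek, wrapped), document)
    try:
        unseal(old_adss_kek, wrapped)
        old_kek_unwraps = True
    except ValueError:
        old_kek_unwraps = False  # the old ADSS Server key is no longer in the chain
    return plaintext, old_kek_unwraps
```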

Steps completed for the testing in a local environment:

In these tests, this worked as expected without any issues; we were able to access all documents as the DEK stayed intact.

Please ensure that you take all the necessary backups and thoroughly test the change in your testing environment prior to proceeding with your Production environment. Additionally, it is highly advisable to exercise the necessary caution when completing this change.