How to configure SAML-SSO integration in SigningHub?
SAML-SSO integration has four prerequisites:
- This feature should be enabled in your SigningHub license file.
- The fetching of users' information must be based on the users' email addresses.
- You should have the IDP metadata XML file of the IDP server that includes the IDP signing certificate, and
- You should have the SP Request Signing Certificate (PFX file and its password).
- Open the SigningHub Admin console.
- Create a SAML connector with the following data, see details:
Name: My SAML IDP Connector.
Provider: SAML Identity Provider.
IDP Metadata: Browse the IDP Metadata XML (from your machine) that is generated from the IDP server.
SP Request Signing Certificate (PKCS#12): Browse and select a request signing certificate (PFX file) for the service provider (SP).
SP Request Signing Certificate Password: Specify the password of the PFX file.
Want Assertion Signed: Ticked.
Authentication Request Signed: Ticked.
- Now edit the recently created connector (i.e. My SAML IDP Connector), and click the "Export SP Metadata" button.
A signed "SPMetaData.XML" file will be exported (downloaded on your machine).
- Create a SAML authentication profile with the following data, see details:
Name: My SAML Authentication Profile.
Description: SAML-SSO integration.
Method: SAML Authentication
Connector: My SAML IDP Connector
Logo: Browse your company logo for it (64x50 resolution image is recommended).
- Click the "Publish Changes" button.
Update the signed and exported SP metadata file on the IDP server for client-end configuration.
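Before uploading the exported file to the IDP server, it is worth confirming that it reflects the two ticked options. The check below is an added example, not SigningHub code: it assumes the export follows the standard SAML 2.0 metadata schema, where those options appear as the AuthnRequestsSigned and WantAssertionsSigned attributes, and the function name and sample XML are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def audit_sp_metadata(xml_text):
    """Return a list of findings; an empty list means every check passed."""
    root = ET.fromstring(xml_text)
    sp = root.find(".//md:SPSSODescriptor", NS)
    if sp is None:
        return ["no SPSSODescriptor element: this is not SP metadata"]
    findings = []
    # xs:boolean attributes that mirror the two ticked connector options.
    for attr in ("AuthnRequestsSigned", "WantAssertionsSigned"):
        if sp.get(attr, "false") not in ("true", "1"):
            findings.append(attr + " is not true")
    # The IDP needs the SP signing certificate to verify signed requests.
    certs = [c for kd in sp.findall("md:KeyDescriptor", NS)
             if kd.get("use") in (None, "signing")
             for c in kd.findall(".//ds:X509Certificate", NS)
             if (c.text or "").strip()]
    if not certs:
        findings.append("no signing certificate in KeyDescriptor")
    # Presence check only: the XML signature itself is not validated here.
    if root.find("ds:Signature", NS) is None:
        findings.append("metadata has no ds:Signature element")
    return findings

# Constructed sample, not a real SigningHub export; the certificate is a placeholder.
SAMPLE = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://sp.example.test">
  <ds:Signature/>
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>PLACEHOLDER</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    for finding in audit_sp_metadata(SAMPLE):
        print("FINDING:", finding)
```

A non-empty result means the connector settings and the exported file disagree, so re-check the connector and export again before handing the file to the IDP administrator.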
What should be the rights of an IIS user on the SigningHub installation directory?
When you (IIS User) need to configure Enterprise Branding through SigningHub Admin, you should have "Read and Write" rights on the "SigningHub" installation directory. You should have the same rights on the "Temp" and "Framework64" directories.
- SigningHub Directory
Browse the SigningHub installation directory on server, i.e. (Path)
- Temp Directory
Browse the Temp directory on server, i.e. (Path)
- Framework64 Directory
Browse the Framework64 directory on server, i.e. (Path)
How to configure Active Directory with SSO (Single Sign On)?
To configure Active Directory with SSO:
- Ensure that the Active Directory feature is enabled in your license.
- Ensure the following on SigningHub Admin Console:
Create a new connector for Active Directory, see details.
Create a new authentication profile for Active Directory authentication and disable the SigningHub ID if users don't want to use the SigningHub ID, see details.
Click the "Publish Changes" button.
- Ensure the following on the site of SigningHub Web IIS:
After successful deployment of SigningHub, register an Enterprise account with SigningHub ID. To implement Single Sign On for Active Directory, the following IIS configurations are required:
- Enable Anonymous and Windows Authentication - Click the "Server node > Authentication" and make sure "Anonymous Authentication" and "Windows Authentication" are enabled, and all the other authentications are disabled.
- Set Authentication-Windows to Read/Write - To enable this feature in IIS, click the Server node > Feature Delegation > Authentication - Windows
- Application pool settings - Make sure the following are set for the SigningHub web Application pool:
"Managed Pipeline Mode" is set to "Integrated"
".Net Framework version" is "v4.0"
"Identity" is set to default identity "ApplicationPoolIdentity"
- SigningHub Web > Basic Settings - Click the SigningHub Website in IIS and ensure that "Basic Settings" is set to "Application user (pass-through authentication)" and not to "Specific user"; otherwise, Active Directory will get the profile information of the specific user mentioned here.
- SigningHub Web > CGI - Click the SigningHub Website in IIS and double-click CGI. Set "Impersonate User" to "true" in order to authenticate the user from Windows.
- Internet Options trust settings - Open "Internet Options", go to "Security" > "Trusted sites" > "Sites", and add the IP of your SigningHub web deployment to your trusted sites.
After these configurations, restart IIS.
What can I do after the AD and SSO integration in SigningHub?
After the successful integration of AD and SSO, you can:
- Register with Microsoft Active Directory users - SigningHub allows direct registrations from the Microsoft Active Directory. Click here for details if you are using SigningHub v7, or click here if you are using any older version of SigningHub
- Supported login mechanisms - You can log into SigningHub through different authentication mechanisms. Click here for details if you are using SigningHub v7, or click here if you are using any older version of SigningHub
- Login through Microsoft Active Directory - You can log into SigningHub via your Active Directory credentials. Click here for details if you are using SigningHub v7, or click here if you are using any older version of SigningHub
- Configure Signature Settings for Active Directory - SigningHub enables you to configure the signature settings for your enterprise users. Click here for details if you are using SigningHub v7, or click here if you are using any older version of SigningHub
- Bulk Signing with Microsoft Active Directory - You can perform bulk signing with your active directory credentials. Click here for details if you are using SigningHub v7, or click here if you are using any older version of SigningHub
How can I handle the growing ADSS Server and SigningHub database temp db?
- Stop the SigningHub Core instance from Windows services panel
- Stop the ADSS Server Core, Console and Service instances from Windows services panel
- Launch the SQL Server management studio and connect to the database engine with relevant username and password
- Right click the respective database of SigningHub > Properties > Options
- Look for the property "Is Read Committed Snapshot On". Ensure that the value of this property is set to "False"
- Repeat steps 'a' and 'b' for ADSS Server database
- Start the ADSS Server Core, Console and Service instances from Windows services panel
- Start the SigningHub Core instance from Windows services panel
How to configure Dropbox with SigningHub?
You can configure Dropbox with SigningHub in three easy steps:
- Create a Dropbox connector in the SigningHub Admin console, see details.
- Configure that Dropbox connector as "Default Dropbox Connector" in the Global Settings of SigningHub Admin console, see details
- Start using your Dropbox documents from SigningHub web. Click here for details if you are using SigningHub v7, or click here if you are using any older version of SigningHub
How to configure Google Drive with SigningHub?
You can configure Google Drive with SigningHub in three easy steps:
- Create a Google Drive connector in the SigningHub Admin console, see details
- Configure that Google Drive connector as "Google Drive connector" in the Global Settings of SigningHub Admin console, see details
- Start using your Google Drive documents from SigningHub web. Click here for details if you are using SigningHub v7, or click here if you are using any older version of SigningHub
How to configure Worldpay with SigningHub?
You can configure Worldpay with SigningHub in three easy steps:
- Create a Worldpay connector in the SigningHub Admin console, see details.
- Configure that Worldpay connector as "Payment Gateway" in the Billing configurations of SigningHub Admin console, see details
- Start making your SigningHub payments through the Worldpay channel. Click here for details if you are using SigningHub v7, or click here if you are using any older version of SigningHub
How to migrate SigningHub from one machine to another?
This assumes the database server system is not being changed
- Get the package for the same version of SigningHub on the new machine
- Extract the SigningHub package on new machine
- Stop the IIS Server on existing SigningHub machine
- Go to location: [New-SigningHub-Installer]/setup directory and run the install.bat file by right clicking and choosing Run as administrator option
- On the SigningHub Installation Type dialog, select the option I want to install SigningHub using existing database
- Provide the credentials for the existing database that contains the SigningHub configurations
- Continue with the installation and click the Finish button to complete the installation. More detailed instructions can be found in section 5.3 of the SigningHub installation guide
- If there were load-balanced instance(s), repeat steps 1 to 7 on the rest of the SigningHub machines
- Once all installations are done, log in to SigningHub Admin > Configurations > Global Settings and configure the public URLs for SigningHub Web, API and Mobile Web.
- Edit the [New-SigningHub-Installer]/web/web.config file and replace the SigningHub Mobile URLs with the public SigningHub Mobile URLs in the rewrite element. Apply this change on all SigningHub instances if it is a load-balanced installation
- Edit the [New-SigningHub-Installer]/mobile/web.config file and replace the SigningHubApiURL value with the public SigningHub API URL. Apply this change on all SigningHub instances if it is a load-balanced installation
- Restart the IIS Service on all instances for the changes to take effect
- Now uninstall the SigningHub from the old machine(s) by following section 6 of SigningHub installation guide
Changing logging level for SigningHub
To change the debug logging level for SigningHub, modify the NLog.xml files present at the following locations for all instances (Web, API, Core & Admin) of SigningHub Enterprise and replace the value Info with Debug or Error as needed.
- Restart the IIS Server on all instances for the changes to take effect.
How to add a new font for signature appearance?
You can use fonts of your choice in your on-premises deployment by following these steps:
- Go to the [SigningHub-Installation-Directory]\default\fonts path and place your chosen font(s) there.
- Go to SigningHub Admin, edit the related Signing Profile being used in service plan, and select the added font from Text-based Signature Font. See details.
Save and close the Edit Signing Profile dialog.
- Publish the changes, see how.
How to change the default welcome document?
The Welcome document is a PDF that is shown as a Pending document to each newly registered user of your on-premises deployment for test signing. You can change the default welcome document as required. To do this:
- Go to the [SigningHub-Installation-Directory]\default\document path.
- Place your chosen PDF document there. Make sure your PDF document has an unassigned signing field.
Note: If multiple documents are added to the folder, SigningHub sorts them alphabetically and automatically picks the one that is listed at the top.
How to change certificate of a SigningHub Admin operator?
At times you need to change the certificates of your SigningHub Admin operators. To do this:
- Go to SigningHub Admin > Access Control
- Edit the required Administrator and browse a new certificate from Authentication Certificate, see details.
Save and close the Edit Administrator dialog.
How to change the certificate alias in SigningHub Admin for a particular end-user?
A signing certificate is used in conjunction with its alias to sign a document. The ownership of a certificate alias can either be protected by SigningHub, or a user may own their certificate and protect it with a password. In case a user has configured multiple signing capacities, then each signing capacity will have a unique certificate alias.
Certificate aliases are changed to allow SigningHub users to use their personal (any 3rd party signing) certificate for signing through SigningHub web. See how to change a certificate alias.
How to apply a patch on SigningHub on-premises deployment?
- Download the SigningHub patch file from the link that is provided by Ascertia Support and copy it on the SigningHub server.
- Extract the patch in a new folder.
- Take a backup of the existing SigningHub installation directory.
- Copy the patch files and paste them into the SigningHub installation directory. When asked, choose to overwrite the existing files.
- Restart the "World Wide Web Publishing Service/Internet Information Services" for the changes to take effect.
How to migrate data between an upgraded and a clean installation of SigningHub?
SigningHub makes use of a Data Encryption Key (DEK) which is used to encrypt all documents and personal information. When the Key Encryption Key (KEK) is turned on in the SigningHub Admin the DEK gets encrypted by the KEK assigned to the Client ID in ADSS Server > Client Manager > ClientID > Advanced Settings.
When decrypting data, the KEK will decrypt the DEK and the DEK will be used to decrypt the documents and personal information. When the KEK is switched off in SigningHub Admin and the KEK is available in ADSS Server, SigningHub will decrypt the DEK and then re-encrypt the DEK with a SigningHub KEK. This means that the DEK doesn’t change and it also means that you should be able to switch off the KEK in SigningHub admin, move and reconfigure SigningHub to the new ADSS Server and switch on KEK using the KEK generated on the new ADSS Server, therefore allowing you to remove the migrated ADSS Server.
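The rewrapping described above can be traced in code. This is an added illustration, not SigningHub or ADSS Server code: the page does not state the ciphers used, so an HMAC-SHA256 encrypt-then-MAC construction from the Python standard library stands in for them, and all function names, keys and the sample document are constructed.

```python
import hashlib, hmac, os

def _xor_stream(key, nonce, data):
    # Keystream from HMAC-SHA256 in counter mode (stand-in cipher, not for production).
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    stream = b"".join(
        hmac.new(enc_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def _tag(key, nonce, ct):
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    return hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def seal(key, plaintext):
    nonce = os.urandom(16)
    ct = _xor_stream(key, nonce, plaintext)
    return nonce + ct + _tag(key, nonce, ct)

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _tag(key, nonce, ct)):
        raise ValueError("wrong key or tampered data")
    return _xor_stream(key, nonce, ct)

def rewrap(wrapped_dek, old_kek, new_kek):
    """Swap the KEK: unwrap the DEK with the old key, wrap it with the new one."""
    return seal(new_kek, unseal(old_kek, wrapped_dek))

def demo():
    dek = os.urandom(32)
    old_adss_kek = os.urandom(32)   # KEK on the ADSS Server being retired
    local_kek = os.urandom(32)      # SigningHub KEK used while KEK is off in Admin
    new_adss_kek = os.urandom(32)   # KEK generated on the new ADSS Server
    document = seal(dek, b"constructed sample contract")  # never re-encrypted
    wrapped = seal(old_adss_kek, dek)
    wrapped = rewrap(wrapped, old_adss_kek, local_kek)    # KEK disabled in Admin
    wrapped = rewrap(wrapped, local_kek, new_adss_kek)    # KEK enabled, new server
    recovered = unseal(new_adss_kek, wrapped)
    try:
        unseal(old_adss_kek, wrapped)
        old_kek_still_works = True
    except ValueError:
        old_kek_still_works = False
    return recovered == dek, unseal(recovered, document), old_kek_still_works

if __name__ == "__main__":
    print(demo())
```

Only the small wrapped-DEK blob changes at each step; the stored document ciphertext is untouched, which is why the old ADSS Server can be removed once the DEK is wrapped under the new KEK.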
Steps completed for the testing in a local environment:
- Created a replica environment starting with SigningHub 6.5 with KEK (software) enabled
- Uploaded 10 documents, 5 of which were signed with 3 in progress and 3 in draft/pending states
- Upgraded using the wizard to 7.6 (KEK enabled)
- Uploaded an additional 10 documents, 5 of which were signed with 3 in progress and 3 in draft/pending state
- Disabled the KEK in SigningHub Admin
- Stopped ADSS Server services and restarted SH IIS to ensure cached KEK is flushed from memory
- Tested access to documents that were uploaded in both SH 6.5 and in SH 7.6
- Restarted ADSS Server services keeping KEK disabled
- Uploaded an additional 10 documents, 5 of which were signed with 3 in progress and 3 in draft/pending states
- Signed previous documents that were uploaded in the points above
- Migrated SigningHub 7.6 instance to use new ADSS Server Instance
- Enabled KEK in SigningHub Admin against the new ADSS Server instance
- Tested access to documents both new and old
- Created new workflows with documents that were signed and unsigned
- Tested access to both new and pre/post migration old documents
- Switched off KEK in SigningHub Admin again
- Stopped ADSS Server services
- Restarted SigningHub instance IIS
- Ensured all documents that have been uploaded in all stages above are accessible
In light of these test results, this worked as expected without any issues: we were able to access all documents, as the DEK stayed intact.
Please ensure that you take all the necessary backups and thoroughly test the change in your testing environment prior to proceeding with your Production environment. Additionally, it is highly advisable to exercise the necessary caution when completing this change.