SigningHub for SharePoint

Securely send, sign, verify and track documents directly from their SharePoint document libraries

The SigningHub for SharePoint solution enables users to securely send, sign, verify and track documents directly from their SharePoint document libraries from any Internet connected location. The SigningHub App uses the standard Microsoft integration model and is available from the SharePoint app store so no integration is required. The SigningHub app is fast and easy to install and supports enterprise-level controls.

The SigningHub App synchronously connects SharePoint to SigningHub using RESTful web services, using JSON for optimised performance. To ensure a comprehensive and seamless experience for SharePoint users, Ascertia’s SigningHub provides these additional features:

  • Active Directory integration – ensuring that SigningHub user accounts can be automatically created and managed in sync with the corporate Active Directory and allowing the automatic re-use of existing corporate credentials.
  • PDF signing – viewing, signing and verifying PDF documents using long-term digital signatures. Documents using other formats are automatically converted into PDF/A and then signed using long-term PDF signatures.
  • Microsoft Dynamics integration – ensuring contracts and other important documents can be sent, reviewed and signed directly from the Microsoft Dynamics environment.
  • Azure Cloud Platform – ensuring SigningHub Enterprise version can be deployed easily in your private Azure Cloud for high availability, scalability and security.
  • Azure Key Vault HSM – enhancing the protection of user signing keys inside the Azure Key Vault FIPS 140-2 Level 2 and CC EAL4+ compliant cloud-based HSM (a more cost-effective solution than providing users with locally held smartcards or secure USB tokens).

Solution Architecture

The following diagram summarises how the SigningHub App for SharePoint can use the flexibility and power of SigningHub to allow internal or external users to view and sign documents held within SharePoint:

From within SharePoint, a user can push a document to SigningHub for signing by one or multiple users who may be either internal or external to the organisation. SigningHub sends an email notification to each signer when it is their turn to sign.

External users can log in directly to SigningHub to view and sign documents using AD or other authentication options.
Internal users can either:

  • Open the document within SharePoint and use the tightly integrated SigningHub “View and Sign” page to read and then digitally sign the document, or
  • Login directly to SigningHub to view and sign the document.

Users can sign with one of these signature types:

  • An e-signature secured with a SigningHub long-term digital witness signature;
  • An e-signature secured with the user’s own unique long-term digital signature;
  • An e-signature image only.

When using unique digital signature keys for each user, these keys can be held:

  • Securely on the SigningHub server in software, or for greater trust, within HSM hardware (including the Azure Key Vault Cloud HSM);
  • Securely within a local smartcard or USB token typically for High-Trust or Qualified Certificates (or less securely in the Windows software key store);
  • Securely within a mobile device (ask for third party interoperability options).

SigningHub works with SharePoint Online or SharePoint Server 2013 (Foundation, Standard, or Enterprise). The user only requires a modern HTML5 browser such as Internet Explorer 9+, Firefox 3+, Chrome 10+, Safari 10+ etc. If local signing is to be supported then JRE 8 also needs to be enabled in the user’s browser to support our signed Java Go>Sign Applet.

Signing and Sharing

The SigningHub for SharePoint App enables SharePoint users to prepare documents for review and digital signature approval. A new signature field is created for each signer or existing fields can be assigned before the document is shared. Each signature field identifies the email address of the signer and an email notification is sent to each signer when it is their turn to sign the document.

To simplify and automate the document preparation phase, the document owner can select an existing Enterprise or private workflow template. The template configures the document for sign-off by adding signature fields in the correct position with correct signer details etc. The document owner can still make updates to the template if required before sending the document, for example changing the signer details.

The template also identifies whether each signature field is to be e-signed, e-signed with a long-term witness digital signature or e-signed with a unique per-user long-term digital signature. The owner can also set specific permissions for each user, such as allowing or denying printing and downloading, setting embargo dates, or forcing the use of strong authentication before signing.

The User Experience

The SigningHub for SharePoint user experience can be described in terms of:

  • Preparing Documents for Sign-off
  • Checking Document Status
  • Signing and Verifying Documents

Preparing Documents for Sign-off

In this initial step of document preparation, the user logs into SharePoint and opens a document library:

The user selects a document requiring sign-off and clicks the Share button from the SigningHub ribbon or from the right-click menu. A new screen is shown that allows the recipients to be defined.

The Add Recipients button allows the document owner to add users who will be asked to view and sign this document. The list of users is taken from the SharePoint Online contact list or for on-premise deployment the recipient list can be obtained from Active Directory.

Once the user clicks on the “Prepare” button, the document is pushed to SigningHub and shown in an iFrame within SharePoint. From this view the user can select a particular document workflow template. This will automatically create the signature fields for all the signatories for this type of document and make all the necessary configurations for the approval workflow.

If required the document owner can still add additional signers using contacts held within SigningHub or override other template defined settings if the template permissions allow this.

Note: the SigningHub viewer shows the document in a flattened image mode so that a modern HTML5 browser on any desktop, tablet, or mobile device can be used.

Checking Document Status

The SigningHub for SharePoint App enables SharePoint users to review the status of the documents they own. They can see if a document is waiting for someone to sign, if someone has signed or refused to sign, or if it is completed. Simply by clicking the Check Status button a list of documents and their current status is displayed as shown below. Users can also view and sign the document using the View Document button.

Signing and Verifying Documents

SigningHub for SharePoint App provides two options for how users can sign a document:

  • Internal users can sign from within the SharePoint environment. There are two possibilities:
    • Sign an already shared document; user clicks the Check Status button in the SharePoint ribbon. From the document status screen, user clicks on the View Document button to view and sign the document.
    • Sign now; user selects a document and then clicks the Sign button in the SharePoint ribbon which opens the document to sign.
  • External users can follow the link in the email notification and see the document in the SigningHub “view and sign” browser window after authenticating themselves with SigningHub.

Ultimately both options operate the same way: in the first case the SigningHub view and sign screen is shown within a SharePoint iFrame, and in the second case it is directly managed by SigningHub.

The “view and sign” screen is shown below. The yellow navigation guide is highlighting the next action which is to sign the next recipient’s highlighted signing field.

To sign the user can click the signature field or click the “Sign Now” button in the right hand panel. In either case, a signature confirmation panel is shown:

An e-signature image can be drawn using the mouse or a stylus on a touch screen, or a font-based script signature can be used. Alternatively, an uploaded scanned image of the user’s e-signature can be used.

For e-signatures backed with unique per-user digital signatures, the signing password must also be entered. This authenticates the user’s access to the signing key and ensures the signature is a wilful signing act from a legal perspective. An optional, configurable “signature legal notice” can also be shown where required, for example to be FDA 21 CFR 11 compliant. A long-term digital signature is created and embedded in the document as defined by the user’s signature appearance. More secure user authentication using 2-factor techniques can also be used, e.g. sending a One Time Password (OTP) to the user’s registered mobile phone, or other options.

When using a smartcard or USB token (a qualified signature creation device), the signing PIN will be requested and if entered correctly the signature will then be computed and applied.

Once a digital signature has been created and embedded, the signed document is re-displayed to the signer:

The signature appearance printed on the page is configurable and defined by the user’s service plan or by the user themselves. This can be an e-signature only, the e-signature image and company logo, or the e-signature with printed signature details as shown in the example above.

If there have been any unauthorised changes to the document then the signature is shown with a red “X” icon. All digitally signed documents can be verified within the SigningHub document viewer. They can also be downloaded and verified within Adobe® Reader software, which is the ubiquitous software for reading PDFs. Other PDF viewers that understand ISO 32000 PDFs and ETSI PAdES digital signatures can also be used. As SigningHub can generate long-term signatures including timestamps and the signer’s certificate status information, all digital signatures can be verified many years into the future beyond the certificate expiry date. This is a key requirement for business documents that must be shown to be unchanged into the future. The next screen image shows what happens when this signature field is clicked and the signature is verified:

The details of the long-term signature are set out clearly to be easy to understand.

Completed Documents

Once the document workflow completes, SigningHub sends the fully signed document back to SharePoint and it is stored in a folder called “SigningHub Documents”. This folder is automatically created in the same SharePoint document library that contained the original unsigned document.

User Authentication Options

Internal Windows users are authenticated using their Active Directory corporate domain credentials and thus seamlessly access SigningHub from within SharePoint.

External users must log on to SigningHub and authenticate using one of the supported authentication options, which include the use of external identity providers based on OAuth. SigningHub v6.2 will support the use of Active Directory Federation Service (ADFS) and other SAMLv2 providers.

Further Information

Speak to Ascertia at info@ascertia.com or your local reseller partner for more information.