...
To integrate Netheos identification into eSignAnyWhere, several components are in place. The entire integration is available out of the box; the architecture information below is provided for completeness and may help in understanding what follows.
Identification and OAuth IDP Configuration Guide
...
The configuration step covers registering a new Application in the IDHub administrative back-end and configuring platform settings such as the connection to Netheos (Trust&Sign) for IDHub. This step has to be performed by Namirial staff.
Login to IDHub
The login is performed using the MyNamirial account of a Namirial staff member. This account must be granted IDHub admin permissions before it can be used with these environments.
...
Netheos Tech Parameters
Netheos is a user identity verification (IDV) platform developed by Namirial. It offers identification flows such as Facematch Video Fast ("FMV-Fast"), which allow automatic or semi-automatic identification, when necessary (e.g. due to legal or technical requirements) with an agent who confirms the identification process. The configuration is optional and will be necessary only when using IDHub to connect with Netheos.
...
If you are used to working with multiple windows in parallel, you can create the eSAW-side configuration now and copy/paste the values directly. Otherwise, if you follow this manual step by step, you will need this information later.
eSAW Parameters
![](/download/attachments/113682883/image-2024-4-19_10-11-3.png?version=1&modificationDate=1713514263495&api=v2)
| Parameter | Description |
|---|---|
| Use eSAW | (yes/no): defines whether the OAuth provider is used with eSignAnyWhere. If declared to be used with eSignAnyWhere, it will fetch data from eSAW and - depending on further configuration - send evidence to the Audit Trail. |
| Issuer, JWKS URI, Authorization URI, Token URI | Meant to help configure the OAuth identity provider in eSignAnyWhere. Copy these URLs; you will need them in your eSAW configuration. If you are used to working with multiple windows in parallel, you can create the eSAW-side configuration now and copy/paste the values directly. Otherwise, if you follow this manual step by step, you will need this information later. |
| Requires phone number for disposables | This checkbox changes the behavior of IDHub. If the phone number was not specified before, IDHub will actively ask the signer to provide his phone number. |
Identity Provider
On this page, select which external identity provider is offered through an OAuth interface for this specific identity provider configuration (= OAuth application).
...
In the processes tab, you see ongoing and completed identification processes (i.e. instances of identification).
Step 3: Configure eSignAnyWhere Identity Provider Configuration
...
| Parameter | Value | Field Property Path | Mode | Data Field | Comment |
|---|---|---|---|---|---|
| Provider Name | e.g. "Netheos Facematch" | | | | Will be shown in eSAW to select the authentication/identification method, and will be shown to the signer in authentication method selection. |
| Client Id | (use the client ID created in step 2. It should have been provided by Namirial sales or presales team) | | | | TEST ClientID for Christoph's Test Org: 09c11f68-2212-4a91-8070-105ba414fc71 |
| Client Secret | (use the client secret created in step 2. It should have been provided by Namirial sales or presales team) | | | | TEST Client Secret for Christoph: Slack message LR to CB, Tue 26/04/2022 in combination with above's Client ID |
| Scope | openid profile email trustsign | | | | |
| Authorization URI | https://esaw-ts-api-demo.namirial.com/identityserver/connect/authorize | | | | |
| Token URI | https://esaw-ts-api-demo.namirial.com/identityserver/connect/token | | | | |
| Logout URI | | | | | |
| JSON Web Token (JWT) Configuration | | | | | |
| JWKS URI | https://esaw-ts-api-demo.namirial.com/identityserver/.well-known/openid-configuration/jwks | | | | |
| Issuer | https://esaw-ts-api-demo.namirial.com/identityserver | | | | |
| Add 'nonce' parameter | Off | | | | |
| Validate audience | Off | | | | |
| Validate issuer | On | | | | |
| Validate lifetime | On | | | | |
| Field Mapping | | given_name | Validate | Recipient First Name | Note that this is a validation rule to ensure that the signer is the one whom the sender defined. When providing an UPDATE rule for the given field, IDHub currently returns "Invalid parameter 'firstName' format (Invalid value)". |
| Field Mapping | | family_name | Validate | Recipient Last Name | Note that this is a validation rule to ensure that the signer is the one whom the sender defined. |
| Field Mapping | | identification_type | Update | Disposable Certificate Identification Type | |
| Field Mapping | | document_type | Update | Disposable Certificate Document Type | |
| Field Mapping | | identification_number | Update | Disposable Certificate Identification Number | |
| Field Mapping | | phone_number | | Disposable Certificate Phone Number | |
| Field Mapping | | issuing_country | Update | Disposable Certificate Document Issuing Country | |
| Field Mapping | | issued_by | Update | Disposable Certificate Issued By | 20220530: not available in demo process! If left out, it has to be set by the sender in eSAW. Depending on TSP rules, it might be allowed to use a static value which refers to Trust&Sign. |
| Field Mapping | | document_number | Update | Disposable Certificate Document Number | |
| Field Mapping | | identification_country | Update | Disposable Certificate Identification Country | |
| Field Mapping | | issued_on | Update | Disposable Certificate Document Issued On | 20220530: not available in demo process! Depending on TSP rules, it might be allowed to use some artificial value if a Trust&Sign process that doesn't return this date is approved. |
| Field Mapping | | expiry_date | Update | Disposable Certificate Document Expiry Date | |
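How the JWT checks and the Validate/Update field-mapping rules from the table above interact, as an added Python illustration (not eSignAnyWhere or IDHub code). It assumes the token signature was already verified against the JWKS URI, that Validate means an exact match with the sender-defined recipient data, and that Update writes the claim into the data field; `apply_claims` and the sample values are hypothetical.

```python
import time

# Settings taken from the JWT Configuration rows of the table above.
ISSUER = "https://esaw-ts-api-demo.namirial.com/identityserver"
VALIDATE_ISSUER, VALIDATE_LIFETIME = True, True

# (claim, mode, data field): a subset of the Field Mapping rows.
FIELD_MAPPING = [
    ("given_name", "Validate", "Recipient First Name"),
    ("family_name", "Validate", "Recipient Last Name"),
    ("document_type", "Update", "Disposable Certificate Document Type"),
    ("issued_by", "Update", "Disposable Certificate Issued By"),
]


def apply_claims(claims, recipient, now=None):
    """Return (updated data, fields left unset); raise ValueError on rejection.

    Assumption: the signature was already checked against the JWKS URI.
    """
    now = time.time() if now is None else now
    if VALIDATE_ISSUER and claims.get("iss") != ISSUER:
        raise ValueError("issuer mismatch")
    if VALIDATE_LIFETIME and not (claims.get("nbf", 0) <= now < claims.get("exp", 0)):
        raise ValueError("token outside its lifetime")

    result, unset = dict(recipient), []
    for claim, mode, field in FIELD_MAPPING:
        value = claims.get(claim)
        if mode == "Validate":
            # Assumed semantics: the claim must equal what the sender entered.
            if value is None or value != recipient.get(field):
                raise ValueError(f"{claim} does not match {field}")
        elif value is None:
            # e.g. issued_by, which the demo process does not return;
            # the sender then has to set the field in eSAW.
            unset.append(field)
        else:
            result[field] = value  # Update: the claim fills the data field
    return result, unset


# Constructed sample data, not real IDHub output.
SAMPLE_CLAIMS = {"iss": ISSUER, "nbf": 1000, "exp": 2000, "given_name": "Ada",
                 "family_name": "Lovelace", "document_type": "PASSPORT"}
SAMPLE_RECIPIENT = {"Recipient First Name": "Ada", "Recipient Last Name": "Lovelace"}

if __name__ == "__main__":
    print(apply_claims(SAMPLE_CLAIMS, SAMPLE_RECIPIENT, now=1500))
```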
...
- Netheos (in this configuration) does NOT offer a phone number. Therefore, the checkbox in IDHub must be enabled to ask for the phone number. Otherwise it cannot be set as an UPDATE rule in e.g. another identification configuration which is used as a backup option.
Usage
- Create a new envelope
- Select the document(s) to be signed
- Open the Authentication/Identification section
- Add the OAuth Identification method "Netheos Trust&Sign"
- If indicated, place a signature field on the Designer page and select the signature method "Disposable Certificate".
Screenshots
(passport picture taking)
...
Backoffice Approval
If the process includes a backoffice approval step, an operator has to log in to the Netheos agent portal and approve the transaction.
...
|
Production | communicated during project |
![](/download/attachments/113682883/image2022-5-30_18-50-17.png?version=1&modificationDate=1653929417312&api=v2)
![](/download/attachments/113682883/image2022-5-30_18-51-28.png?version=1&modificationDate=1653929488889&api=v2)
Technical Appendix
...