Versions Compared

...

  1. Log in to eSignAnyWhere with a user that has administrative permissions on your Organization.
  2. Open the Settings > Identity Providers page and add new OAuth Settings for User Authentication.
Provider Name: If "Share on login page" is enabled, this name is displayed on the login page, so make sure it identifies your organization, e.g. "Azure AD for <Organization name>".
Direct access url: If "Share on login page" is disabled, this link is needed to log in to eSignAnyWhere with OAuth 2.0. Make sure you bookmark this link.
Redirect Url: This is already set and has to be whitelisted on Azure AD. We already entered this URL in Step 2; make sure it is the correct URL.
Client Id: your "Application (client) ID" from Step 1
Client Secret: your secret's value from Step 3
Scope: openid email
Authorization URI: your authorization_endpoint from Step 4 or simply https://login.microsoftonline.com/<Directory (tenant) ID>/oauth2/v2.0/authorize
Token URI: your token_endpoint from Step 4 or simply https://login.microsoftonline.com/<Directory (tenant) ID>/oauth2/v2.0/token
Logout URI: can be blank
Share on login page: Depending on the server settings this property might not be visible to you. If enabled, your provider name will show up on the login page.
Resource Parameter: oauth2_access_token
Resource URI: your userinfo_endpoint from Step 4 or simply https://graph.microsoft.com/oidc/userinfo (oauth_token)

Click on "Add field", enter "email" and map it to "User Email Address".

  3. Click on Update to save the configuration.
  4. Click on the slider to enable the OAuth provider.

...

Facebook Developer: https://developers.facebook.com
Permissions: https://developers.facebook.com/docs/facebook-login/permissions/
Facebook API: https://developers.facebook.com/docs/graph-api/using-graph-api/

OAuth 2.0 (eSAW)

Info

Only On-Premise customers can configure the app themselves (Step 1 below). Otherwise please contact us.

Step 1: Create a new OAuth App

...

in eSAW AdminWeb 


Info

Only customers running their own On-Premise instance configure the OAuth Application (i.e. the authentication method on the identity provider side) themselves. On Private-SaaS and Shared-SaaS instances, ask Namirial staff to create this app on the OAuth identity provider side for your instance.

Create a new app in eSAW. You can find the OAuth settings in the section OAUTH APPS. You can configure the app with the following settings:

  • Logo (optional)
  • Name
  • Description
  • Redirect Urls
    • The allow-list of redirect URIs depends on which external environments want to authenticate using eSignAnyWhere Login as authentication method.
    • When configuring Signer Authentication for eSignAnyWhere using the eSignAnyWhere OAuth Identity Provider, the URI is shown in the WebUI where you are configuring the authentication method (see Step 2, value "Redirect Url").
    • When configuring WebUI User Authentication for eSignAnyWhere using the eSignAnyWhere OAuth Identity Provider (e.g. to log in using eSAW credentials from another instance), the URI is shown in the WebUI where you are configuring the authentication method (similar to Step 2, but in the section "User Authentication").
  • In the settings you can also find the Client id and the Client Secret, which are both necessary in the next steps.

Step 2: Configure Signer Authentication using eSignAnyWhere

This configuration allows the sender of an envelope to define that the signer has to authenticate with an eSAW WebUI login before getting access to the document.

Open the Settings > Identity Providers page and add a new OAuth 2.0 provider. Enter the eSAW app credentials as below.

Client ID: your eSAW app Client ID (from Step 1)
Client Secret: your eSAW app Client Secret (from Step 1)
Scope:
Authorization URI: https://<your-instance-url>/Auth/Authorize
Token URI: https://<your-instance-url>/ApiToken/Retrieve
Logout URI:
Resource Parameter: oauth_token
Resource URI: https://<your-instance-url>/api/v5/user/me?fields=Email


The Resource URI allows you to define a validation rule that ensures the recipient themselves performs the login (and not just any account on that instance).
Therefore, configure a validation rule comparing the value "Email" (returned from the Resource URI) against the recipient's email address. The Resource URI returns a JSON object with the specified parameters; these parameters can be defined in the fields to force a specific eSAW user to authenticate (e.g. by email address).

Example response of the user/me endpoint, containing the data which can be used for data validation rules:


We recommend configuring Resource URIs. If you configure a Resource URI, it returns a JSON object with the specified parameters. These parameters can be defined in the fields to force a specific eSAW user to authenticate (e.g. by email address). HINT: to see what data is returned by the Resource URI, send yourself an envelope and have a look at the audit trail. It contains the returned object with its parameters. You can find a sample configuration in the next figure:

In the figure shown above the Resource URI returns the profile data from the following URI: https://demo.esignanywhere.net/api/v5/user/me. With the optional configuration of "Fields" you can define the fields that are checked during authentication. So you can force a specific user (e.g. identified via email, id or birth date) to authenticate; other users are not accepted. In the figure above we configured one field with the email address of the user and added the field in the URI. As response for this URI we get the following data, shown in the audit trail:

```json
{
  "Id": "39cbe455xxxxxx",
  "Email": "j.doe@example.com",
  "FirstName": "John",
  "LastName": "Doe"
}
```
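As an added example (not eSAW's own code), here is the validation rule Step 2 describes, applied to a response of the shape shown above: each configured field must equal its expected value, and a field missing from the response fails closed. The function names and the case-insensitive, whitespace-trimmed comparison are my assumptions, not documented product behaviour.

```python
from __future__ import annotations
import json
from typing import Any, Mapping

# Constructed sample: the JSON the user/me Resource URI returns for the
# logged-in signer (same shape as the page's example response above).
SAMPLE_USER_ME = json.loads("""
{
  "Id": "39cbe455xxxxxx",
  "Email": "j.doe@example.com",
  "FirstName": "John",
  "LastName": "Doe"
}
""")


def _normalize(value: Any) -> str:
    # Assumption: values are compared case-insensitively and without surrounding
    # whitespace, so "J.Doe@Example.com " still matches the recipient address.
    return str(value).strip().casefold()


def validate_resource_response(resource_json: Mapping[str, Any],
                               rules: Mapping[str, str]) -> tuple[bool, list[str]]:
    """Apply "field must equal expected value" rules to the Resource URI response.

    rules maps a field name in the returned JSON (e.g. "Email") to the value it
    must have (e.g. the envelope recipient's e-mail address). Every rule must
    hold; a field missing from the response is a failure, so the check fails
    closed if the identity provider omits the attribute. Returns (accepted,
    list of failure reasons suitable for the audit trail).
    """
    failures: list[str] = []
    for field, expected in rules.items():
        if field not in resource_json:
            failures.append(f"field '{field}' missing from resource response")
            continue
        actual = resource_json[field]
        if _normalize(actual) != _normalize(expected):
            failures.append(f"field '{field}' is '{actual}', expected '{expected}'")
    return (not failures), failures


def signer_may_access(resource_json: Mapping[str, Any], recipient_email: str) -> bool:
    """The rule the page recommends: the returned Email must equal the recipient's."""
    accepted, _ = validate_resource_response(resource_json, {"Email": recipient_email})
    return accepted
```

With an empty rule set the function accepts any logged-in user, which corresponds to the "just enforce that someone performs the login" scenario; the returned reasons are what you would want written to the audit trail on rejection.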


Please see the following figure for more information about the configuration in eSAW:

(Hint: in some older product versions, these settings were located in Settings > Organization, section "OAuth Settings".)


The response of the Resource URI is also logged in the audit trail (which may be important in scenarios where you only enforce that someone performs the login, without validating for a specific user email):

If the user is not allowed to authenticate, the following error appears:

If authentication was successful, the signer is logged in and the SAW Viewer grants access to the document.
After a successful login, the granted access for the OAuth Application is shown in Settings > Api Tokens and Apps, in the section Apps and Connectors. Please see the next figure:

For more information about the signing process in eSAW please also see the next video:

(Video: OAuth_full_edit.mp4)

Force a specific user to authenticate via API

You can force a specific user to authenticate via checks in the authenticator (based e.g. on user id or email). Via the API you configure the authentication with a "check".

...