...
Add the following field mapping configurations:
Field property path | Validate/Update | Data Field |
---|---|---|
given_name | Update | Recipient First Name |
family_name | Update | Recipient Last Name |
['urn:pvpgvat:oidc.bpk'] | Update | Disposable Certificate document type |
Please note that the disposable certificate identification number will be updated with this configuration. If you want to override the identification number as it is shown in the configuration please also make sure to add a disposable certificate for the signer.
...
The OAuth provider might not be visible on the login page, depending on the setting "Share on login page" in Step 5.
Use the "Direct access url" instead.
OAuth 2.0 (ADFS 2016)
Step 1: Create an Application Group in AD FS 2016 and later
In AD FS Management: Choose Add Application Group from under Application Groups.
Give a name and choose Server application accessing a web API from the Template. It is under the category Client-Server applications.
Copy the Client Identifier and keep it somewhere. This is needed later.
Add the Redirect URI by pasting it and clicking add.
Click next and then enable the checkbox Generate a shared secret. Copy this secret and then click next.
Add the Client Identifier from step 3 under Identifier and click next.
Choose access control policy as required. Default is Permit everyone. Click Next.
Accept the default selection of openid under permitted scopes and click next. Other ones like email and allatclaims can also be selected if needed.
Check summary and close.
Step 2: Pass necessary values
- Choose the Application Group that was created earlier and click on Properties.
- Edit the Web API Application
- Choose the Issuance Transform Rules tab.
- Create a rule which passes the necessary values like Email, Display Name etc.
Step 3: Web Application Proxy
If you are using Shared SaaS or Private SaaS, please make sure that your ADFS endpoint is available publicly since the server needs to access the URIs. Also, the endpoint should have a public certificate.
Windows Application Proxy server can be setup as per the instructions at https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn383662(v=ws.11)
Step 4: Configure eSignAnyWhere
- Login to eSignAnyWhere with a user that has administrative permissions on your Organization.
- Open the Settings > Identity Providers page and add new OAuth Settings for User Authentication.
- Note in case of ADFS that there are no forward slashes at the end. A mistake with the URL will result in the setup not working.
Provider Name | If "Share on login page" is enabled, this name will be displayed on the login page, so make sure it identifies your organization. e.g.: ADFS Oauth for <Organization name> |
Direct access url | If "Share on login page" is disabled, this link is needed to login to eSignAnyWhere with OAuth 2.0. Make sure you bookmark this link. |
Redirect Url | This is already set and has to be added in the Application Group. We already entered this URL in Step 1. Make sure it is the correct URL. |
Client Id | your Client Identifier from Step 1 |
Client Secret: | The shared secret that you saved earlier. |
Scope: | openid email |
Authorization URI: | https://FQDN/adfs/oauth2/authorize |
Token URI: | https://FQDN/adfs/oauth2/token |
Logout URI: | can be blank |
Share on login page | Depending on the server settings this property might not be visible to you. If enabled your provider name will show up on the login page. |
JWKS URI: | https://FQDN/adfs/discovery/keys |
Issuer: | Click on "Add field" and enter "email" and map it to "User Email Address" |
- Click on Update to save the configuration
- Click on the slider to enable the OAuth provider
Step 5: Add OAuth provider to existing users
- Login to eSignAnyWhere with a user that has administrative permissions on your Organization.
- Open the Settings > Users page and edit the user you want to add the OAuth provider to
- Under OAuth assignments click on the + icon and choose your previously created OAuth provider
- The user will now get a validation email to finish the setup.
Step 6: Login to eSignAnyWhere using OAuth 2.0
The OAuth provider might not be visible on the login page, depending on the setting "Share on login page" in Step 4.
Use the "Direct access url" instead.
MyNamirial Account
Step 1: Request registration of a new Application in MyNamirial
...