Page Comparison

OAuth2 enables you to configure an external authentication method, such as LinkedIn or Facebook. In this section you find how to configure them.

...

Image Modified

Authenticate with Facebook

...

The configured Ressource URI returns a JSON object with the specified parameter. These parameters can be defined in the fields to force a specific LinkedIn user to authenticate (e.g. email address). HINT: to see what data is returned in the Ressource URI send yourself an envelope and have a look in the audit trail. It contains the returned object with its parameter. Note: Parameter in Ressource URI of LinkedIn is not the same in the result (email vs. emailAddress).

Image Modified

The Ressource URI will return data of the profile. With the “Graph API Explorer” you can build and test your own profile requests. With the optional configuration of “Fields” you can define fields, which are checked for authentication. So you can force a specific user (e.g. identified via email, id or birthdate) to authenticate. Other users are not accepted.

...

Please see the following figure for more information about the configuration in eSAW:

Image Modified

(Hint: in some older product versions, this settings had been located in Settings-Organization, section "OAuth Settings").

...

If authentication was successful, the signer will be logged in and SAW Viewer will grant access to the document.
After a successful login, the granted access for the OAuth Application is shown in Settings->Api Tokens and Apps in the section Apps and Connectors:
Image Modified  

For more information about the signing process in eSAW please also see the next video:

...

• Request to create an OAuth application for the LIP OAuth Wrapper for a code grant flow with eSignAnyWhere. You need to receive, as result of the request, a client_id and client_secret.
  Note that the LIP OAuth Wrapper is an optional add-on to eSignAnyWhere and must therefore be installed on the eSAW instance as a precondition.
• eSignAnyWhere redirect URI which needs to be whitelisted in the MyNamirial configuration
  
  • https://<your-esaw-instance>/...
• Provide your eSignAnyWhere organization's customization ID, and which LiveID+ organization and LiveID+ process should be linked with it

Step 3: Configure eSignAnyWhere

1. Login to eSignAnyWhere with a user that has administrative permissions on your Organization.
2. Open the Settings > Identity Providers page and add new OAuth Settings for Signer Authentication.

https://<your-esaw-instance>/OAuthWrapperLiveIdPlus/Jwk/getJwks

And then configure the following field mappings:

...

It will therefore necessary to mention the "OAuth Redirect URI" to SignD, to perform the necessary whitelisting. The URI can be seen in your eSAW Instance, Settings - Identity Providers, when creating a new Signer Authentication.
As a result, you will receive client_id and client_secret.

Step 2: Configure eSignAnyWhere

1. Login to eSignAnyWhere with a user that has administrative permissions on your Organization.
2. Open the Settings > Identity Providers page and add new OAuth Settings for Signer Authentication.

...

https://eid2.oesterreich.gv.at

...

After setting these values, the JWT and field mapping configuraiton should look similar to the following screenshot.

Image Modified

Please note that the disposable certificate identification number will be updated with this configuration. If you want to override the identification number as it is shown in the configuration please also make sure to add a disposable certificate for the signer.

Image Modified

Production Environment - USP Service "E-ID Serviceprovider"

Registration steps are similar to the one explained above for the test environment. Note that it requires for production use an acceditation and approval process triggered via USP, which may take some time.
Configuration is similar to the settings described above for "E-ID Serviceprovider (Q)" but with following changes (in short: "eid" instead of "eid2" in all URIs):

https://eid.oesterreich.gv.at

...

Please also see the next figures for the OAuth2 configuration and the JWT configuration:

Image Modified

Image Modified

Add the following field mapping configurations:

...

1. Sign in to the Azure portal.

2. If you have access to multiple tenants, use the Directories + subscriptions filter  in the top menu to switch to the tenant in which you want to register the application.

3. Search for and select Azure Active Directory.

4. Under Manage, select App registrations > New registration.

5. Enter a display Name for your application (e.g. "my-eSAW-Authenticator").
   Users of your application might see the display name when they use the app, for example during sign-in.
   You can change the display name at any time and multiple app registrations can share the same name.

6. Specify who can use the application (e.g.: "Accounts in this organizational directory only")

7. Don't enter anything for Redirect URI (optional). You'll configure a redirect URI in the next section.

8. Select Register to complete the initial app registration.

When registration finishes, the Azure portal displays the app registration's Overview pane.

You need two details from that page that you should now copy for later usage:

• Application (client) ID
• Directory (tenant) ID

...