This article describes how to get started with Nexus GO Federated Signing. To get you up and running, Nexus will configure the service for you, including the identity providers (IdP) and service providers (SP) you want to use.
You can implement signing operations in your web application using the Signing service and the Support service that are provided with Nexus GO Federated Signing. For more information, see the section Nexus GO Federated Signing.
Order and get started with the service
To start using Nexus GO Federated Signing, you must order the service from Nexus, and prepare the configuration files that are required by the Signing service, which is hosted by Nexus, and the Support service, which in this example is hosted by you:
- Prepare the signing validation certificate and the metadata for the signing federation:
  - Prepare metadata for the one or multiple SAML IdPs to be used. See the following example: Example: EntitiesDescriptor.xml
  - Create a signing key and a self-signed signing certificate. Here is an example of how to create a signing key and certificate with OpenSSL:
    - The private signing key is used by the Support service to sign the requests sent to the Signing service.
    - The public signing certificate is used by the Signing service to validate the integrity and authenticity of the signed requests sent by the Support service.
    - On Windows you may have to use the format "//CN=sign-support TEST" for the subject in the OpenSSL command.
  - Select an entity ID to identify your web application (the signing requester), preferably including your domain name, for example urn:sign-requester:test.example.com.
- Contact Nexus to order the Signing service and the Support service, and provide the following information as defined in the previous step:
  - IdP metadata, for example EntitiesDescriptor.xml
  - Signing certificate, for example signing-certificate.pem. Make sure you do not include the private key file.
  - Entity ID, for example urn:sign-requester:test.example.com
- In reply, Nexus provides the following:
  - Validation certificate, used to validate the signing response
  - Signing service entity ID
  - Signing URL, see the sequence diagram here for more information
  - Signing service SAML service provider (SP) metadata, so that you can add trust to the signing SP in your IdP
- When you have received the reply from Nexus, create a configuration file called profile.json:
  - Copy the following content to a new file profile.json: Example: profile.json
  - Edit the file profile.json as follows:
    - Set signRequesterEntityId to the unique entity ID of the signing requester.
    - Set signResponseReturnUrl to the endpoint in your web application (the signing requester) that should receive the signing response.
    - Set signServiceEntityId to the unique entity ID of the Signing service, as provided by Nexus.
- Copy the following files to the folder to be mounted, for example c:/sign-support/test/files/ (see the Support service Docker container example below):
  - The provided validation certificate
  - Your signing certificate and signing key
- Add trust to the Signing service SP:
  - Add the provided SP SAML metadata as a trusted SP in your IdP.
- Start the Support service Docker container, for example:
  The Support service Docker image is available here: https://hub.docker.com/r/technologynexus/sign-support/
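The first step above asks you to create the signing key and self-signed certificate with OpenSSL and then send only the certificate to Nexus. The following shell script is an added example, not part of the Nexus documentation: it generates the key pair and certificate, checks that the file you intend to share contains no private key block, and verifies that the key and certificate actually belong together. The file names signing-key.pem and signing-certificate.pem, the 3072-bit RSA key size and the three-year validity are assumptions; the subject /CN=sign-support TEST follows the Windows hint above.

```shell
#!/bin/sh
# Added example (not from the Nexus documentation): create the Support service
# signing key and self-signed signing certificate with OpenSSL, then run the
# checks worth doing before the certificate is handed to Nexus.
# Assumed file names: signing-key.pem stays in your mounted folder,
# signing-certificate.pem is the only file sent to Nexus.

# Generate an RSA key and a self-signed certificate in the given directory.
# -nodes leaves the key unencrypted so the Support service can load it from
# the mounted folder; keep that folder's permissions tight.
generate_signing_material() {
    dir="$1"
    openssl req -x509 -newkey rsa:3072 -sha256 -nodes -days 1095 \
        -subj "/CN=sign-support TEST" \
        -keyout "$dir/signing-key.pem" \
        -out "$dir/signing-certificate.pem" 2>/dev/null
}

# Return 0 only if the file holds a certificate and no private key block.
# This catches the common mistake of sending a combined key+cert PEM.
cert_file_is_safe_to_share() {
    file="$1"
    grep -q "BEGIN CERTIFICATE" "$file" || return 1
    if grep -q "PRIVATE KEY" "$file"; then
        return 1
    fi
    return 0
}

# Return 0 if the private key and the certificate carry the same public key,
# i.e. the key you mount is the one Nexus will validate requests against.
key_matches_certificate() {
    key_pub=$(openssl pkey -in "$1" -pubout -outform PEM 2>/dev/null)
    cert_pub=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null)
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# Usage (run manually):
#   generate_signing_material /path/to/files
#   cert_file_is_safe_to_share /path/to/files/signing-certificate.pem && echo "ok to send"
#   key_matches_certificate /path/to/files/signing-key.pem /path/to/files/signing-certificate.pem
```

Run the three functions in that order; if cert_file_is_safe_to_share fails on the certificate file, recreate it rather than editing the file by hand, and if key_matches_certificate fails you are about to mount a key that does not correspond to the certificate Nexus holds.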
Now you are ready to sign PDF and XML documents.
To explore the Support service API, open the following URL in your browser: