In a federated signing model, different identity providers (IdPs) and services can be connected to the signing service in a flexible way.
Nexus GO Federated Signing provides secure authentication and a remote signature service to e-services by various service providers, in a federation model. This gives flexibility in terms of what identities and services are used, while keeping the signature service secure and under control.
The federation is based on web technology. Users access the federation, e-services, authentication and signing services through a web browser.
How does it work?
Users access web-based services through their web browsers. The online service can log users in and let them sign documents. Through the use of different identity providers, different user categories can access e-services and the signing service in the federation.
The federation is defined in the metadata, which contains credentials and other information for each identity and service provider. The Discovery service provides a way for e-services to let their users select identity provider and authentication method. Nexus GO Discovery can be used for this purpose.
An example scenario is described below:
User signs a document
A user wants to sign a document in the e-service, and presses the service's sign button in the web browser.
The e-service selects an identity provider (IdP) for the user to authenticate to Nexus GO Federated Signing. This can be done with a Discovery service, such as Nexus GO Discovery.
The e-service builds a signing request and submits it to Nexus GO Federated Signing. The request names the selected IdP by its entity ID in the federation.
Nexus GO Federated Signing redirects the user's web browser to the selected identity provider for verification.
The user proves their identity by authenticating with the identity provider. A SAML assertion, including the user's attributes and other data, is returned to Nexus GO Federated Signing through the user's web browser.
Nexus GO Federated Signing verifies the SAML assertion from the identity provider using credentials in the federation's metadata.
Nexus GO Federated Signing signs the document request with a one-time key pair and builds a certificate containing the user's attributes, which ties the user to the signing credentials.
Nexus GO Federated Signing returns the signed document request, and the signing certificate, to the e-service.
The e-service builds the signature and signing certificate into the document.
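The scenario above, as an added example that is not Nexus code and does not use any Nexus API: a Go program with constructed keys and entity IDs, in which JSON plus Ed25519 stand in for SAML XML and XML-DSig, and a signed struct stands in for the X.509 signing certificate. All names in it (Metadata, Assertion, VerifyAssertion, RunScenario, the example.test entity IDs, the displayName and personalIdentityNumber attributes) are assumptions of this example. It shows the checks the signing service has to make on the returned assertion against the federation metadata before it trusts the user's attributes, the one-time key pair with the attribute-bound certificate, and what the e-service should verify before it builds the signature into the document.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"time"
)

// Metadata stands in for the federation metadata: IdP entity ID to its signing key.
type Metadata map[string]ed25519.PublicKey

// Assertion holds the SAML assertion fields the signing service must check.
type Assertion struct {
	Issuer, Audience, InResponseTo string
	NotOnOrAfter                   time.Time
	Attributes                     map[string]string
}

// Certificate stands in for the X.509 signing certificate: it binds the asserted
// attributes to the one-time public key and is signed by the service's CA key.
type Certificate struct{ Subject map[string]string; PublicKey ed25519.PublicKey }

// Signed is a JSON body plus an Ed25519 signature (stand-ins for XML and XML-DSig).
type Signed struct{ Body, Sig []byte }

func sign(key ed25519.PrivateKey, v any) Signed {
	body, _ := json.Marshal(v)
	return Signed{body, ed25519.Sign(key, body)}
}

func newKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // no usable entropy; nothing sensible to do in an example
	}
	return pub, priv
}

// VerifyAssertion is the signing service's check of the returned assertion: it is trusted
// only if it verifies with the metadata key of the IdP selected for the request, names that
// IdP as issuer, is addressed to serviceID, answers the outstanding request ID and is unexpired.
func VerifyAssertion(md Metadata, serviceID, expectedIdP, requestID string, sa Signed, now time.Time) (Assertion, error) {
	pub, known := md[expectedIdP]
	var a Assertion
	switch {
	case !known || !ed25519.Verify(pub, sa.Body, sa.Sig):
		return a, errors.New("assertion does not verify with the selected IdP's metadata key")
	case json.Unmarshal(sa.Body, &a) != nil:
		return a, errors.New("assertion body is malformed")
	case a.Issuer != expectedIdP:
		return a, errors.New("issuer differs from the IdP selected for this request")
	case a.Audience != serviceID:
		return a, errors.New("assertion is not addressed to the signing service")
	case a.InResponseTo != requestID:
		return a, errors.New("assertion does not answer the outstanding request")
	case !now.Before(a.NotOnOrAfter):
		return a, errors.New("assertion has expired")
	}
	return a, nil
}

// SignWithOneTimeKey: a fresh key pair signs the document request, a certificate from
// the service CA ties the asserted attributes to that key, and the private key is dropped.
func SignWithOneTimeKey(caKey ed25519.PrivateKey, doc []byte, a Assertion) (sig []byte, cert Signed) {
	pub, priv := newKey()
	return ed25519.Sign(priv, doc), sign(caKey, Certificate{Subject: a.Attributes, PublicKey: pub})
}

// VerifyAtEService is what the e-service should check before building the signature into
// the document: the certificate comes from the signing service CA and its key verifies the signature.
func VerifyAtEService(caPub ed25519.PublicKey, doc, sig []byte, cert Signed) (map[string]string, error) {
	var c Certificate
	if !ed25519.Verify(caPub, cert.Body, cert.Sig) || json.Unmarshal(cert.Body, &c) != nil {
		return nil, errors.New("certificate was not issued by the signing service CA")
	}
	if !ed25519.Verify(c.PublicKey, doc, sig) {
		return nil, errors.New("document signature does not verify with the certificate's key")
	}
	return c.Subject, nil
}

// RunScenario walks the whole flow for one document with constructed entities and keys.
func RunScenario(now time.Time) (map[string]string, error) {
	const idpID, serviceID = "https://idp.example.test/metadata", "https://sign.example.test" // constructed
	idpPub, idpPriv := newKey()
	caPub, caPriv := newKey()
	doc, requestID := []byte("constructed sample document"), "req-1" // the e-service's request names idpID
	sa := sign(idpPriv, Assertion{ // the IdP authenticates the user and issues the assertion
		Issuer: idpID, Audience: serviceID, InResponseTo: requestID, NotOnOrAfter: now.Add(5 * time.Minute),
		Attributes: map[string]string{"displayName": "Anna Example", "personalIdentityNumber": "199001019999"}})
	a, err := VerifyAssertion(Metadata{idpID: idpPub}, serviceID, idpID, requestID, sa, now)
	if err != nil {
		return nil, err
	}
	sig, cert := SignWithOneTimeKey(caPriv, doc, a) // returned to the e-service together with the certificate
	return VerifyAtEService(caPub, doc, sig, cert)
}
```

RunScenario returns the subject attributes carried in the certificate on success. The order of checks in VerifyAssertion is deliberate: the signature is verified with the key taken from the metadata for the IdP the e-service selected before the body is parsed, so an assertion from an unlisted issuer, one replayed against another request ID, one addressed to a different service, or an expired one is rejected without its attributes ever being used, and the one-time private key in SignWithOneTimeKey never leaves that function.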