Signing Federation for Nexus GO Federated Signing


In a federated signing model, different identity providers (IdPs) and services can be connected to the signing service in a flexible way. 

Nexus GO Federated Signing is a web service for remote signing of PDF documents and XML data. The service ensures a high level of privacy and trust, since the documents or data never have to leave the organization's own environment: only the data to be signed is sent to the service, and the signature is added to the document by the e-service itself. The service especially suits organizations that handle sensitive data or act on regulated markets, such as banking, finance and the public sector. The solution is certified for use in the Swedish public sector, according to the specifications in the Swedish eID Framework (E-legitimationsnämndens Tekniska Ramverk).

Nexus GO Federated Signing provides secure authentication and remote signing to e-services from various service providers, in a federation model. This gives flexibility in terms of which identities and services are used, while keeping the signature service secure and under control.

User authentication is managed by connecting one or more identity providers (IdPs) to the federation, for example Nexus Smart ID Identity Provider or external IdPs such as Swedish eIDs (Svensk e-legitimation), European eIDAS eIDs, or private eIDs such as Forgerock. The federation is based on web technology: users access the e-services, the authentication and the signing service through a web browser.

The signing service can be combined with the Nexus Smart ID solution for various use cases, for example by using the Digital ID module to issue identities. 

For more information on the Swedish eID Framework (E-legitimationsnämndens Tekniska Ramverk), see the following link: 

How does it work? 

Users access web-based services through their web browsers. The e-service can log users in and let them sign documents. By connecting different identity providers, different user categories can access the e-services and the signing service in the federation.

The federation is defined in its metadata, which contains the entity ID, endpoints and public-key credentials (certificates) for each identity provider and service provider. Every party verifies the signatures of the others against the credentials published in this metadata, so the metadata is the root of trust in the federation. A Discovery service provides a way for e-services to let their users select an identity provider and authentication method; Nexus GO Discovery can be used for this purpose.

An example scenario is described below:

User signs a document

  1. A user wants to sign a document in the e-service, and presses the service's sign button in the web browser.
  2. The e-service selects an identity provider (IdP) for the user to authenticate to Nexus GO Federated Signing. This can be done with a Discovery service, such as Nexus GO Discovery.
  3. The e-service builds a signing request and submits it to Nexus GO Federated Signing. The request identifies the selected IdP by its entity ID in the federation metadata.
  4. Nexus GO Federated Signing redirects the user's web browser to the selected identity provider for verification.
  5. The user verifies their identity by authenticating with the identity provider. A SAML assertion containing the user's attributes and other data is returned to Nexus GO Federated Signing through the user's web browser.
  6. Nexus GO Federated Signing verifies the SAML assertion from the identity provider using the credentials for that IdP in the federation metadata.
  7. Nexus GO Federated Signing signs the data in the signing request with a freshly generated one-time key pair, and builds a certificate containing the user's attributes, which ties the user to that signing key.
  8. Nexus GO Federated Signing returns the signed request, together with the signing certificate, to the e-service.
  9. The e-service embeds the signature and the signing certificate in the document.
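The nine steps above, played end to end as an added example; this is not code from the original page or from the Nexus product. It is written in Go against the standard library only and makes the following assumptions: a constructed federation with a single IdP whose key is the only entry in the metadata map; a simplified assertion signed with Ed25519 over a canonical string in place of a real SAML assertion with XML-DSig; Ed25519 for the one-time signing key; the hypothetical entity IDs https://sign.example.org and https://idp.example.org; and the document bytes themselves as the data to be signed. The browser redirects of steps 4 and 5 are reduced to function calls. What it shows is the checks a practitioner wants at step 6 (issuer present in metadata, correct audience, not expired, signature valid), the short-lived user-bound certificate of step 7, and the e-service's own verification before step 9. With tamper set, an assertion altered on the browser leg after the IdP signed it is rejected.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

const signSvc = "https://sign.example.org" // hypothetical entity ID of the signing service

// Assertion stands in for a SAML assertion. Real SAML uses XML-DSig; here the IdP signs a
// canonical string instead, which is enough to show the checks the signing service makes.
type Assertion struct {
	Issuer, Audience, Subject, Name string // IdP entity ID, intended recipient, user ID, display name
	NotAfter                        time.Time
}

func (a Assertion) canonical() []byte {
	return []byte(fmt.Sprintf("%s|%s|%s|%s|%d", a.Issuer, a.Audience, a.Subject, a.Name, a.NotAfter.Unix()))
}

// verifyAssertion is step 6; metadata maps each IdP entity ID in the federation to its signing key.
func verifyAssertion(a Assertion, sig []byte, metadata map[string]ed25519.PublicKey, now time.Time) error {
	pub, ok := metadata[a.Issuer]
	switch {
	case !ok:
		return errors.New("issuer is not in the federation metadata")
	case a.Audience != signSvc:
		return errors.New("assertion was not issued for this signing service")
	case !now.Before(a.NotAfter):
		return errors.New("assertion has expired")
	case !ed25519.Verify(pub, a.canonical(), sig):
		return errors.New("assertion signature does not verify against the metadata key")
	}
	return nil
}

// newCert issues a certificate from tmpl, signed by parent (nil means self-signed).
func newCert(tmpl, parent *x509.Certificate, pub ed25519.PublicKey, key ed25519.PrivateKey) (*x509.Certificate, error) {
	tmpl.SerialNumber, _ = rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127))
	tmpl.NotBefore = time.Now().Add(-time.Minute)
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// federatedSign is step 7: a key pair that exists only inside this call, plus a certificate
// from the service CA that binds the authenticated user's attributes to that key.
func federatedSign(doc []byte, a Assertion, ca *x509.Certificate, caKey ed25519.PrivateKey) ([]byte, *x509.Certificate, error) {
	pub, oneTime, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	cert, err := newCert(&x509.Certificate{
		Subject:  pkix.Name{CommonName: a.Name, SerialNumber: a.Subject},
		NotAfter: time.Now().Add(10 * time.Minute), // short-lived: the key is used once and dropped
		KeyUsage: x509.KeyUsageDigitalSignature,
	}, ca, pub, caKey)
	if err != nil {
		return nil, nil, err
	}
	return ed25519.Sign(oneTime, doc), cert, nil // oneTime goes out of scope here; no copy is kept
}

// verifySignedDocument is the e-service's check before step 9: the certificate must come from
// the service CA and the signature must verify under the key in that certificate.
func verifySignedDocument(doc, sig []byte, cert, ca *x509.Certificate) error {
	if err := cert.CheckSignatureFrom(ca); err != nil {
		return err
	}
	if !ed25519.Verify(cert.PublicKey.(ed25519.PublicKey), doc, sig) {
		return errors.New("document signature does not verify with the signing certificate")
	}
	return nil
}

// Constructed federation: one IdP, and the signing service's own CA for the one-time certificates.
var (
	idpPub, idpKey, _ = ed25519.GenerateKey(rand.Reader)
	caPub, caKey, _   = ed25519.GenerateKey(rand.Reader)
	metadata          = map[string]ed25519.PublicKey{"https://idp.example.org": idpPub}
	ca, _             = newCert(&x509.Certificate{Subject: pkix.Name{CommonName: "Signing Service CA"}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign, NotAfter: time.Now().Add(time.Hour)}, nil, caPub, caKey)
)

// runScenario plays steps 5-9 for a constructed user and document and returns the user ID bound
// into the signing certificate. With tamper set, the assertion is changed after the IdP signed it.
func runScenario(tamper bool) (string, error) {
	a := Assertion{Issuer: "https://idp.example.org", Audience: signSvc, Subject: "199001011234",
		Name: "Anna Andersson", NotAfter: time.Now().Add(5 * time.Minute)}
	assertionSig := ed25519.Sign(idpKey, a.canonical()) // step 5: the IdP signs the assertion
	if tamper {
		a.Subject = "199001015678"
	}
	if err := verifyAssertion(a, assertionSig, metadata, time.Now()); err != nil {
		return "", err
	}
	doc := []byte("constructed sample document")
	sig, cert, err := federatedSign(doc, a, ca, caKey)
	if err != nil {
		return "", err
	}
	if err := verifySignedDocument(doc, sig, cert, ca); err != nil {
		return "", err
	}
	return cert.Subject.SerialNumber, nil
}

func main() {
	fmt.Println(runScenario(false)) // 199001011234 <nil>
	fmt.Println(runScenario(true))  // "" and an assertion-signature error
}
```

Two design points carry over to a real deployment. The signing service trusts nothing about the IdP except what is in the metadata, so rotating an IdP key is a metadata change, not a code change. And because the one-time private key never leaves federatedSign, there is no long-lived user signing key for an attacker to steal; the user's identity lives in the certificate that the service CA issued, which is what the e-service checks before it embeds anything in the document.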

How do I order the service? 

See Get started with Nexus GO Federated Signing.

