Customer preparations before installing Signing and Signing Workflow
This document describes the preparation steps the customer needs to carry out, from both a technical and a functional point of view, before PhenixID Signing Services and Signing Workflow are set up.
Prepare functional and graphical requirements
Select which data (attributes) about the user should be displayed (userID and email must always be present).
(It must be possible to look up the data to be presented from a user database, such as Active Directory.)
Select the labels for each attribute.
Set up two domains:
- One for PhenixID Signing Services, for example sign.kommun.se
- One for PhenixID Signing Workflow, for example signera.kommun.se
DNS for both domains should point to the load balancer / proxy component (see below).
Prepare a database on your SQL server according to https://document.phenixid.net/m/101461/l/1391879-configure-database.
Load balancer / proxy
- Install HTTPS certificates on the load balancer
- DNS records must point to the load balancer
- The external load balancer must terminate SSL and reverse-proxy HTTP traffic to the backend servers (i.e. PhenixID Signing Services and PhenixID Signing Workflow) on backend port 8080
Prepare SMTP integration, which is used to send out notifications.
See https://document.phenixid.net/m/101461/l/1391886-how-to-configure-signing-workflow#smtp for detailed information.
Authentication, authorization and signing methods
Authentication, authorization and signing are based on federation. Connect Signing Services and Signing Workflow to your Identity Provider.
- Signing Workflow
  - Prepare a key and corresponding certificate for securing SAML messages. The key should be in unencrypted DER format, the certificate in PEM format.
  - On your IdP, prepare NameID and SAML attribute profiles to match https://document.phenixid.net/m/101461/l/1391886-how-to-configure-signing-workflow#saml-attribute-mapping
- Signing Services
  - On your IdP, prepare NameID and SAML attribute profiles to make sure the identity information that is to be added to the signatures is included (according to the decisions based on the signature certificate content, see above).
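The checklist asks for an unencrypted DER private key and a PEM certificate for securing the SAML messages. The script below, added here as an example and not part of the PhenixID documentation or product, generates a self-signed key pair with openssl, converts the key into unencrypted DER and verifies that the resulting key and certificate actually belong together before they are handed over. It assumes that the DER key is expected in PKCS#8 form (the usual format for Java-based software; confirm against the linked configuration guide) and that openssl is on PATH; the file names and the CN are examples.

```bash
#!/usr/bin/env bash
# Added example, not PhenixID tooling: produce and verify SAML signing key material
# in the formats the checklist asks for (unencrypted DER key, PEM certificate).
# Assumption (not stated on the page): unencrypted PKCS#8 is the expected DER form.
set -u

# prepare_saml_keymaterial OUTDIR CN [DAYS]
# Writes OUTDIR/saml-signing.der (unencrypted PKCS#8 DER key) and
# OUTDIR/saml-signing.pem (self-signed X.509 certificate, PEM).
prepare_saml_keymaterial() {
  local outdir="$1" cn="$2" days="${3:-730}"
  mkdir -p "$outdir"
  # Self-signed certificate plus key; -nodes leaves the PEM key unencrypted.
  # A CA-issued certificate can be substituted as long as it matches the key.
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=${cn}" -days "$days" \
    -keyout "$outdir/saml-signing-key.pem" -out "$outdir/saml-signing.pem" \
    >/dev/null 2>&1 || return 1
  # Convert the PEM key to unencrypted PKCS#8 DER (-nocrypt = no passphrase).
  openssl pkcs8 -topk8 -nocrypt -inform PEM -outform DER \
    -in "$outdir/saml-signing-key.pem" -out "$outdir/saml-signing.der" || return 1
  # Private key files are secrets; the certificate is public.
  chmod 600 "$outdir/saml-signing-key.pem" "$outdir/saml-signing.der"
}

# verify_saml_keymaterial OUTDIR
# Returns 0 only if the DER key loads as a private key without a passphrase,
# the certificate parses as PEM, and both carry the same public key.
verify_saml_keymaterial() {
  local outdir="$1"
  local key_pub cert_pub
  # A passphrase-protected key cannot be loaded non-interactively here,
  # which is exactly the mistake this check is meant to catch.
  key_pub=$(openssl pkey -inform DER -in "$outdir/saml-signing.der" -pubout 2>/dev/null) || return 1
  cert_pub=$(openssl x509 -in "$outdir/saml-signing.pem" -noout -pubkey 2>/dev/null) || return 1
  [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# Usage: ./saml-keys.sh run [OUTDIR]
if [ "${1:-}" = "run" ]; then
  out="${2:-./saml-keys}"
  prepare_saml_keymaterial "$out" "signera.kommun.se" \
    && verify_saml_keymaterial "$out" \
    && echo "OK: $out/saml-signing.der (DER key) and $out/saml-signing.pem (PEM cert) match"
fi
```

Run `verify_saml_keymaterial` again on the files you actually deliver: if someone later replaces the certificate with one issued for a different key, or exports the key with a passphrase, the check fails before the mismatch shows up as broken SAML signatures in production.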
User directory lookup
Based on the requirements of Person Search -> Internal and Person Search -> External (see above), one or more user directory lookups are needed:
- LDAP
  - Prepare LDAP host/IP, port, service account DN, service account password and search base.
- SQL
  - Prepare the SQL JDBC URL (driver, IP, port, database name), userID and password to connect to the database. Prepare the SQL statements to be executed.
- Navet (Skatteverket)
  - Prepare keystore, keystore password, organization number and customerID.
Prepare communication access / firewall openings:
- Web clients -> LB/Proxy 443
- LB/Proxy -> PhenixID Signing Workflow 8080
- LB/Proxy -> PhenixID Signing Services 8080
- PhenixID Signing Workflow -> SMTP-host port 25 / 587 (change to whatever port you use for SMTP)
- PhenixID Signing Workflow -> PhenixID Signing Services 7443
- PhenixID Signing Workflow -> SQL Database server port XX (the port used for the sql connection)
- Based on the user lookup requirements, additional communication access will be needed:
  - If LDAP: PhenixID Signing Services -> LDAP 389/636
  - If SQL: PhenixID Signing Services -> SQL XX
  - If Skatteverket (Navet): PhenixID Signing Services -> Navet endpoint 443
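Once the openings above have been requested, it is worth confirming from each source host that they are actually in place before installation day. The script below is an added example, not PhenixID tooling: it encodes the communication matrix above as a small rule list and tests each TCP port using bash's built-in /dev/tcp, so it needs nothing beyond bash. The hostnames are constructed placeholders, and rows whose port is still "XX" are reported as skipped rather than tested.

```bash
#!/usr/bin/env bash
# Added example (not PhenixID tooling): check the firewall openings from the
# checklist. Hostnames below are constructed placeholders; replace XX ports
# with the ones you actually use.
set -u

# One rule per line: "<source role> <destination host> <port>".
# Run the script on a host in the named source role (e.g. on the Workflow
# server for the "workflow" rows); the role column only selects which rows apply.
SIGNING_RULES='
internet  lb.kommun.se           443
lb        signing-workflow.local 8080
lb        signing-services.local 8080
workflow  smtp.kommun.se         587
workflow  signing-services.local 7443
workflow  sqlserver.local        XX
services  ldap.kommun.se         636
services  sqlserver.local        XX
services  navet.skatteverket.se  443
'

# check_port HOST PORT [TIMEOUT_S]: returns 0 if a TCP connection can be opened.
check_port() {
  local host="$1" port="$2" t="${3:-3}"
  if command -v timeout >/dev/null 2>&1; then
    timeout "$t" bash -c "exec 3<>/dev/tcp/${host}/${port}" 2>/dev/null
  else
    bash -c "exec 3<>/dev/tcp/${host}/${port}" 2>/dev/null
  fi
}

# run_checks ROLE [RULES]: tests every rule whose source is ROLE, prints one
# line per rule and returns the number of failed rules (0 = all reachable).
run_checks() {
  local role="$1" rules="${2:-$SIGNING_RULES}" failed=0 r h p
  while read -r r h p; do
    [ "$r" = "$role" ] || continue   # blank lines and other roles
    case "$p" in
      ''|*[!0-9]*) echo "SKIP  $h:$p (fill in the real port)"; continue ;;
    esac
    if check_port "$h" "$p"; then
      echo "OK    $h:$p"
    else
      echo "FAIL  $h:$p"; failed=$((failed + 1))
    fi
  done <<< "$rules"
  return "$failed"
}

# count_rules ROLE [RULES]: number of testable (numeric-port) rules for a role,
# useful as a sanity check that the matrix was transcribed completely.
count_rules() {
  local role="$1" rules="${2:-$SIGNING_RULES}" n=0 r h p
  while read -r r h p; do
    [ "$r" = "$role" ] || continue
    case "$p" in ''|*[!0-9]*) continue ;; esac
    n=$((n + 1))
  done <<< "$rules"
  echo "$n"
}

# Usage: ./check-openings.sh run [ROLE]   (exit status = number of failed rules)
if [ "${1:-}" = "run" ]; then
  run_checks "${2:-workflow}"
fi
```

A FAIL line only tells you that a TCP connection could not be opened within the timeout; it does not distinguish a firewall drop from a service that is not yet listening, so run the check again after the backend services are installed. The exit status makes the script usable from a monitoring job that re-verifies the openings over time.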