Configuration
This section describes how you configure Lime eSign. You need to configure Lime eSign in these places:
- Lime Admin configuration
- Application configuration
- Only if on-premise and using Record Access: Environment configuration
Lime Admin
Runtime Config
Use Lime Admin to configure the Runtime Config. Each config parameter is described in and validated by Lime Admin.
Warning
If you have a database structure that differs from the Base solution, you need to change the corresponding properties.
Server URL
This is the public server URL. Since users outside the organization should in most cases be able to sign, this part of the server should be public. See Public Access for more information. Do not include the application name in the serverUrl config parameter. The URL should not have a trailing slash.
PAdES
PAdES is a standard for digital signatures in PDF documents. It is not enabled by default, but can be enabled by checking the Enable PAdES checkbox. PAdES is only supported when an eID, such as BankID, is used as the signing method. An API key for a service called PDF Manager must also be set in the application config before enabling PAdES. How to retrieve an API key is described here.
From Address on Emails
Regarding the fromAddress configuration parameter, you must follow these rules:
- If the customer is using the shared site at Lime Marketing for TRAML: The fromAddress must be set to "noreply@esign.lime-crm.com".
- If the customer is using their own Lime Marketing site (should only be used if the customer is already using TRAML for other things): The fromAddress must be set to a configured and valid sending domain (check this at Administration -> Sending domains in their Lime Marketing app). Then use "esign@validcustomersendingdomain.abc".
Please note that the reply-to address on the emails sent out is set to the email of the initiator. This means that any replies to the email will actually be sent to the initiator, and not to the address specified as fromAddress. Therefore, it doesn't matter whether the fromAddress actually exists or not. In fact, it is better that it does not exist at all, otherwise access rules might kick in when sending it to a coworker belonging to the same domain.
Warning
If you do not follow the rules above, the emails sent out will be marked as spam, since they are sent from a source (Lime Marketing) other than the domain of the from address.
Signing Service
You can choose which signing integration service to use under Signing Methods. Please read the installation instructions here to learn more about the differences between the services. The available signing methods depend on the chosen service. In the case of the Criipto service, a signing method has to be enabled in Lime Admin as well as on the signature administrative pages.
Example Configuration
This is an example that works out of the box with a Lime CRM Base Solution.
- signerParent: The limeobject that should be able to sign, for example Person or Coworker.
- verificationProperties: Extra properties that will be displayed on the verification page. Name and email are already shown on the verification page by default, so they should not be configured as verification properties.
- additionalLimetypes: Serves two purposes: the limetypes that the signing process can be initiated from (requires that you also add the web component in the view config / LBS app in the Actionpad there), and which relations should be copied from the original document to the signed document and history notes.
- potentialSignerSources: The path to the additionalLimetypes where the signerParent can be retrieved. This determines which possible signers should be available. Setting default to true makes the signers preselected.
{
  "impersonateUser": "portal@limeesign",
  "eSignGroup": "limeesignusers",
  "serverUrl": "[insert public server base URL here]",
  "enablePades": false,
  "email": {
    "templateNoButton": "esign-without-action-button",
    "templateOneButton": "esign-with-action-button",
    "fromAddress": "[insert from email address here]",
    "fromName": "[insert from name here]",
    "includeCoworker": true
  },
  "actions": {
    "communicationLanguage": {
      "default": "app_language",
      "available": []
    },
    "signingSend": {
      "emailSigners": true,
      "emailInitiator": true
    },
    "signerSign": {
      "emailSigners": true,
      "emailInitiator": true
    },
    "signerOpen": {
      "emailInitiator": true
    },
    "signingComplete": {
      "emailInitiator": true,
      "emailSigners": true
    },
    "signingCancel": {
      "emailInitiator": true,
      "emailSigners": false
    },
    "signingError": {
      "emailInitiator": true
    }
  },
  "signingMethods": {
    "service": "criipto",
    "serviceMethods": {
      "bankid_se": {
        "enabled": true,
        "default": false
      },
      "bankid_no": {
        "enabled": true,
        "default": false
      },
      "mitid_da": {
        "enabled": true,
        "default": false
      },
      "ftn_fi": {
        "enabled": true,
        "default": false
      }
    },
    "checkbox": {
      "enabled": true,
      "default": true
    }
  },
  "signerParents": [
    {
      "propertyName": "name",
      "propertyEmail": "email",
      "propertyInactive": "inactive",
      "limetype": "coworker",
      "verificationProperties": [
        {
          "label": "Company",
          "value": "[insert company name here]"
        }
      ],
      "propertySigner": "signer"
    },
    {
      "propertyName": "name",
      "propertyEmail": "email",
      "propertyInactive": "inactive",
      "limetype": "person",
      "verificationProperties": [
        {
          "limeProperty": "company",
          "label": "Company"
        },
        {
          "limeProperty": "position",
          "label": "Position"
        }
      ],
      "propertySigner": "signer"
    }
  ],
  "additionalLimetypes": [
    {
      "limetype": "deal",
      "propertyHistory": "history",
      "propertySigning": "signing",
      "propertyDocument": "document"
    },
    {
      "limetype": "person",
      "propertyHistory": "history",
      "propertySigning": "signing",
      "propertyDocument": "document"
    },
    {
      "limetype": "company",
      "propertyHistory": "history",
      "propertySigning": "signing",
      "propertyDocument": "document"
    }
  ],
  "potentialSignerSources": [
    {
      "path": "document.person",
      "default": true
    },
    {
      "path": "coworker"
    },
    {
      "path": "document.company.person"
    }
  ],
  "history": {
    "limetype": "history",
    "propertyNote": "note",
    "propertyType": "type",
    "propertyCoworker": "coworker",
    "propertyDocument": "document",
    "propertySigner": "signer",
    "propertySigning": "signing"
  },
  "signing": {
    "limetype": "signing",
    "propertySigningStatus": "signingstatus",
    "propertyCoworker": "coworker",
    "propertyMethods": "methods",
    "propertyOriginalDocument": "originaldocument",
    "propertySignedDocument": "signeddocument",
    "propertyOriginalDocumentFingerprint": "originaldocumentfingerprint",
    "propertySignedDocumentFingerprint": "signeddocumentfingerprint",
    "propertyTitle": "title",
    "propertySentDate": "sentdate",
    "propertySignedDate": "signeddate",
    "propertyOrder": "order",
    "propertyMetaData": "metadata"
  },
  "signer": {
    "limetype": "signer",
    "propertyName": "name",
    "propertyEmail": "email",
    "propertySignerStatus": "signerstatus",
    "propertyRole": "role",
    "propertyOrder": "order",
    "propertySentDate": "sentdate",
    "propertyNotifiedDate": "notifieddate",
    "propertyLastOpenedDate": "lastopeneddate",
    "propertyApprovedDate": "approveddate",
    "propertySignedDate": "signeddate",
    "propertyMethod": "method",
    "propertyToken": "token",
    "propertyMethodData": "methoddata",
    "propertySigning": "signing"
  },
  "coworker": {
    "limetype": "coworker",
    "propertyName": "name",
    "propertyEmail": "email",
    "propertyPhone": "mobilephone"
  },
  "document": {
    "limetype": "document",
    "propertyComment": "comment",
    "propertyType": "type",
    "propertyDocument": "document",
    "propertySigning": "signing",
    "propertyCoworker": "coworker"
  }
}
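The Server URL, From Address and PAdES rules above can be checked before a runtime config is saved. The following linter is an added example, not part of Lime eSign; `lint_runtime_config` and its `sending_domains` parameter are hypothetical names, the entries under serviceMethods are assumed to be the eID methods, and the https check is an added hardening check rather than a rule from this page.

```python
from urllib.parse import urlsplit

SHARED_FROM = "noreply@esign.lime-crm.com"  # shared Lime Marketing site, from the page

def lint_runtime_config(cfg, sending_domains=None):
    """Return findings for the serverUrl, fromAddress and PAdES rules on this page.
    sending_domains (hypothetical): domains verified in the customer's own
    Lime Marketing site, or None when the shared site is used."""
    findings = []
    url = cfg.get("serverUrl", "")
    parts = urlsplit(url)
    if not parts.netloc:
        findings.append("serverUrl: not an absolute URL")
    if url.endswith("/"):
        findings.append("serverUrl: trailing slash")
    if parts.path.strip("/"):
        findings.append("serverUrl: has a path; the application name must not be included")
    if parts.scheme != "https":
        # Added check, not a rule from the page: signing links reach outside parties.
        findings.append("serverUrl: not https")
    addr = cfg.get("email", {}).get("fromAddress", "")
    if sending_domains is None:
        if addr != SHARED_FROM:
            findings.append("fromAddress: shared site requires " + SHARED_FROM)
    elif addr.rpartition("@")[2].lower() not in sending_domains:
        findings.append("fromAddress: domain is not a configured sending domain")
    # Assumption: every entry under serviceMethods is an eID method.
    methods = cfg.get("signingMethods", {}).get("serviceMethods", {})
    if cfg.get("enablePades") and not any(m.get("enabled") for m in methods.values()):
        findings.append("enablePades: no eID signing method is enabled")
    return findings

# Constructed sample configs holding only the keys the checks read.
BAD = {
    "serverUrl": "http://crm.example.com/myapp/",
    "enablePades": True,
    "email": {"fromAddress": "esign@example.com"},
    "signingMethods": {"serviceMethods": {"bankid_se": {"enabled": False}},
                       "checkbox": {"enabled": True, "default": True}},
}
GOOD = {
    "serverUrl": "https://crm.example.com",
    "enablePades": True,
    "email": {"fromAddress": "esign@mail.example.com"},
    "signingMethods": {"serviceMethods": {"bankid_se": {"enabled": True}}},
}

if __name__ == "__main__":
    print("BAD:", lint_runtime_config(BAD))
    print("GOOD:", lint_runtime_config(GOOD, {"mail.example.com"}))
```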
Web Component
eSign's web component must be manually added in Lime Admin. Add lwc-esign-main in the following places:
- Views➡Document➡Card➡Widgets
Repeat for each limetype that you have configured as additionalLimetypes in the runtime configuration.
Web Client Views
Add the signing property to the document card and to other configured limetypes:
{
  "property": "signing"
}
Filters
Info
If you are running Lime CRM in isolated cloud or on-premise, make sure that you have the package limepkg-filter-editor installed.
Use the Config Importer to import this file.
Info Tile
Use the Config Importer to import this file.
Add the Info Tile My signings older than 7 days to the desired start page of Lime CRM. This Info Tile helps raise awareness of signing processes that may require action, such as sending reminders.
Application Config
Lime eSign uses the application-level configuration to configure secrets for BankID and TRAML.
Info
Previously, the BankID SE and Signatures signing services shared the same secrets config node for api_key and token. Since version v8.33.0, Signatures has its own node, signatures. If a solution using Signatures is upgraded, it's recommended that the bankid node is renamed to signatures. However, eSign will fall back to looking in the bankid node if the signatures node is not present!
Windows on-premise Installations
For Windows on-premise installations, the application-level configuration is expressed in the file %ProgramData%\Lundalogik\LIME Pro Server\application_config.yaml. If it does not already exist, just create it.
The application_config.yaml file is shared by all services. That means that you should have eSign's and TRAML's application configuration in the same file, like this:
<application-display-name>:
  secrets:
    limepkg-esign:
      bankid: # If using the BankID SE signing service
        api_key: <limebankidapikey>
        token: <limebankidtoken>
      signatures: # If using the Signatures signing service
        api_key: <signaturesapikey>
        token: <signaturestoken>
      pdfmanager:
        api_key: <limepdfmanagerapikey>
    limepkg_transactional_message_library:
      api_key: the-lime-marketing-api-key-in-uuid-format
  config:
    limepkg_transactional_message_library:
      api_url: https://app.bwz.se/customername/bedrock/api/
Restart the web server and the task handler.
Cloud
Add the following to the Secrets part of the application configuration.
limepkg-esign:
  bankid: # If using the BankID SE signing service
    api_key: <limebankidapikey>
    token: <limebankidtoken>
  signatures: # If using the Signatures signing service
    api_key: <signaturesapikey>
    token: <signaturestoken>
  pdfmanager:
    api_key: <limepdfmanagerapikey>
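The fallback from the signatures node to the bankid node, and the PDF Manager key that PAdES depends on, can be audited on the parsed secrets mapping. This is an added example, not eSign's own lookup code; `resolve_secrets` is a hypothetical helper, the sample secrets are constructed, and findings name keys only so that no secret value ends up in output or logs.

```python
import re

# An unreplaced "<...>" template value, or an empty value.
PLACEHOLDER = re.compile(r"^<.*>$|^\s*$")

def resolve_secrets(app_secrets, wanted, pades_enabled=False):
    """Pick the node eSign would read for `wanted` ("bankid" or "signatures")
    and list problems. `app_secrets` is the parsed `secrets` mapping."""
    esign = app_secrets.get("limepkg-esign") or {}
    findings = []
    node_name = wanted
    if wanted == "signatures" and "signatures" not in esign:
        # Fallback described on the page: Signatures got its own node in v8.33.0.
        node_name = "bankid"
        findings.append("signatures node missing: falling back to bankid; rename the node")
    node = esign.get(node_name) or {}
    for key in ("api_key", "token"):
        if PLACEHOLDER.match(str(node.get(key) or "")):
            findings.append(f"{node_name}.{key}: missing or placeholder")
    if pades_enabled:
        pdf_key = str((esign.get("pdfmanager") or {}).get("api_key") or "")
        if PLACEHOLDER.match(pdf_key):
            findings.append("pdfmanager.api_key: required before enabling PAdES")
    return node_name, findings

# Constructed samples: an upgraded solution that still uses the old node,
# and a template whose placeholders were never replaced.
LEGACY = {"limepkg-esign": {"bankid": {"api_key": "constructed-key",
                                       "token": "constructed-token"}}}
TEMPLATE = {"limepkg-esign": {"signatures": {"api_key": "<signaturesapikey>",
                                             "token": "<signaturestoken>"}}}

if __name__ == "__main__":
    print(resolve_secrets(LEGACY, "signatures", pades_enabled=True))
    print(resolve_secrets(TEMPLATE, "signatures"))
```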
Environment Config
Environment configuration is only valid for on-premise servers and only used by Lime eSign for customers using Record Access.
Object Access / Record Access
Only object access is supported by Lime eSign. Customers with record access on any limetype that is used by eSign must disable the API blacklisting of tables with record access. This is described more here but is summarized below.
Which limetypes are used by eSign depends on how you configure the add-on. For typical limetypes, see the installation instructions and configuration example.
Add the following piece of YAML:
security:
  types_with_record_access_are_accessible: true
To both:
%ProgramData%\Lundalogik\LIME Pro Server\Web Server\configs\config.yml
and
%ProgramData%\Lundalogik\LIME Pro Server\Task Handler\configs\config.yml
This allows eSign to access the limetypes even though they have Record Access. The setting is not limited to eSign: other add-ons, API users, and regular users who retrieve their Session ID and call the API can access the limetypes as well. Without this setting, eSign will not work. If the customer's security needs are extremely high, the only option is to also implement their access rules in Object Access.