Advanced User Guide

Customization of eSignAnyWhere

---

This advanced feature is for customizing the eSignAnyWhere Viewer for the signers. You can change the colors and logo to align them to your CI and set eSAW Viewer behavior. Therefore you have upload a ZIP-Archive with the new design settings. You can download a design template and change it. Moreover you are able to set a redirect URL when a document is finished.

If the feature is available for your organisation, you can:

• set a redirect URL for finished documents
• upload a design
• reset to default design
• download a design template
• download current design

The Customisation.zip file contains:

• variables.xml: contains the style configuration of eSignAnyWhere. The comments in the file will help you to modify it.
• global_variables.xml: contains settings for the eSAW Viewer
• /files/logo_sidebar_collapsed.svg & /files/logo_sidebar_expanded.svg: Logos in the top-left of your eSignAnyWhere customization

If you have modified the files just put them in an archive and upload via UI. You can use instead of svg also png, gif or jpg.

Example: Change Default Color (purple to blue) and Logo

Open variables.xml and look for “defaultColor” and replace #661864 with #000044 (dark blue).

Replace

<variable name="defaultColor" value="#{[color:#661864]}#"  ... />

with

<variable name="defaultColor" value="#{[color:#000044]}#"  ... />

(simplified version)

For changing the Logo you have to put your Logo in the subfolder /files. Then you have to change the variables.xml to set the new files (e.g. my-logo-large.png and my-logo-small.png).

<variable name="logoCollapsedUrl" value="#{[image:my-logo-small.png]}#" ... />
<variable name="logoExpandedUrl" value="#{[image:my-logo-large.png]}#" ... />

Save the files and pack it in a zip-file (e.g. “my-style.zip”), with same structure as the downloaded Customization.zip, and upload it as new design in your organization settings.

Email Templating

---

The Email-Template is the basic email-layout (header, logo, text, footer, etc.) and the messages the recipients information (e.g. “Please sign the following document”).

To modify your Email Templates and Messages you may use one of the following placeholder in the email:

{{Content}} – the is the root placeholder for all templates inside the main template.
#Password# – this replaces the generated user password
#Url# – sets a specific url
#UserFirstName# – replaces with the user’s first name
#UserLastName# – replaces with the user’s last name
#EnvelopeName# – replaced with the envelope name.
#EnvelopeMessage# – replaced with the envelope’s message.
#PersonalMessage# – replaced by the recipient personal message.
#NumberOfRecipientsWhoSigned# – replaced with the total number of recipients who signed that envelope
#TotalNumberOfRecipients# – replaced with the total number of recipients of that envelope.
#RecipientList# – replaced with a formatted list of all envelope recipients
#RecipientEmail# – replaced with the recipient email address.
#RecipientFirstName# – replaced with the recipient’s first name.
#RecipientLastName# – replaced with the recipient’s last name.
#SenderFirstName# – replaced with the envelope sender first name
#SenderLastName# – replaced with the envelope sender last name
#ContactUrl# – replaced with the contact url defined in the organization settings page
#SupportUrl# – replaced with the support url defined in the organization settings page
#ExpirationDate# – replaced with the envelope expiration date.

Please note, that not all placeholders are available for all notification types.

Email templates :

1. TEMPLATE: this is the root email template (this usually contains the logo and the email footer).
2. New Account: Sent, when a user is registering a new account. Parameters: #UserFirstName# , #UserLastName#, #Url#
3. User invitation: Sent, when user is invited by org administrator. Parameters: #UserFirstName#, #UserLastName, #Url#
4. Sign: This is the email sent to signers. Contains the url which opens the document to sign. Parameters: #EnvelopeMessage#, #Url#
5. Expired Sender: Is sent to envelope sender when envelope has expired. Parameters: #EnvelopeName#, #Url#
6. Expired Recipient: Is sent to recipient when envelope has expired. Parameters: #EnvelopeName#
7. Envelope Signed: Is sent to envelope sender after a envelope has been signed. Parameters: #RecipientFirstName#, #RecipientLastName#, #EnvelopeName#, #Url#
8. Envelope Rejected: Is sent to envelope sender after a envelope has been rejected. Parameters: #RecipientFirstName#, #RecipientLastName#, #EnvelopeName#, #Url#
9. Envelope Completed: Is sent to envelope sender after a envelope is completed. Parameters: #EnvelopeName#, #Url#
10. Envelope Canceled: Is sent to recipient(s) when a envelope. Parameters: #RecipientFirstName#, #RecipientLastName#, #EnvelopeName#, #Url#
11. Forgot password: Sent, when user wants to recover his password. Parameters: #UserFirstName#, #UserLastName# , #Url#
12. Send documents to CC recipients: Sent, when a envelope is completed, the finished documents are sent to CC recipients. Parameters: #EnvelopeName#, #RecipientList#, #Url#
13. ParallelFinishedSign: Sent to recipient when a parallel envelope is ready to be signed. Parameters: #EnvelopeName#, #Url#
14. SendBackupNotification: Sent when a backup file is ready. Parameters: #Url#
15. Envelope Signed Acknowledge: Sent to envelope sender after envelope was acknowledged by one recipient. Parameters: #EnvelopeName#, #RecipientFirstName#, #RecipientLastName#, #Url#
16. Acknowledge: Sent to acknowledge recipients. Parameters : #SenderFirstName#, #SenderLastName#, #Url#

Simple Example

Messages exists of the placeholders (see above) and basic HTML tags. Therefore a HTML knowledge for modifing the messages is useful (<br />, <p>...</p>, <strong>...</strong>, <h3>...</h3>).

<h4>The envelope "#EnvelopeName#" has been signed by the following recipients:</h4>
<p>#RecipientList#</p>

Bulk Envelopes

---

This is an additional eSignAnywhere feature and is available with version 3.1. Bulk envelopes allows you to send an envelope to multiple signers. The workflow splits with the bulk recipient, so that you will receive unique signed documents for each bulk recipient. This feature is perfect for let one document (e.g. a new company policy) sign by many recipients. This feature is not available with basic subscription, so please contact your Namirial sales.

1. Design the Workflow

New buttons “Add Bulk” and “Bulk CSV Template” are available. You can add one bulk per envelope and you are defining the bulk recipients via CSV file. The “Bulk CSV Template” generates your desired bulk recipient configuration. So you are able to define Authentication or Information for Remote or Disposable Certificates in the CSV. Please note that you have a maximum of 1000 recipients per bulk.

The Bulk Recipient in the Recipient List.

You can see the uploaded recipient list and the number of recipients found in the uploaded CSV file.

2. Designer

In the designer the bulk recipients behave like a normal recipient. You can place and define its signature fields, form fields or predefined fields.

3. Manage Bulk Envelopes

The bulk envelopes are listed normal in the document overview with special bulk envelope features. The statistics are added (number of completed, rejected, … envelopes of the bulk). Moreover you still can control each unique workflow.

Bulk Envelopes API

Sending a bulk is basically creating multiple independent envelopes, which are linked together by an identifiert (bulk id). The API allows accessing the bulk and its envelopes. Please note that only one bulk per envelope is allowed.

Sending a bulk via SendEnvelopes or CreateDraft is simple.

<envelope>
  ...
  <steps>
    ...
    <step> <!-- a bulk step is a step with multiple recipients -->
      ...
      <recipients>
        <recipient>
		...
        </recipient>
        <recipient>
        ...
        </recipient>
      </recipients>
    </step>
    ...
  </steps>
  ...
</envelope>

Result of sending a Bulk is different of sending an envelope. You will receive a bulk identifier in addition.

<apiResult version="0.0.0.0">
   <baseResult>ok</baseResult>
   <okInfo>
      <bulk id="dc4cdaa9-c204-470f-986d-94786ff159f7">
         <envelopeId eMail="mail1@eflowauto.test">2daf11a0-6802-474b-bb48-df4b199b026a</envelopeId>
         <envelopeId eMail="mail2@eflowauto.test">18c7245f-2a78-45b8-9262-3ffe05a62fd1</envelopeId>
      </bulk>
   </okInfo>
</apiResult>

The Callbacks got an additional bulk parameter to provide the bulk id:

http://www.mycallback.at?envelope=##EnvelopeId##&bulk=##BulkId##&action=##Action##

Finding Envelopes (v1) of Bulk: per default only bulk parent are returned. If you want to get the children of a bulk use the bulk parameter:

<findEnvelopesDescriptor>
   <status>Active</status>
   <bulk>dc4cdaa9-c204-470f-986d-94786ff159f7</bulk> <!-- new filter parameter -->
</findEnvelopesDescriptor>

The FindEnvelopes_v2 will return in the Extended version also details about the bulk id.

GetEnvelopesById also returns the bulk id. If you are calling with the bulk id, a list of all bulk recipients and its envelopes ids is returned.

GetEnvelopesById with a Bulk ID:

<apiResult version="0.0.0.0">
   <baseResult>ok</baseResult>
   <okInfo>
      <envelopeStatus>
...
         <id>5b69258c-2327-43ba-80ad-53b4b6a2f3eb</id>
         <bulk>5b69258c-2327-43ba-80ad-53b4b6a2f3eb</bulk>
...
         <bulkRecipients>
            <bulkRecipient eMail="test1@eflowauto.test" id="e9b53acc-9378-4308-99be-0fca92465dac">
...
            </bulkRecipient>
            <bulkRecipient eMail="test2@eflowauto.test" id="5701da00-2b8c-4e2a-8698-a66c43c3e4c7">
...
            </bulkRecipient>
         </bulkRecipients>
      </envelopeStatus>
   </okInfo>
</apiResult>

GetEnvelopeId with an envelope id, which is part of a bulk:

<apiResult version="0.0.0.0">
   <baseResult>ok</baseResult>
   <okInfo>
      <envelopeStatus>
...
         <id>e9b53acc-9378-4308-99be-0fca92465dac</id>
         <bulk>5b69258c-2327-43ba-80ad-53b4b6a2f3eb</bulk> <!-- bulk id is set - see find result above -->
...
         <bulkRecipients>
            <bulkRecipient eMail="" id="">
...
            </bulkRecipient>
         </bulkRecipients>
      </envelopeStatus>
   </okInfo>
</apiResult>

SAML Support

---

SAML is supported for signer authentication (similar to OAuth2) and for eSAW backend users. Due its complexity of the configuration, we highly recommend you to contact us about the SAML configuration.

Examples of Use Cases

• ADFS integration for eSAW backend users
• Signer authentication with external SAML service

How to configure OAuth2 Authentication

---

OAuth2 enables you to configure an external authentication method, such as LinkedIn or Facebook. In this section you find how to configure them.

The signer will see an additional external authentication option. A pop-up appears, where the signer has to enter his credentials to authenticate. eSignAnyWhere will receive a temporary token to receive some authentication information, which will be stored in the audit log of the envelope. You can integrate any external OAuth 2.0 service. For example the open source project OAuthServer (https://oauthserver.codeplex.com/) would enable you to connect your AD/LDAP via OAuth 2.0 and eSignAnyWhere, or you can implement your own OAuth 2.0 service.

The following two OAuth2 configuration examples (LinkedIn & Facebook) show you how to configure it. Because these two guides are external services the procedure may change by time. They should show you the basic concept how to configure OAuth2.

Attention: to force a specific user the response must be JSON.

OAuth2 – LinkedIn

Step 1: Create a new LinkedIn App

Go to your LinkedIn Account and create a new LinkedIn App. You have to enter a name (e.g. “my-eSAW-Authenticator”, a description, URL and some additional information). Once you have created your LinkedIn App you have to finish the configuration.

Step 2: Configure LinkedIn App

In your LinkedIn App you will find your (secret) client-id and client-secret, and the available scopes (e.g. r_basicprofile r_emailaddress). It is important to separate the scopes with space ” “.

You have to add a OAuth 2.0 forwarding URL. The URL for eSignAnyWhere is https://www.significant.com/esawviewer/HttpHandlers/AuthHandler.ashx.

Step 3: Configure eSignAnyWhere

Open the Settings > Organization page and add a new OAuth 2.0 provider. Enter the LinkedIn credentials as below (see LinkedIn documentation for current configuration!). The Identifier is your unique identifier for using with API. The ressources URIs are called for data, which will be stored in the audit-log.

Client ID:	your Linked Client ID
Client Secret:	your LinkedIn Client Secret
Scope:	r_basicprofile r_emailaddress
Authorization URI:	https://www.linkedin.com/oauth/v2/authorization
Token URI:	https://www.linkedin.com/oauth/v2/accessToken
Logout URI:	https://www.linkedin.com
Ressource Parameter:	oauth2_access_token
Ressource URI:	https://api.linkedin.com/v1/people/~:(id,firstName,lastName,headline,email-address)?format=json

Ressources

LinkedIn and OAuth2: https://developer.linkedin.com/docs/oauth2

OAuth 2.0 – Facebook

Step 1: Create a new Facebook App

Go to Facebook Developer, login and create a new Facebook App. You have to enter your App Name (e.g. “my-eSAW-Authenticator”), a contact email-address and a category.

Step 2: Configure your Facebook App

In your Facebook App dashboard and subpages you will find the API ID (similar to Client Token) and the App Secret (similar to Client Secret). You have to add a Facebook Login product to your app (OAuth2). In the settings page of your Facebook Login you can configure the OAuth Redirect URI (https://www.significant.com/esawviewer/HttpHandlers/AuthHandler.ashx).

For the scope you will need to add permissions, which can be found here. For this example we are using the following permissions: public_profile email user_about_me. It is important to separate the scopes with space ” “.

Step 3: Configure eSignAnyWhere

Open the Settings > Organization page and add a new OAuth 2.0 provider. Enter the Facebook credentials as below (see Facebook documentation for current configuration!). The Identifier is your unique identifier for using with API. The ressources URIs are called for data, which will be stored in the audit-log (see Facebook documentation).

Client ID:	your Facebook App ID
Client Secret:	your Facebook App Secret
Scope:	public_profile email user_about_me
Authorization URI:	https://www.facebook.com/v2.8/dialog/oauth
Token URI:	https://graph.facebook.com/v2.8/oauth/access_token
Logout URI:	http://facebook.com
Ressource Parameter:	oauth_token
Ressource URI:	https://graph.facebook.com/v2.5/me?fields=id,name,first_name,middle_name,last_name,email,birthday

The configured Ressource URI returns a JSON object with the specified parameter. These parameter can be defined in the fields to force a specific LinkedIn user to authenticate (e.g. email address). HINT: to see what data is returned in the Ressource URI send yourself an envelope and have a look in the audit trail. It contains the returned object with its parameter. Note: Parameter in Ressource URI of LinkedIn is not the same in the result (email vs. emailAddress).

 

The Ressource URI will return data of the profile. With the “Graph API Explorer” you can build and test your own profile requests. With the optional configuration of “Fields” you can define fields, which are checked for authentication. So you can force a specific user (e.g. identified via email, id or birthdate) to authenticate. Other users are not accepted.

{
  "id": "5761459xxxxxx",
  "name": "Firstname Lastname",
  "first_name": "Firstname",
  "last_name": "Lastname",
  "email": "some@email.com",
  "birthday": "01/01/2000"
}

Ressources

Facebook Developer: https://developers.facebook.com
Permissions: https://developers.facebook.com/docs/facebook-login/permissions/
Facebook API: https://developers.facebook.com/docs/graph-api/using-graph-api/

Force a specific user to authentication

You can force a specific user to authentication via checks in the authenticator (based e.g. on userid or email). Via API you configure the authentication with a “check”.

<authentications>
  <authentication>
    <!-- CustomAuthenticationProvider will be mapped to GenericOAuthProvider -->
    <method>CustomAuthenticationProvider</method>
    <parameter>nameofprovider</parameter>
    <checks>
      <check compareOperation="equals" fieldId="userprofile" value="a232656-6656-5665"></check>
    </checks>
  </authentication>
  <authentication>
    <method>CustomOAuthProvider</method>
    <parameter>nameofprovider</parameter>
      <checks>
      <check compareOperation="equals" fieldId="useremail" value="jordan@xyzmo.com"></check>
          <check compareOperation="equals" fieldId="userprofile" value="a232336-6656-5665"></check>
    </checks>
  </authentication>       
</authentications>

Advanced Document Tags

---

Start and Endmarker in the Document [[tags]]

Attention: If you are using the Advanced Tags via API you have to call PrepareSendEnvelopeSteps_v1 to use them. Please also check the How To use Advanced Tags Guide.

Parameters

!	required (optional)
*	read only (optional)
fieldname	String (required)
:signer1	Assigned to signer; “signer” or “signer1”, “signer2”, … (required)
:objecttype	Type, e.g. signature, combobox, … (mandatory)
:property	additional parameters (allow using of some short notation (e.g. l,r,c instead left, right, center, …))

Signature Fields

[[!sigField1:signer1:signature(sigType="Click2Sign,Draw2Sign",batch=1):label("some label"):size(width=10,height=10))]]
sigType, batch, label, size are optional.

Supported signature types: Click2Sign, Draw2Sign, Type2Sign, RemoteSignature, BiometricSignature, LocalCertificateSignature, DisposableCertificate

Attachments

[[myAttachment:signer:attachment:label("some label"):size(width=10,height=10)]]

label, size are optional.

Textfield

[[*myText:signer2:text(maxLength=100,password=1):default("default text"):font(name=Arial, color=#FF0000, size=12):alignment(left|right|center):size(width=10,height=10)]]

maxLength, mask, default, font, alignment, size are optional.

Checkbox

A required checked checkbox is for only one signer.

[[!chk1:signer:checkbox:size(width=10,height=10):checked]]

checked, size are optional.

RadioButton

All items of a group have to have the same name. Group of three RadioButtons for one recipient:

[[testRbnGroup:signer:radio(Red):size(width=10,height=10):checked]]
[[testRbnGroup:signer:radio(Green):size(width=10,height=10)]]
[[testRbnGroup:signer:radio(Blue):size(width=10,height=10)]]

checked, size are optional.

DropDown

[[myDrop:signer:dropdown(options="Red,Green,Blue",values="R,G,B",editable=1):default("R"):font(name=Arial, color=#FF0000, size=12):alignment(left|right|center):size(width=10,height=10)]]

values, editable, default, size, font, alignment are optional.

List

[[myList:signer:list(options="Red,Green,Blue",values="R,G,B",multiSelect=1):default("R"):font(name=Arial, color=#FF0000, size=12):alignment(left|right|center):size(width=10,height=10)]]

values, multiSelect, default, size, font, alignment are optional.

Offset

You can define a offset by using

:offset(x=-10.5,y=-50.6)

The offset starts at the lower left position, is using points as unit and numbers (double) as input. A positive x value moves to right and a positive y value moves up. Note: this is support eSAW version 3.0+.

Variables

Use to reuse some fragments and allow an easier placement of the text markup into floating text.

Definition:

[[#myFontSettings=:font(name=Arial, color=#FF0000, size=12):alignment(left|right|center)]]

Usage:

[[myList:signer:list(options="Red,Green,Blue",values="R,G,B",multiSelect=1):default("R")$myFontSettings:size(width=10,height=10)]]

Input Validation

Input Validation is available with version 3.1. It might be helpful to check the workstep configuration documentation for accepted formats.

• Date
  • Requires a date field for signer1

  • [[!someDate:signer1:date(format="dd. MMMM yyyy"):range(from="13. März 2018",to="18. December 2019")]]

  • range is optional and must match with defined format
• Email
  • optional for email field

  • [[someMail:signer:email()]]

• Number

  • [[someNumber:signer:number(decimalPlaces=2,decimalSeparator=comma,thousandsSeparator=point,symbol="€",symbolLocation=endWithBlank):range(from="-300,00 €",to="5.000,00 €")]]

  • range, decimalSeparator, thousandsSeparator, symbol, symbolLocation, are optional
  • decimalSeparator: comma, point, apostrophe, none
  • thousandsSeparator: comma, point, apostrophe, blank, none
  • symbolLocation: start, startWithBlank, end, endWithBlank
  • range must match with defined format
• phone

  • [[somePhone:signer:phone(type=international)]]

  • type: international, internationalLeadingZero, internationalLeadingPlus
• time

  • [[someTime:signer:time(format="HH:mm"):range(from="12:00",to="18:00")]]

  • range is optional
  • range must match the defined format

QES

If you are using the QES you have to identify the signer first. This can be done via several ways. Contact your seller for more details.

QES with Disposable Certificate

To use the disposable certificate you just click the settings for the recipient to edit her/his information for the certificate. You need the following information:

• Country of residence
• Mobile phone (required for sending the one-time-password via SMS)
• Social security number
• Document number
• Document issued by
• Document issued on
• Document expiry date
• Document type (e.g. Driving License or Passport)

In the designer you have to select the signature field type as “Dispoable Certificate”.

The signer will receive its email as usual and when wants to sign a disposable certificate signature field he will get a one-time-password via SMS. The counter on the disposable certificate starts by signing the first signature.

 

When the document is finished you can validate, for example, the qualified electronic signature in Adobe Reader.

QES with Remote Certificate

If the user has a long lived certificate you can use the Digital Remote Signature option. It is similar to the disposable certificate, but you must not provide so much information, be the user is already registered. It is not required to define the User Id or Device Id, then the signer must enter the data himself.

In the designer you must select the Digital Remote Signature for the signature type.

P7M Signers

---

It is possible to define P7M signers in eSignAnywhere (version 3.1+). This allows you to define at the end of a signing workflow to define signers with P7M. Due technical reasons it is not possible to add non-P7M signers after the first P7M signer. P7M is an advanced feature and must be enabled for you, so please contact your Namirial Sales.

The P7M signer can be defined in the recipient list (P7M Signer Type). The P7M signer has no assigned signature fields in the document, so you will not be able to assign signature fields, form fields or predefined fields for him or her.

When a workflow with a P7M signer is finished you will not receive a PDF document, but a signed P7M container with the PDF.

The workstepconfig must be extended with a invisibleSignature, Task and a document information:

<signatureTemplate>
	<InvisibleSig>
		<id>pkcs1</id>
		<TargetDocument>
			<DocRefNumber>1</DocRefNumber>
			<completed>0</completed>
		</TargetDocument>
		<TargetDocument>
			<DocRefNumber>2</DocRefNumber>
			<completed>0</completed>
		</TargetDocument>
		<TargetDocument>
			<DocRefNumber>3</DocRefNumber>
			<completed>0</completed>
		</TargetDocument>
	</InvisibleSig>
</signatureTemplate>

Taskdefinition:

<WorkstepTasks SequenceMode="SequenceOnlyRequiredTasks">
	<Task enabled="1" completed="0" required="0" id="pkcs1" displayName="" DocRefNumber="1" type="SignPkcs7" finishPercentage="0" />
</WorkstepTasks>

EnvelopeDocumentInforamtion

<WorkStepInformation>
    ...
    <EnvelopeInformation>
        <EnvelopeDocumentInformation numberOfPages="1" DocRefNumber="1" name="" isOptionalDocument="0" isPkcs7="0" enabled="1" />
        <EnvelopeDocumentInformation numberOfPages="1" DocRefNumber="2" name="" isOptionalDocument="0" isPkcs7="0" enabled="1" />
        <EnvelopeDocumentInformation numberOfPages="1" DocRefNumber="3" name="" isOptionalDocument="0" isPkcs7="0" enabled="1" />
    </EnvelopeInformation>
	...
</WorkStepInformation>

Automatic Remote Signatures

---

With eSignAnyWhere version 3.2 the automatic remote signatures are integrated. So you can setup, as user manager, automatic remote signature profiles for automatic signature.

If you create a workflow, a new type “automatic” recipient is available. The automatic remote signature is applied automatically to the document, if it is the automatic recipient turn. The workflow continues automatically with the next recipient after the automatic recipient.

1) Automatic Remote Signature Profiles

The profiles for automatic remote signatures are managed via the organization’s settings page.  For creating an automatic remote signature profile you need a description (e.g. firstname lastname), the username and the password.

Attention: if a power user wants to use the automatic remote signatures, the user must have enabled the user right “Allow automatic eSealing” (see “Settings” > “Users”).

2) Creating a workflow with automatic remote signatures

In the eSAW UI you can add an automatic signer via button in the recipient list. The profile can be selected for the automatic signature. Attention: the power user must have the right “Allow automatic eSealing” enabled (see “Settings” > “Users”).

Creating the Automatic Remote Signature Recipient via API

Via API you have to use a new recipient type (“Automatic”). Moreover the workstepConfiguration must contain information about the automatic remote signature. As additional option, you can user more than one profile for the workstep configuration at once via API. Note: this leads to a missing information in eSAW UI!

1) Envelope XML with new recipient type “Automatic”

<envelope>
  ...
  <steps>
    <step>
      <emailBodyExtra></emailBodyExtra>
      <orderIndex>1</orderIndex>
      <recipientType>Automatic</recipientType>
      <workstepConfiguration skipThirdPartyChecks="0">
      ...
      </workstepConfiguration>
      </step>
  </steps>
</envelope>

2) Workstep Configuration

2.1) Define Signature Field in WorkstepConfiguration

<sig id="GENERIC_SIG_IDENTIFIER">
  <DocRefNumber>1</DocRefNumber>
  <param name="enabled">1</param>
  <AllowedSignatureTypes>
    <sigType id="automatic" type="AutomaticSignature" preferred="0">
	  <trModType>RemoteSignature</trModType>
	  <ImageRenderingLanguage>en</ImageRenderingLanguage>
	  <SealingProfileId>SEALING_PROFILE_IDENTIFIER_FROM_ORGANIZATION_SETTINGS</SealingProfileId>
    </sigType>
  </AllowedSignatureTypes>
</sig>

2.3) Finalize Action in WorkstepConfiguration Policy

<Policy version="1.1.0.0">
  <FinalizeActions>
	<AutomaticSignature sigId="GENERIC_SIG_IDENTIFIER" />
  </FinalizeActions>
</Policy>