DocuSign - not able to disable "decline to sign" - docusignapi

I need to disable the "Decline to Sign" option in the Other Actions drop-down to prevent the user from declining. Is there any option in DocuSign to do that?

I don't believe it's possible to remove the "Decline" button at the envelope level or recipient level. But you can control the visibility of the Decline button via the Brand-level setting DocuSign_DeclineAllow (set to a boolean value) in the Signing Resource File.
See this answer for more information.

https://support.docusign.com/en/guides/docusign-signing-resource-file-v2-0 might help. DocuSign_DeclineAllow is the field name.

Note that the signer can simply close the signing ceremony's browser tab...so they can always, effectively, "decline to sign."
The usual way to handle this is to not allow the user to proceed until after they've signed. Hiding the Decline to Sign button is security through obscurity (which is no security at all).

Docusign API: changing the signer name

We are currently implementing Docusign within an application. We send contracts to our customer, and set the Signer to our contact person. We want the customer to be able to sign using a different name than we originally supplied in the signer, if some other person within the company does the actual signing.
So we want the signer to change the signer name and initials in the 'Adopt your signature' dialog if needed, but these fields are greyed out and disabled for editing. According to the docs this should be possible: https://support.docusign.com/en/guides/signer-guide-signing-adopt-new
Example: We have a contact named Alice with email address info@example.com. We send the Signing request, and colleague Bob will read the request from the info@ mailbox, and sign it. I want Bob to be able to enter his name in the 'Adopt your signature' dialog. I have no knowledge of the existence of Bob within the company.
What I've tried so far:
In the Docusign admin settings (Settings -> Signing Settings -> Signature Adoption Configuration), the 'Lock recipient name' checkbox is disabled, but this does not result in any changes.
I've also tried to set the agentCanEditName flag on the signer (https://developers.docusign.com/docs/esign-rest-api/reference/envelopes/enveloperecipients/#core-recipient-parameters/) in the API, also without results.
So I have no idea how to allow the signer to change his/her own name, apart from using 'Other actions-> Assign to someone else' from the top menu. Any suggestions?
After sending the question to Docusign support, the conclusion was that they don't support this. The only way to implement this is by:
Instructing the signer to reassign the signing responsibility (https://support.docusign.com/en/guides/signer-guide-signing-change-signer)
Use in-person signing, where the host can opt to change the signer (https://support.docusign.com/en/guides/ndse-user-guide-in-person-signing).
Unfortunately, both methods require prior knowledge about the signing process from the signer. Simply editing a form field during the signer process is not possible.
Thank you for reaching out. Signing groups maybe what you're looking for: https://support.docusign.com/en/guides/ndse-user-guide-signing-groups
It allows one person from a group to sign the documents vs a specific person.
Have you tried using allowReassign: "true" in the envelopeDefinition? This offers the ability for a signer to forward the envelope to someone else and seems to be close to what you are looking for: https://support.docusign.com/en/guides/signer-guide-signing-change-signer
That being said, back to your problem, I'm not sure what the real problem is, but several features are incompatible with allowing recipients to change their name; that might be the case with your call/account. Do you have anything special enabled?

Can &hint= be disabled on forgot password links?

When a user tries to log in but fails with a bad password and then clicks the forgot password link, they are directed to a URL containing their PII email.
The hint is not injected until the link is clicked, so it can probably be fudged with some custom JS, but we would like to use configuration rather than customisation.
e.g.
https://b2ctenant.b2clogin.com/b2ctenant.onmicrosoft.com/B2C_1A_customflow/api/CombinedSigninAndSignup/forgotPassword?csrf_token=xxxx&tx=StateProperties=xxxx&p=B2C_1A_customflow&hint=blablablah@example.com
This PII has potential to be captured/logged/etc, which we would really like to avoid.
So, can we turn that off?
Yes, we understand this is a convenience/quality-of-life feature to help clients, but revealing their PII seems a poor trade-off.
If you initiate Password Reset by clicking on the "Forgot your password?" link at the sign-in page, clicking this link doesn't automatically trigger a password reset user flow. Instead, the error code AADB2C90118 is returned to your application. Your application needs to handle this error code by running a specific user flow that resets the password. You should be able to handle the URL and forgot password from the application.
The Azure AD B2C guidelines for using custom JS (https://learn.microsoft.com/en-us/azure/active-directory-b2c/user-flow-javascript-overview#guidelines-for-using-javascript) directly prohibit binding the click event on anchors/links, but we can use the mousedown event.
With that, we can use a JS snippet as below to clear the signInName field, and so prevent the link from containing the hint parameter:
// mousedown fires before the click handler that builds the link URL,
// so the name field is already empty when the hint would be read.
$("#forgotPassword").mousedown(function () {
    $("#signInName").val("");
});
This addresses the issue with customisation, so now we wait to see if we can replace it with an official configuration option.
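The same workaround in plain JS, as an added example that is not code from the thread: it keeps the element ids #forgotPassword and #signInName from the snippet above, adds keyboard activation (Enter on the focused link fires keydown before click, which mousedown alone does not cover), and includes a small helper for redacting the hint from any URL the application does end up logging. That keydown is acceptable under the same B2C guideline is an assumption.

```javascript
// Added example, not from the thread. Element ids come from the jQuery snippet
// above; the keyboard handling and the log redactor are additions.

// Blank the value of the "hint" query parameter while leaving every other
// parameter byte-for-byte intact, so a captured URL can be logged without the e-mail.
function redactHint(url) {
  return url.replace(/([?&]hint=)[^&#]*/gi, "$1[REDACTED]");
}

// Clear the sign-in name before B2C's own click handler copies it into the link.
// mousedown fires before click for mouse and touch; pressing Enter on a focused
// link fires keydown before click, so keyboard users are covered as well.
function installHintClearer(doc) {
  const link = doc.getElementById("forgotPassword");
  const field = doc.getElementById("signInName");
  if (!link || !field) return false;
  const clear = () => { field.value = ""; };
  link.addEventListener("mousedown", clear);
  link.addEventListener("keydown", (e) => { if (e.key === "Enter") clear(); });
  return true;
}

// Only wire up the handlers when running inside a browser page.
if (typeof document !== "undefined") installHintClearer(document);
```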

Recipient needs to adopt a new signature every time he needs to sign a document

I am using DocuSign with my web application. Whenever I try to sign the document, the first time I am asked to adopt a signature. From the next time onwards, DocuSign uses the same saved signature every time, even if I need to sign a new document. I need a feature where the recipient is asked to adopt and sign every time he visits a new document. But this is not happening. Is there any way we can do it? If not, do we have an option in the DocuSign recipient view where the recipient can select a new signature at his will?
The question "DocuSign remembers signature. Want to turn that feature off" is similar to mine. I tried the answers mentioned in the post but it did not help.
It sounds like you are using captive recipients and embedded signing. In this scenario, the signer is captive to your application. So, if you define a recipient a 2nd time using the same name, email and client user ID, DocuSign will use the signature the recipient adopted the first time around.
Two ways around this.
First, make the client user ID random. This way, the recipient is always unique and will always adopt a new signature.
Second, delete the signer's signature from your account after the envelope is completed. This way, they would have to adopt again even if you use the same client user ID.
There's definitely an option for this. Unfortunately I don't know which one it is.
Plus it might be one of the account options that is set by DocuSign Customer Service.
If you're working with a salesrep, ask him or her to have the setting updated for your developer account.
If you simply want to ensure (for your demos and development) that the signer will always be asked to adopt a signature, you can do that by always using a new {name, email} tuple.
E.g. if you send a doc to {Joe Signer, joe@signer.com} the first time, send to {Joe A. Signer, joe@signer.com} the second time.
I use this technique during demos to ensure that the demonstration will include the signature adoption step.

Don't allow users to close the docusign document without signing it

I am working with a PHP CodeIgniter application. I have embedded DocuSign in my application. My question is: can I disable the Close button at the top of the document, so that users are not allowed to close the document without signing it?
No there is no way to disable the Close button, and there never will be. Think about what you are asking:
You are sending an electronic signature request to someone, asking for their legally binding signature on a document.
Once they open, you want to make it so that they can't close without signing the document.
This is a form of coercion, it's like holding a gun to someone's head forcing them to sign a document saying they owe you $1,000,000. The DocuSign service will never allow this and will always allow people to decline to sign.
It's not possible to disable the close button within the DocuSign envelope. Even if it were possible to do so, it's never going to be possible to force a user to complete any task within your application. i.e., a user could do any of the following at any time:
exit/close your application altogether without signing the document
walk away from their computer/device without signing the document
lose internet connectivity rendering them unable to complete signing & submit the Envelope
shut down their computer/device altogether without signing the document
Disabling the Close button would do nothing to keep any of these things from happening.

Should email address be stored after logout?

I've written an add-on for a web application that inserts a "Remember Me" checkbox into login forms. One of my users expressed surprise that they are not remembered after logging out! Clearly someone who has logged out should stay logged out, and despite a specific request I will not fill the password field as that means storing the password in clear text.
My question is should the email address/username be pre-filled for a login form if a user has previously marked the "Remember Me" box?
Obviously if done on a public computer that would be effectively broadcasting their personal details to the next stranger who used that computer, but a user shouldn't use the "Remember Me" option on public computers anyway.
What are the security considerations of doing this? Do users expect some of their details to be remembered after logging out?
Edit: It occurs to me that browsers all have a feature to remember form values and login details anyway, perhaps making this unnecessary.
You should absolutely not pre-populate the email / login if someone has used the "remember me" feature. Keep in mind that this feature - also often called "keep me signed in" - is designed to persist the logged-in state across sessions. It's a usability feature to save the user from re-authenticating every time they visit the site.
It's not a means of persisting any part of the login credentials after explicitly signing out. Yes, the browser can remember form field values such as the login name but most security guidance explicitly recommends disabling this (refer to OWASP Top 10 for .NET developers part 3: Broken authentication and session management).
In terms of security systems, I certainly don't think there's any user expectation to pre-populate this data simply because the vast majority of websites don't operate in this fashion. Lowering the barrier to entry is fine if it's done with explicit consent, but not when the user has specifically signed out or ended their session and not when the behaviour is inconsistent with what they'd expect.
"Remember me" is not the same thing as "keep me signed in."
Many banking sites use "remember me" to save the username (but not the session) even after the user has logged out (ING Direct and Citizens Bank are a couple of examples). They usually hide part of the name for security purposes.
To make things clear for your users, you probably want to change the wording to "stay signed in" or something similar.
Assuming their email address is being used as their user identifier, this is the behavior I expect and frequently see from many applications that I don't expect high levels of security from.
A more secure implementation is to store an encrypted identifier and only ask for the password when the user tries to log in. This is the behavior I see and expect from sites that hold my financial information. Ensuring the browser doesn't remember the password field is important for such sites.
It is good practice to place a warning about not using "Remember me" on public computers next to the check box.
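The semantics the first answer describes, as an added example that is not code from the thread: a "remember me" that persists only the logged-in state (a random token, stored server-side as a hash), never the e-mail or password, and that stops working the moment the user logs out. The class and function names and the 30-day lifetime are my own choices.

```python
# Added example, not from the thread: "remember me" as a revocable login token.
import hashlib
import secrets
import time

REMEMBER_TTL = 30 * 24 * 3600  # assumed token lifetime for this example


class RememberMeStore:
    """Server-side table keyed by SHA-256 of the cookie token. Only the hash is
    stored (a leaked table cannot be replayed), and each record holds just a
    user id and an expiry: no username, no e-mail, no password."""

    def __init__(self):
        self._records = {}  # sha256(token) -> (user_id, expires_at)

    @staticmethod
    def _key(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id, now=None):
        """After a successful password login with the box ticked. Returns the
        random value to set in the cookie; only its hash is kept here."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._records[self._key(token)] = (user_id, now + REMEMBER_TTL)
        return token

    def resume(self, token, now=None):
        """On a later visit: user id to sign in silently, or None when the
        token is unknown, revoked or expired (expired ones are dropped)."""
        now = time.time() if now is None else now
        record = self._records.get(self._key(token))
        if record is None:
            return None
        user_id, expires_at = record
        if now >= expires_at:
            self._records.pop(self._key(token), None)
            return None
        return user_id

    def revoke(self, token):
        """Explicit logout: the cookie value must stop working at once."""
        self._records.pop(self._key(token), None)


def login_page_state(store, cookie_token, now=None):
    """Sign in silently while the token is valid; otherwise show the login
    form with nothing pre-filled, which is what a logged-out user gets."""
    user_id = store.resume(cookie_token, now) if cookie_token else None
    if user_id is not None:
        return {"signed_in_as": user_id}
    return {"signed_in_as": None, "prefilled_username": ""}
```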