How to apply a Digital Signature to an InfoPath form?
Posted by PANVEGA on March 3, 2009
When creating an InfoPath template, you can establish trust with a digital signature in 2 ways.
- When developing an IP template you can add a certificate to your XSN template, then publish it and apply it on your server, so that every client knows that the form comes from a trusted location.
- The other certification procedure is a client-side certificate, which should be sent to the server CA (Certificate Authority). This is very useful when, for example, many employees travel and work remotely and the forms must be available to be completed and signed in a Web browser or in the IP client.
1. Deploy a certificate to your XSN template on the Server
In InfoPath you can create a fully trusted server-side form template by signing the XSN with a code-signing certificate. Here’s what you do:
- While in the InfoPath designer, select Tools | Form Options | Security
- Uncheck the “Automatically determine security level based on form’s design”
- Select Full Trust
- Click the Sign this form button
The first time your users fill out the form that you have signed with a certain certificate, they will see a Security Warning dialog that notifies them that the form template is digitally signed and asks if they trust the publisher. Once they have checked the box to trust the publisher, they will be able to open any form template that asks for full trust and is signed with that same certificate.
If users find that the option to trust the publisher is disabled, that means that the root of the certificate used is not trusted on the user’s machine.
You obtained your code-signing certificate by asking a CA (Certificate Authority) for it. What the CA delivered to you is a certificate that now sits in your Personal certificate folder and is trusted by you and by anybody who trusts the CA that issued it. So, for example, if you get a code-signing certificate from VeriSign, any user will have the option to trust you as a publisher as long as they also have VeriSign in the list of Trusted Root Certification Authorities on their machine. Once a user has trusted the root of a certificate, the option to trust the publisher will be enabled in the Security Warning dialog that is displayed when they fill out a fully trusted, signed form.
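Before ticking “trust the publisher”, it is worth seeing who actually signed the template and which root that signer chains to. The following script is an added example and not code from the original post; it assumes Windows PowerShell on a machine with the template, that the .xsn cabinet carries an Authenticode signature that Get-AuthenticodeSignature can read, and the file path is a placeholder.

```powershell
# Added example, not from the original post: inspect the signer of a full-trust
# form template and check whether its chain ends in a root the local machine trusts.
# Assumption: the .xsn is Authenticode-signed; the path below is a placeholder.
$xsnPath = 'C:\Forms\EmployeeReview.xsn'   # placeholder, adjust to your template

$sig = Get-AuthenticodeSignature -FilePath $xsnPath
"Signature status  : $($sig.Status)"        # Valid / NotSigned / UnknownError (e.g. untrusted root)
"Status message    : $($sig.StatusMessage)"

if ($sig.SignerCertificate -ne $null) {
    $signer = $sig.SignerCertificate
    "Publisher         : $($signer.Subject)"
    "Issuer            : $($signer.Issuer)"
    "Thumbprint        : $($signer.Thumbprint)"

    # Build the chain explicitly so the failure reason is reported by name; an
    # untrusted root is exactly the case in which InfoPath greys out the
    # "trust the publisher" check box.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $codeSigningEku = New-Object System.Security.Cryptography.Oid '1.3.6.1.5.5.7.3.3'
    $chain.ChainPolicy.ApplicationPolicy.Add($codeSigningEku) | Out-Null
    $built = $chain.Build($signer)
    "Chain builds      : $built"
    foreach ($status in $chain.ChainStatus) {
        "  problem         : $($status.Status) - $($status.StatusInformation.Trim())"
    }

    # The last chain element is the root; report which trusted-root store, if any, holds it.
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    "Root              : $($root.Subject)"
    $trusted = Get-ChildItem Cert:\LocalMachine\Root, Cert:\CurrentUser\Root |
               Where-Object { $_.Thumbprint -eq $root.Thumbprint }
    "Root is trusted   : $([bool]$trusted)"
}
```

If the chain reports UntrustedRoot, the fix on the client side is to import that root into Trusted Root Certification Authorities only after confirming out of band that it is the CA your organisation intended; the check above restricts the chain to the Code Signing usage so a certificate issued for some other purpose is not accepted as a publisher certificate.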
2. Client-side digital signatures
In a few steps I will show how to enable digital signatures in an InfoPath form so that users can sign the form in Microsoft Office InfoPath 2007 or in Internet Explorer.
You can enable digital signatures when designing a form so that users can add a digital signature when filling it out. This digital signature proves that the form originated from the signer and has not been changed. The signature can also include some comments from its author. After signing, the data in the form cannot be changed without invalidating the digital signature.
When adding a digital signature, the user must use a digital certificate. A digital certificate is an attachment to a file, macro project, or e-mail message that assures authenticity, provides secure encryption, or supplies a verifiable signature. Digital certificates, which you can get through commercial certification authorities or from your internal security administrator, establish the authenticity of the signature.
You need the following things:
- A digital certificate from a CA (Certificate Authority) with which to sign the form. You can obtain one from VeriSign; in this case, VeriSign is the certification authority.
- Access to a Microsoft Office SharePoint Server site on a server that is running InfoPath Forms Services.
For the user’s certificate to be trusted, the certificate of the certification authority must be installed in the Trusted Root certificate folder on the server. When you use a VeriSign certificate, it is installed with Windows Server 2003. If you are using a different certification authority, install the certificate in the Trusted Root folder on the server.
You can use different Web browsers to open InfoPath forms from a server running InfoPath Forms Services; however, you can only use Internet Explorer to digitally sign InfoPath forms.
InfoPath lets you show digital signature UI (“click here to sign this form”) under a signable section; however, this section doesn’t have to include any controls! This means that you can have your signable section with controls at the top of the form, some extra content in the middle, and then another section bound to the same nodes in the data source without any controls in it.
When you enable digital signatures for an entire form, the form users must enter all the data they require before they sign the form. After the first signature is added, all controls in the form and the form’s XML Document Object Model (DOM) become read-only, and the text [Signed] appears in the title bar. Other users who open the form cannot enter data; they can only add, remove, or verify counter-signatures.
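What “cannot be changed without invalidating the signature” means at the XML level is easiest to see by signing a small form instance and then editing a field. The script below is an added example and not code from the original post or from InfoPath itself: it uses the .NET SignedXml class (the same XML Digital Signature standard that InfoPath form signatures use) in Windows PowerShell 5.1 on .NET Framework 4.6.2 or later. The element names, the namespace, the signatures2 container and the self-signed test certificate are all constructed for the demo; the certificate is removed again at the end.

```powershell
# Added example, not from the original post: sign a constructed form instance,
# verify it, edit a signed field and verify again. Assumes Windows PowerShell 5.1.
Add-Type -AssemblyName System.Security

# A CAPI provider is chosen so that $cert.PrivateKey yields an RSACryptoServiceProvider
# that SignedXml can use directly and that supports SHA-256. Test certificate only.
$cert = New-SelfSignedCertificate -Subject 'CN=InfoPath Demo Signer (test only)' `
    -CertStoreLocation Cert:\CurrentUser\My -KeyAlgorithm RSA -KeyLength 2048 `
    -Provider 'Microsoft Enhanced RSA and AES Cryptographic Provider' `
    -NotAfter (Get-Date).AddDays(1)

# Constructed form instance: one signable section and an empty signature container
[xml]$form = @'
<myFields xmlns="http://example.invalid/employee-review">
  <review>
    <employee>J. Doe</employee>
    <rating>3</rating>
  </review>
  <signatures2 />
</myFields>
'@

function Add-FormSignature([xml]$doc, [System.Security.Cryptography.X509Certificates.X509Certificate2]$signer) {
    $signed = New-Object System.Security.Cryptography.Xml.SignedXml($doc)
    $signed.SigningKey = $signer.PrivateKey
    # Reference "" covers the whole document; the enveloped transform excludes the
    # Signature element itself from the digest so the signature can live inside the form.
    $ref = New-Object System.Security.Cryptography.Xml.Reference
    $ref.Uri = ''
    $ref.AddTransform((New-Object System.Security.Cryptography.Xml.XmlDsigEnvelopedSignatureTransform))
    $signed.AddReference($ref)
    # Embed the signer's certificate so a verifier can see who signed
    $keyInfo = New-Object System.Security.Cryptography.Xml.KeyInfo
    $keyInfo.AddClause((New-Object System.Security.Cryptography.Xml.KeyInfoX509Data($signer)))
    $signed.KeyInfo = $keyInfo
    $signed.ComputeSignature()
    $sigNode = $doc.ImportNode($signed.GetXml(), $true)
    $container = $doc.GetElementsByTagName('signatures2').Item(0)
    $container.AppendChild($sigNode) | Out-Null
}

function Test-FormSignature([xml]$doc) {
    $sigs = $doc.GetElementsByTagName('Signature', 'http://www.w3.org/2000/09/xmldsig#')
    if ($sigs.Count -eq 0) { return 'unsigned' }     # the "signature container is blank" case
    $signed = New-Object System.Security.Cryptography.Xml.SignedXml($doc)
    $signed.LoadXml($sigs.Item(0))
    # CheckSignature() re-computes the digests and checks the RSA signature with the
    # public key carried in KeyInfo; it does not validate the certificate chain.
    if ($signed.CheckSignature()) { 'valid' } else { 'INVALID' }
}

"before signing : $(Test-FormSignature $form)"     # unsigned
Add-FormSignature $form $cert
"after signing  : $(Test-FormSignature $form)"     # valid
$form.myFields.review.rating = '5'                 # edit a field that is covered by the signature
"after editing  : $(Test-FormSignature $form)"     # INVALID

Remove-Item "Cert:\CurrentUser\My\$($cert.Thumbprint)" -DeleteKey
```

Two things carry over to real forms: the digest covers exactly the signable data set you define in the designer, so anything outside that set can still be edited without breaking the signature, and CheckSignature() alone says nothing about whether the signer's certificate is trusted; that is a separate chain check against the Trusted Root store on the server, as the next section describes.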
Creating and Signing the Form Template
You will first create a form template that can be signed, and then sign it with a digital certificate in Internet Explorer.
To create a form template that can be signed in Internet Explorer
- Start Office InfoPath 2007.
- In the Getting Started dialog box, click Design a Form Template.
- In the Design a Form Template dialog box, click the Form Template option, and then select Blank.
- Check the Enable browser-compatible features only check box, and then click OK.
- On the Design Tasks task pane, click the Controls link.
- On the Controls task pane, drag a section into the view. This will be the main section for your form.
- Drag controls into this section to customize the employee review form.
- Right-click the tab at the bottom of the main section labeled Section and select Section Properties.
- In the Section Properties dialog box, select the Digital Signatures tab.
- Select the Allow users to digitally sign this section check box.
- In the Sign the following data in the form when this section is signed list, select Add data that can be signed.
- In the Set of Signable Data dialog box, select the Allow only one signature option, and then click OK.
- On the File menu, click Save, and save the form to the computer desktop.
- On the File menu, click Publish.
- In the Publishing Wizard, select To a SharePoint server with or without InfoPath Forms Services, and then click Next.
- Type the URL of your SharePoint Server site, and click Next.
- Click the Document Library option, select the Enable this form to be filled out by using a browser option, and then click Next.
- Click the Create a new document library option, and click Next.
- In the Name text box, type EmployeeReview as the name for your document library, and then click Next.
- You are not promoting any properties in the form, so click Next to skip this screen. Then click Publish.
- Click the Open this form in a browser link. The form is displayed in an Internet Explorer window.
- Switch back to InfoPath and select the Open this document library check box.
- On the last page of the Publishing Wizard, click Close.
To digitally sign the InfoPath form in Internet Explorer
- Navigate to your form by entering the following URL, replacing <ServerName> with the name of your SharePoint server: http://<ServerName>/_layouts/FormServer.aspx?xsnlocation=http://<ServerName>/EmployeeReview/forms/template.xsn&OpenIn=browser
- A License Agreement dialog box appears.
- Select the I accept check box, and click Next.
- Click Install to install the digital signature control software.
- Fill out the Signing Web page dialog box, and click Sign when you are finished. To enable the I have verified this content before signing check box, you must select the digital certificate that you obtained from the certificate authority.
- The signature is now visible on the form.
Note: You can sign a whole form only in InfoPath client templates. In web-based forms you have to apply the signature to the section you created.
1) Show must-sign warning:
– condition: the signatures2 node is blank (this evaluates to true when no signature has been added)
– action: show a dialog box message “you must sign the form before submitting it”
– check “stop processing rules when this rule finishes”
2) Submit to main data source:
– condition: always applies (unless the first rule fired, in which case we would not reach this execution point)
– actions: submit to main data source + show dialog box message “submission was successful”