Runtime delegated signing
Follow these steps to implement runtime delegated signing in your service
What does runtime delegated signing mean?
By runtime delegated signing, we mean an app where those who need to sign are granted rights during the form-filling process.
Typically, the app will ask the form owner to provide the social security number and last name of the individuals who need to sign, or alternatively, the organization number if someone with signing authority within a company needs to sign.
Once the form is fully completed, the user presses “Submit for singing”. The app will then delegate rights and send a message to the inbox in Altinn. The recipient may also be notified via email and SMS, depending on the configuration.
Prerequisites
Runtime delegated signing depends on then message service (Correspondence) in Altinn, which requires separate configuration.
The message service is used to tell the signee that they have been asked to sign a form in Altinn, and to send them a receipt of what they signed when the signature has been submitted.
See how to get started in this guide.
Example Application
In the following repository, you can find an example of an application with user-driven signing.
The main flow is:
- The form filler enters the personal identification number and last name of the individuals who need to sign, or alternatively, the organization number if it is a company.
- Once the form is completed, the filler clicks a “Go to signing” button, which moves the process to the signing step.
- During the signing step, the application calls an implementation of the interface
ISigneeProvider, which you must implement, to determine who should be delegated access to sign. - The signers are delegated rights and receive a notification that they have a signing task.
- The signers find the form in their inbox, open it, review the data, and click “Sign.”
- The submitter also signs if the app is configured this way and then submits the form. Automatic submission is currently not supported.
Below are the key configuration steps for setting up such an application.
1. Add and configure a singing task in the app process
Extend the Application Process with a Signing Task
A signing task must be added to App/config/process/process.bpmn, as shown in the example below.
We recommend doing this using the Altinn Studio process editor, so that the BPMN diagram is generated, to show the apps process. However, as of now, the process editor will only partially configure this task correctly, so some manual adjustments are required.
Signing uses two user actions.
sign: The actual signing action.reject: If the signing step should be cancellable, a gateway must also be added to control where the process should continue. See the example below.
If the Altinn user interface is used by the application, these actions will be triggered by button clicks in the signing stage. If only the API is used, they must be triggered manually via the /actions endpoint or the process next endpoint.
<bpmn:task id="SigningTask" name="Signering">
<bpmn:extensionElements>
<altinn:taskExtension>
<altinn:taskType>signing</altinn:taskType>
<altinn:actions>
<altinn:action>sign</altinn:action>
<altinn:action>reject</altinn:action>
</altinn:actions>
<altinn:signatureConfig>
<!-- The actual data that should be signed. Can be attachments, the form data in xml or PDF from earlier step. -->
<altinn:dataTypesToSign>
<altinn:dataType>ref-data-as-pdf</altinn:dataType>
</altinn:dataTypesToSign>
<!-- This data type is used to store the signatures -->
<altinn:signatureDataType>signatures</altinn:signatureDataType>
<!-- This data type is used to store the signees and related information -->
<altinn:signeeStatesDataTypeId>signeesState</altinn:signeeStatesDataTypeId>
<!-- This ID tells the app which implementation of the C# interface ISigneeProvider that should be used for this singing step -->
<altinn:signeeProviderId>signees</altinn:signeeProviderId>
<!-- If you want a PDF summary of the singing step, enter a datatype of type application/pdf here -->
<altinn:signingPdfDataType>signing-step-pdf</altinn:signingPdfDataType> <!-- optional -->
<!-- If the signee should receive a receipt with the documents that were signed in their Altinn inbox, enter a correspondence resource her. Setup of this is documented separately. -->
<altinn:correspondenceResource>app-correspondence-resource</altinn:correspondenceResource> <!-- optional -->
<!-- We have made a default validator that can be enabled here. It checks that all signees have signed and that minCount on the signature datatype is fulfilled. If default validation is not enabled, custom validation of the signatures should be added. -->
<altinn:runDefaultValidator>true</altinn:runDefaultValidator>
</altinn:signatureConfig>
</altinn:taskExtension>
</bpmn:extensionElements>
<bpmn:incoming>SequenceFlow_1oot28q</bpmn:incoming>
<bpmn:outgoing>SequenceFlow_1if1sh9</bpmn:outgoing>
</bpmn:task>
Add data types for storing signing related data
These data types should be added to dataTypes in App/config/applicationmetadata.json.
The first data type is used by the signing stage to store the actual signatures generated when a user completes the signing action.
{
"id": "signatures",
"allowedContentTypes": [
"application/json"
],
"allowedContributors": [
"app:owned"
],
"minCount": 1
}
This data type is used to store information about the signers who should be delegated signing rights and their status.
{
"id": "signeeState",
"allowedContentTypes": [
"application/json"
],
"allowedContributors": [
"app:owned"
],
"maxCount": 1,
"minCount": 1
}
It is important to set allowedContributors to "app:owned". This ensures that these data items cannot be edited via the app’s API but only by the app itself. Before version 8.6, this was misspelled allowedContributers.
The IDs of the data types can be changed, but they must match the IDs set in signatureDataType and signeeStatesDataTypeId in the process step, as shown in the next section.
Access control
Give readm write and optionally sign to the role that should fill out the form.
In order for the service to be able to delegate access rights to the signees, the app needs to have the right to delegate the read and sign actions.
Below is an example which you can use in your policy.xml file.
- Replace
ttdwith the correct org. - Replace
app_ttd_signering-brukerstyrtwith your own org and app name inserted into this template:app_{org}_{app-name}. - Replace
signering-brukerstyrtwith your app name - Modify the RuleId attribute to fit nicely into your policy.xml.
<xacml:Rule RuleId="urn:altinn:org:ttd:signering-brukerstyrt:ruleid:7" Effect="Permit">
<xacml:Description>
A rule defining all instance delegation rights the App itself is allowed to perform for instances of the app ttd/signering-brukerstyrt. In this example the app can delegate the Read and Sign actions for task SingingTask.
</xacml:Description>
<xacml:Target>
<xacml:AnyOf>
<xacml:AllOf>
<xacml:Match
MatchId="urn:oasis:names:tc:xacml:3.0:function:string-equal-ignore-case">
<xacml:AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string">
app_ttd_signering-brukerstyrt
</xacml:AttributeValue>
<xacml:AttributeDesignator
AttributeId="urn:altinn:resource:delegation"
Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
DataType="http://www.w3.org/2001/XMLSchema#string"
MustBePresent="false"
/>
</xacml:Match>
</xacml:AllOf>
</xacml:AnyOf>
<xacml:AnyOf>
<xacml:AllOf>
<xacml:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<xacml:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">ttd</xacml:AttributeValue>
<xacml:AttributeDesignator
AttributeId="urn:altinn:org"
Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
DataType="http://www.w3.org/2001/XMLSchema#string"
MustBePresent="false"
/>
</xacml:Match>
<xacml:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<xacml:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">signering-brukerstyrt</xacml:AttributeValue>
<xacml:AttributeDesignator
AttributeId="urn:altinn:app"
Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
DataType="http://www.w3.org/2001/XMLSchema#string"
MustBePresent="false"
/>
</xacml:Match>
<xacml:Match
MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<xacml:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">SingingTask</xacml:AttributeValue>
<xacml:AttributeDesignator
AttributeId="urn:altinn:task"
Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
DataType="http://www.w3.org/2001/XMLSchema#string"
MustBePresent="false"
/>
</xacml:Match>
</xacml:AllOf>
<xacml:AnyOf>
<xacml:AllOf>
<xacml:Match MatchId="urn:oasis:names:tc:xacml:3.0:function:string-equal-ignore-case">
<xacml:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</xacml:AttributeValue>
<xacml:AttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action"
DataType="http://www.w3.org/2001/XMLSchema#string"
MustBePresent="false"
/>
</xacml:Match>
</xacml:AllOf>
<xacml:AllOf>
<xacml:Match MatchId="urn:oasis:names:tc:xacml:3.0:function:string-equal-ignore-case">
<xacml:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">sign</xacml:AttributeValue>
<xacml:AttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action"
DataType="http://www.w3.org/2001/XMLSchema#string"
MustBePresent="false"
/>
</xacml:Match>
</xacml:AllOf>
</xacml:AnyOf>
</xacml:Target>
</xacml:Rule>
This step needs to be done manually. Support for configuration in Altinn Studio Designer will come later. Take a look at the “Manual setup”-tab for this section for guidance.
2. Add a singing layout set
Add a folder under App/ui for your singing task called signing or some other logical name.
Update App/ui/layout-sets.json with a new page group, using the same id as the folder you just created.
{
"$schema": "https://altinncdn.no/toolkits/altinn-app-frontend/4/schemas/json/layout/layout-sets.schema.v1.json",
"sets": [
{
"id": "form",
"dataType": "model",
"tasks": [
"Task_1"
]
},
{
"id": "signing",
"dataType": "model",
"tasks": [
"SigningTask"
]
}
]
}
In the folder you created, add a new file called signing.json.
There are standard components that can be used to build a layout set for a signing step. You are not required to use these components, but it’s recommended.
- SigneeList:
- Lists the signees and their signing status.
- SigningDocumentList:
- Lists the data being signed. For example attachments, xml-data or a PDF summary from an earlier step.
- SigningStatusPanel:
- Determines the current status of the singing task and present relevant information and buttons to the end user, for instance the “Sign”-button.
If you choose not to use the SigningActions to display the “Sign”-button, you must as a minimum add an action button with action sign, to allow the end user to sign.
Example of usage of the standard components:
{
"$schema": "https://altinncdn.no/schemas/json/layout/layout.schema.v1.json",
"data": {
"layout": [
{
"id": "headerSigningFounders",
"type": "Header",
"size": "M",
"textResourceBindings": {
"title": "Her kan man ha en overskrift"
}
},
{
"id": "signee-list",
"type": "SigneeList",
"textResourceBindings": {
"title": "Personer som skal signere",
"description": "Personer som skal signere beskrivelse",
"help": "Dette er personer som skal signere"
}
},
{
"id": "signing-documents",
"type": "SigningDocumentList",
"textResourceBindings": {
"title": "Dokumenter som skal signeres",
"description": "Dokumenter som skal signeres beskrivelse"
}
},
{
"id": "signing-state",
"type": "SigningActions"
}
]
}
}
This step needs to be done manually. Support for configuration in Altinn Studio Designer will come later. Take a look at the “Manual setup”-tab for this section for guidance.
3. Optional - Custom validation
You can use the default validator as mentioned in step 2. It verifies that the number of signatures meets at least the
minCount set in the data model configuration. Custom validation can be set up by implementing the IValidator or ITaskValidator
interface as described in How to add custom validation.
Note that if you configure the app to execute the sign action on the process next call, the action will be done before the validation.
A fictitious example is a validator which verifies that at minimum one signature is done on behalf of an organisation:
public class SigningTaskValidator : IValidator
{
private readonly IProcessReader _processReader;
public SigningTaskValidator(IProcessReader processReader)
{
_processReader = processReader;
}
/// <summary>
/// We implement <see cref="ShouldRunForTask"/> instead.
/// </summary>
public string TaskId => "*";
/// <summary>
/// Only runs for tasks that are of type "signing".
/// </summary>
public bool ShouldRunForTask(string taskId)
{
AltinnTaskExtension? taskConfig;
try
{
taskConfig = _processReader.GetAltinnTaskExtension(taskId);
}
catch (Exception)
{
return false;
}
return taskConfig?.TaskType == "signing";
}
public bool NoIncrementalValidation => true;
/// <inheritdoc />
public Task<bool> HasRelevantChanges(IInstanceDataAccessor dataAccessor, string taskId, DataElementChanges changes)
{
throw new UnreachableException(
"HasRelevantChanges should not be called because NoIncrementalValidation is true."
);
}
/// <inheritdoc />
/// <remarks>Validates that at minimum one signature is done on behalf of an organisation.</remarks>
public async Task<List<ValidationIssue>> Validate(
IInstanceDataAccessor instanceDataAccessor,
string taskId,
string? language
)
{
AltinnSignatureConfiguration signatureConfiguration =
(_processReader.GetAltinnTaskExtension(taskId)?.SignatureConfiguration)
?? throw new ApplicationConfigException("Signing configuration not found in AltinnTaskExtension");
string signatureDataTypeId =
signatureConfiguration.SignatureDataType
?? throw new ApplicationConfigException("SignatureDataType is not set in the signature configuration.");
IEnumerable<DataElement> signatureDataElements = instanceDataAccessor.GetDataElementsForType(
signatureDataTypeId
);
SignDocument[] signDocuments = await Task.WhenAll(
signatureDataElements.Select(async signatureDataElement =>
{
ReadOnlyMemory<byte> data = await instanceDataAccessor.GetBinaryData(signatureDataElement);
string signDocumentSerialized = Encoding.UTF8.GetString(data.ToArray());
return JsonSerializer.Deserialize<SignDocument>(signDocumentSerialized)
?? throw new JsonException("Could not deserialize signature document.");
})
);
var organisationHasSigned = signDocuments.Any(doc => doc?.SigneeInfo?.OrganisationNumber is not null);
if (organisationHasSigned is false)
{
return
[
new ValidationIssue
{
Code = "SignatureIssues",
Severity = ValidationIssueSeverity.Error,
Description = "An organisation must sign the document.",
},
];
}
return [];
}
}
4. Optional - Setup text resources
This section is only relevant for those who want to override the standard texts in the communication with the signees.
The standard values for the communication texts are as follows:
| Tekst | StandardVerdi |
|---|---|
| Inbox message to signee - title | “{appName}: Task for signing” |
| Inbox message to signee - summary | “Your signature is requested for {appName}.” |
| Inbox message to signee - content | “You have a task waiting for your signature. <a href="{instanceUrl}">Click here to open the application. If you have any questions, you can contact {appOwner}.” |
| Sms to signee - content | “Your signature is requested for {appName}. Open your Altinn inbox to proceed.” |
| Email to signee - emne | “{appName}: Task for signing” |
| Email to signee - content | “Your signature is requested for {appName}. Open your Altinn inbox to proceed. If you have any questions, you can contact {appOwner}.” |
| Receipt to signee - title | “{appName}: Signature confirmed” |
| Receipt to signee - summary | “Your signature has been registered for {appName}.” |
| Receipt to signee - content | “The signed documents are attached. They may be downloaded. If you have any questions, you can contact {appOwner}.” |
| Tekst | StandardVerdi |
|---|---|
| Inbox message to signee - title | “{appName}: Oppgave til signering” |
| Inbox message to signee - summary | “Din signatur ventes for {appName}.” |
| Inbox message to signee - content | “Du har en oppgave som venter på din signatur. <a href="{instanceUrl}">Klikk her for å åpne applikasjonen. Hvis du lurer på noe, kan du kontakte {appOwner}.” |
| Sms to signee - content | “Din signatur ventes for {appName}. Åpne Altinn-innboksen din for å fortsette.” |
| Email to signee - emne | “{appName}: Oppgave til signering” |
| Email to signee - content | “Din signatur ventes for {appName}. Åpne Altinn-innboksen din for å fortsette. Hvis du lurer på noe, kan du kontakte {appOwner}.” |
| Receipt to signee - title | “{appName}: Signeringen er bekreftet” |
| Receipt to signee - summary | “Du har signert for {appName}.” |
| Receipt to signee - content | “Dokumentene du har signert er vedlagt. Disse kan lastes ned om ønskelig. Hvis du lurer på noe, kan du kontakte {appOwner}.” |
| Tekst | StandardVerdi |
|---|---|
| Inbox message to signee - title | “{appName}: Oppgåve til signering” |
| Inbox message to signee - summary | “Signaturen din vert venta for {appName}.” |
| Inbox message to signee - content | “Du har ei oppgåve som ventar på signaturen din. <a href="{instanceUrl}">Klikk her for å opne applikasjonen. Om du lurer på noko, kan du kontakte {appOwner}.” |
| Sms to signee - content | “Signaturen din vert venta for {appName}. Opne Altinn-innboksen din for å gå vidare.” |
| Email to signee - emne | “{appName}: Oppgåve til signering” |
| Email to signee - content | “Signaturen din vert venta for {appName}. Opne Altinn-innboksen din for å gå vidare. Om du lurer på noko, kan du kontakte {appOwner}.” |
| Receipt to signee - title | “{appName}: Signeringa er stadfesta” |
| Receipt to signee - summary | “Du har signert for {appName}.” |
| Receipt to signee - content | “Dokumenta du har signert er vedlagde. Dei kan lastast ned om ønskeleg. Om du lurer på noko, kan du kontakte {appOwner}.” |
If you wish to override the standard texts:
Add a text resource file under ‘App/config/texts’ for each language you want to support.
Here you define text resources to be used in communication with the user.
With the CommunicationConfig property on the provided signee in your implementation of the ISigneeProvider interface,
you may override the content sent to the Altinn inbox, in addition to notifications sent the signer of a signing task.
You can name these whatever you want and connect them to CommunicationConfig in the next step (step 4).
Example of text resources for notifications with custom texts for email, as well as receipt:
{
"id": "signing.correspondence_title_common",
"value": "Task - Sign founding documents"
},
{
"id": "signing.correspondence_summary_stifter_person",
"value": "You have been added as a signer."
},
{
"id": "signing.correspondence_summary_stifter_organisation",
"value": "Organisjonen har blitt lagt til som signatar."
},
{
"id": "signing.correspondence_body_stifter_person",
"value": "You have been added as a signer for founding documents. <br /> $instanceUrl$ <br /><br />"
},
{
"id": "signing.correspondence_body_stifter_organisation",
"value": "Your organisation has been added as a signer for founding documents. <br /> $instanceUrl$ <br /><br />"
},
{
"id": "signing.notification_content",
"value": "Hello $correspondenceRecipientName$,\n\nYou have received founding documents for signing in Altinn. Log in to Altinn to sign the documents.\n\nBest regards,\nBrønnøysund Register Centre"
},
{
"id": "signing.email_subject",
"value": "Founding documents received for signing in Altinn. Go to Altinn inbox to sign."
},
Overriding the receipt is not possible on the signee level, but generally for all signees. Here the key of the text resources must match the following keys in order to take effect.
signing.correspondence_receipt_title - title
signing.correspondence_receipt_summary - summary
signing.correspondence_receipt_body - content
{
"id": "signing.correspondence_receipt_title",
"value": "Receipt: Signing of founding documents"
},
{
"id": "signing.correspondence_receipt_summary",
"value": "You have signed the founding documents"
},
{
"id": "signing.correspondence_receipt_body",
"value": "The documents you have signed are attached. These can be downloaded if desired. <br /><br />If you have any questions, contact the Brønnøysund Register Centre at phone 75 00 75 00."
},
This step needs to be done manually. Support for configuration in Altinn Studio Designer will come later. Take a look at the “Manual setup”-tab for this section for guidance.
5. Tell the app who the signees are
To allow the app to determine who should receive access to read and sign, the C# interface ISigneeProvider must be implemented.
The implementation must return a set of individuals and/or organizations that should receive rights to sign. This can be based on the data model, as shown in the example below.
The Id property in this implementation must match the ID specified in altinn:signeeProviderId.
Note that CommunicationConfig is optional. Here you may override the standard texts used in communication with the signees,
as explained in section 3. You may also override the email address and phone number for the signees. By default, a message
will be sent to the signees altinn inbox with a link to the relevant application instance and a notification
will be sent via email. To turn on SMS notifications, set SMS = new Sms{ MobileNumber = “”}. If not overridden, the email
addresses and the phone numbers used are populated as described in Recipient lookup
and Address lookup.
#nullable enable
using System.Collections.Generic;
using System.Linq;
using System.Threading.Tasks;
using Altinn.App.Core.Features;
using Altinn.App.Core.Features.Signing;
using Altinn.App.Models.Skjemadata;
using Altinn.Platform.Storage.Interface.Models;
namespace Altinn.App.logic;
public class FounderSigneesProvider : ISigneeProvider
{
public string Id { get; init; } = "founders";
public async Task<SigneeProviderResult> GetSignees(GetSigneesParameters parameters)
{
DataElement dataElement = parameters.InstanceDataAccessor
.GetDataElementsForType("Skjemadata")
.Single();
var formData = await parameters.InstanceDataAccessor.GetFormData<Skjemadata>(dataElement);
List<ProvidedSignee> providedSignees = [];
foreach (StifterPerson stifterPerson in formData.StifterPerson)
{
var personSignee = new ProvidedPerson
{
FullName = string.Join(
" ",
[stifterPerson.Fornavn, stifterPerson.Mellomnavn, stifterPerson.Etternavn]
),
SocialSecurityNumber = stifterPerson.Foedselsnummer?.ToString() ?? string.Empty,
// CommunicationConfig is optional
CommunicationConfig = new CommunicationConfig
{
InboxMessage = new InboxMessage
{
TitleTextResourceKey = "signing.correspondence_title_common",
SummaryTextResourceKey = "signing.correspondence_summary_stifter_person",
BodyTextResourceKey = "signing.correspondence_body_stifter_person"
},
Notification = new Notification
{
Email = new Email
{
EmailAddress = stifterPerson.Epost,
SubjectTextResourceKey = "signing.email_subject",
BodyTextResourceKey = "signing.notification_content"
},
Sms = new Sms
{
MobileNumber = stifterPerson.Mobiltelefon,
BodyTextResourceKey = "signing.notification_content"
}
}
},
};
providedSignees.Add(personSignee);
}
foreach (StifterVirksomhet stifterVirksomhet in formData.StifterVirksomhet)
{
var organisationSignee = new ProvidedOrganization
{
Name = stifterVirksomhet.Navn,
OrganizationNumber =
stifterVirksomhet.Organisasjonsnummer?.ToString() ?? string.Empty,
// CommunicationConfig is optional
CommunicationConfig = new CommunicationConfig
{
InboxMessage = new InboxMessage
{
TitleTextResourceKey = "signing.correspondence_title_common",
SummaryTextResourceKey = "signing.correspondence_summary_stifter_organisasjon",
BodyTextResourceKey = "signing.correspondence_body_stifter_organisasjon"
},
Notification = new Notification
{
Email = new Email
{
EmailAddress = stifterVirksomhet.Epost,
SubjectTextResourceKey = "signing.email_subject",
BodyTextResourceKey = "signing.notification_content".Replace(
"{0}",
stifterVirksomhet.Navn
),
},
Sms = new Sms
{
MobileNumber = stifterVirksomhet.Mobiltelefon,
BodyTextResourceKey = "signing.notification_content".Replace(
"{0}",
stifterVirksomhet.Navn
),
}
}
}
};
providedSignees.Add(organisationSignee);
}
return new SigneeProviderResult { Signees = providedSignees };
}
}
This step needs to be done manually. Support for configuration in Altinn Studio Designer will come later. Take a look at the “Manual setup”-tab for this section for guidance.
6. Testing
Authorization caching may cause delays in users seeing delegated forms in their Altinn inbox if they were logged in when delegation occurred. To avoid this, delegate access to a user not used in testing for the last hour.