Consent Management (On-Premises)

How to set up Consent Management as part of Web Enrollment

Before your users can enroll using Web Enrollment, it is important that they understand and agree to the storage and use of their biometric data by Alcatraz security products. Receiving users' consent allows you to alleviate their privacy concerns and to conform to any applicable legislation.
Asking for user consent is optional.

How Does Consent Management Work


Alcatraz utilizes Docusign™ to allow your users to sign the consent electronically.
After you set up Consent Management, Web Enrollment starts the enrollment process by presenting the consent document to the user. Signing the consent takes the user to the actual enrollment step. Declining the consent ends the enrollment without creating an Alcatraz biometric profile for the user.
Read the sections below to complete the steps required for setting up consent management.

Creating a Docusign Account


You need to create a Docusign account for your organization before you can enable consent.

Docusign provides paid services. Contact a Docusign representative and ask for the best plan for your organization's needs.

Setting Up Your Docusign Account


After you create an account with Docusign, you need to configure it to allow integration with Alcatraz products.

Creating a New App


While you can use an existing Docusign app to integrate with Alcatraz, we recommend creating a new one.
Take these steps to create a new Docusign app for integrating with Alcatraz:
  1. Log in to Docusign.
  2. In the top menu, click Admin.
  3. In the left navigation, click Integrations > Apps and Keys.
  4. On the page that appears, under Apps and Integration Keys, click the Add App and Integration Key button.
  5. In the dialog box that appears, enter a name for the app (such as Alcatraz) and then click Create App.
    A page with app settings appears.
  6. Under General Info, take a note of the Integration Key.
    You will need it later when enabling consent in Alcatraz Admin Portal.
  7. Under Authentication, take the following actions:
    1. Under User Application, ensure that you set the options as follows:
      • Is your application able to securely store a client secret? is set to Yes.
      • Authentication Method for your App > Require Proof Key for Code Exchange (PKCE) is unchecked.
      • No keys are present under Secret Keys.
    2. Under Service Integration, generate new RSA keys or upload your own, if you have an existing certificate infrastructure:
      • To generate new RSA keys:
        1. Click Generate RSA.
        2. In the dialog box that opens, do the following:
          1. Copy the Public Key by clicking the Copy to clipboard button next to it.
          2. On your computer, create an empty plain-text file and paste the public key in it.
          3. Save the public key file as public.pem.
          4. Go back to Docusign.
          5. Copy the Private Key by clicking the Copy to clipboard button next to it.
          6. On your computer, create an empty plain-text file and paste the private key in it.
          7. Save the private key file as private.pem.
            An ID representing the key appears in the RSA Keypairs (ID) list.
      • To upload existing RSA keys:
        1. Click Upload RSA.
        2. In the Upload Public RSA Key dialog box that opens, paste the contents of your public key.
        3. Click Upload Key.
          An ID representing the key appears in the RSA Keypairs (ID) list.
  8. Under Additional Settings, do the following:
    1. In Redirect URLs, click Add URI and then enter https://localhost:8000 in the text box that appears.
    2. Leave Link to Privacy Policy empty.
    3. Leave Link to Terms of Use empty.
    4. Under CORS Configuration, leave everything unchanged.
    5. Under Origin URLs, leave everything unchanged.
    6. Under Allowed HTTP Methods, ensure that all boxes are unchecked.
  9. Click Save.
    Your Docusign app is complete.
  10. At the top of the screen, locate the My Account Information section and take a note of User ID.
    You will need this value when setting up Alcatraz Admin Portal.

Granting Scopes to the App


After creating the app, you need to grant it the necessary permissions. Docusign grants permissions using scopes. The Alcatraz integration requires these scopes:
  • signature
  • impersonation
  • click.manage
  • click.send
Take these steps to grant your Docusign app the required scopes:
  1. Construct the grant URL:
    <SERVER>/oauth/auth?response_type=code&scope=signature%20impersonation%20click.manage%20click.send&client_id=<INTEGRATION_KEY>&redirect_uri=https://localhost:8000

    Where:
    • <SERVER> is the appropriate Docusign API server address:
      • For your production Docusign environment: https://account.docusign.com
      • For your development Docusign environment (for testing, for example): https://account-d.docusign.com
    • <INTEGRATION_KEY> is your app's Integration Key that you took a note of earlier.

    Production environment example:
    https://account.docusign.com/oauth/auth?response_type=code&scope=signature%20impersonation%20click.manage%20click.send&client_id=xxxxf4cf-0c7f-4e80-aebd-c779e25dxxxx&redirect_uri=https://localhost:8000
  2. Paste the URL in your web browser's address bar and press Enter.
  3. If prompted by Docusign, log in to your Docusign account.
  4. On the "Your App Name is requesting access" screen that appears, click Allow Access.

On success, Docusign redirects your web browser to the redirect URL (https://localhost:8000), and the browser shows a message to the effect that it can't connect. This is normal. You can close the browser tab after seeing it.
If you see an error instead of the "Your App Name is requesting access" screen, try the following:
  • If you get the "The redirect URI is not registered properly with Docusign" error, check that the redirect URL that you entered when creating the Docusign app is the same as the one at the end of the grant URL.
  • If you get the "The client id provided is not registered with Docusign" error, check that you inserted the Integration Key of the correct Docusign app in the grant URL.
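
The grant URL from the procedure above, as an added Python example (not part of the Alcatraz or Docusign documentation): build_grant_url assembles the URL from this page's server addresses, scopes and redirect URL, and check_grant_url reports which part of a hand-edited URL does not match the app settings, covering the two errors listed above. The function names and the sample Integration Key are constructed for illustration, and the GUID format check is an assumption based on the shape of the page's masked example key.

```python
import re
from urllib.parse import parse_qs, quote, urlencode, urlsplit

# Values taken from this page.
SERVERS = {"production": "https://account.docusign.com",
           "development": "https://account-d.docusign.com"}
SCOPES = ("signature", "impersonation", "click.manage", "click.send")
REDIRECT_URI = "https://localhost:8000"
# Assumption: Integration Keys are GUID-shaped, like the page's masked example.
GUID = re.compile(r"[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.I)
SAMPLE_KEY = "11111111-2222-4333-8444-555555555555"  # constructed, not a real key


def build_grant_url(environment, integration_key, redirect_uri=REDIRECT_URI):
    """Return the scope-grant URL for the given Docusign environment."""
    if environment not in SERVERS:
        raise ValueError(f"unknown environment: {environment!r}")
    if not GUID.fullmatch(integration_key.strip()):
        raise ValueError("Integration Key is not a GUID; re-copy it from Apps and Keys")
    params = {"response_type": "code", "scope": " ".join(SCOPES),
              "client_id": integration_key.strip(), "redirect_uri": redirect_uri}
    # quote() turns spaces into %20; ':' and '/' stay literal as in the page's URL.
    return SERVERS[environment] + "/oauth/auth?" + urlencode(params, quote_via=quote, safe=":/")


def check_grant_url(url, integration_key, redirect_uri=REDIRECT_URI):
    """List the parts of a hand-built grant URL that do not match the app settings."""
    parts = urlsplit(url.strip())
    query = parse_qs(parts.query)
    problems = []
    if f"{parts.scheme}://{parts.netloc}" not in SERVERS.values():
        problems.append("server: not a Docusign account server from this page")
    if parts.path != "/oauth/auth" or query.get("response_type") != ["code"]:
        problems.append("path/response_type: expected /oauth/auth and code")
    missing = set(SCOPES) - set(query.get("scope", [""])[0].split())
    if missing:
        problems.append("scope: missing " + ", ".join(sorted(missing)))
    if query.get("client_id") != [integration_key]:
        problems.append("client_id: differs from the app's Integration Key")
    if query.get("redirect_uri") != [redirect_uri]:
        problems.append("redirect_uri: differs from the app's Redirect URL")
    return problems


if __name__ == "__main__":
    url = build_grant_url("production", SAMPLE_KEY)
    print(url)
    # A trailing slash is enough to make the redirect URL differ.
    print(check_grant_url(url.replace(":8000", ":8000/"), SAMPLE_KEY))
```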
Next, continue with creating a template for the consent agreement that your users will have to sign.

Creating a Consent Template


The consent template is an agreement that your users will have to sign before they complete the Web Enrollment procedure. It takes the form of a PDF document that Docusign presents to the user for signing. The document's content, both textual and visual, as well as its language, are at your discretion.
Take these steps to create and upload a consent template:
  1. Create or source a PDF document containing the legal text required by your organization.
  2. Log in to Docusign.
  3. In the top navigation, click Templates.
  4. In the left navigation, click Start > Envelope Templates > Create a Template.
    A template wizard appears.
  5. In Template Name, give the template a meaningful name.
    Example: `Web Enrollment Consent Template`
  6. Under Add documents, click Upload > Browse, and then, in the file browser that appears, select the PDF file that you prepared.
  7. Click Next.
  8. Under Add recipients, do the following:
    1. In Role, enter Signer.
    2. In the drop-down list on the right of Role, select Needs to Sign.
    3. Leave Name empty.
    4. Leave Email empty.

      NOTE: Web Enrollment does not support the multiple recipients option Add Recipient.

  9. Under Add Message, specify the content of the email:
    NOTE: Web Enrollment does not support the Custom message and language for each recipient option, which relates to multiple recipients.
    1. In Subject and Message, enter any text.
      Web Enrollment does not utilize the Subject and Message text in any way.
    2. In Envelope Types, select a suitable type describing the purpose of the consent template. If you cannot find one, select Other and enter a type of your choosing in the box that appears below.
  10. Click Next.
    A visual document editor appears, showing the content of your PDF document.
  11. Ensure that the drop-down list above the fields side-bar shows Signer.
  12. Using drag and drop, add the signature-related fields that you want your users to fill in when accepting your biometric data processing consent.
    For example, drag the following onto the canvas:
    Signature (appears on the template as Sign)
    Name (appears on the template as Full Name)
    Date Signed
  13. Click Save and Close to complete the template.
  14. In the list of templates, click your template's name.
    A template details screen appears.
  15. Under the template name, click Template ID to reveal the unique template ID and take a note of it.
    You will need this value when setting up Alcatraz Admin Portal.

Next, continue with setting up Alcatraz Admin Portal.

Setting Up Alcatraz Admin Portal


After you finish setting up your Docusign account, you can proceed with setting up Alcatraz Admin Portal to integrate with Docusign.
Take these steps to configure Alcatraz Admin Portal to integrate with Docusign:
  1. Log in to Alcatraz Admin Portal as an Account Administrator.
  2. In the left menu, go to Accounts > Account Settings.
  3. Under Account Configuration, expand Web Enrollment.
  4. Toggle Enable Web Enrollment on.
  5. Check Consent Management.
  6. Click Custom Consent and fill in the following fields:
    NOTE: Alcatraz Consent is a backwards-compatibility option designed only for existing consent management users. As an existing user, you can either specify your own Docusign account and continue using consent management with it, or do nothing and keep using Alcatraz Consent.
    • In Account Domain, enter the Docusign authentication service URL:
      • To use your production Docusign environment: account.docusign.com
      • To use your development Docusign environment (for testing purposes, for example): account-d.docusign.com
    • In Integration Key, enter the Integration Key that you took a note of in Setting Up Your Docusign Account.
    • In User ID, enter the User ID that you took a note of in Setting Up Your Docusign Account.
    • In Template ID, enter the Template ID that you took a note of in Creating a Consent Template.
    • In Upload RSA Private Key, click and select the private.pem file that you created in Setting Up Your Docusign Account.
  7. Optionally, click Test Docusign Connection to see if the entered values result in a successful connection.
  8. Click Submit.
  9. In the dialog box that opens, review your settings and then click Confirm to complete the setup.
After you complete this procedure, consent management is ready for use.