diff --git a/config/config-example.php b/config/config-example.php
index 0aa3a61..b8a8b07 100644
--- a/config/config-example.php
+++ b/config/config-example.php
@@ -1,27 +1,27 @@
 <?php
-define('TEST_MODE', true); // Use false for production
-define('CRAUTO_PASS_MIN_LENGTH', 12);
-define('CRAUTO_SIR_TMP_DIR_CLEANUP', 30);
-define('CRAUTO_LDAP_URL', 'ldap://ldap1.sso.local');
-define('CRAUTO_LDAP_BIND_DN', 'cn=Directory Manager');
-define('CRAUTO_LDAP_PASSWORD', 'secret1');
-define('CRAUTO_LDAP_STARTTLS', true);
-define('CRAUTO_LDAP_USERS_DN', 'ou=People,dc=sso,dc=local');
-define('CRAUTO_LDAP_GROUPS_DN', 'ou=Groups,dc=sso,dc=local');
-define('CRAUTO_LDAP_INVITES_DN', 'ou=Invites,dc=sso,dc=local');
-define('CRAUTO_OIDC_ISSUER', 'https://wso2.sso.local:9443/oauth2/oidcdiscovery');
-define('CRAUTO_OIDC_CLIENT_ID', 'crauto'); // This is useless
-define('CRAUTO_OIDC_CLIENT_KEY', '3VEQd6YM2a9qXtCGQJs8nGfm2Dsa'); // This is important (generated by WSO2 IS)
-define('CRAUTO_OIDC_CLIENT_SECRET', 'Fd4BxUyaYYlByimKfAwv6_rDyl0a'); // This is even more important (generated by WSO2 IS)
+const TEST_MODE = true; // Use false for production
+const TEST_MODE_SSO = 1; // Use 1, 2 or 3 to log in as different test accounts, only used if TEST_MODE is true
+const CRAUTO_PASS_MIN_LENGTH = 12;
+const CRAUTO_SIR_TMP_DIR_CLEANUP = 30;
+const CRAUTO_LDAP_URL = 'ldap://ldap1.sso.local';
+const CRAUTO_LDAP_BIND_DN = 'cn=Directory Manager';
+const CRAUTO_LDAP_PASSWORD = 'secret1';
+const CRAUTO_LDAP_STARTTLS = true;
+const CRAUTO_LDAP_USERS_DN = 'ou=People,dc=example,dc=test';
+const CRAUTO_LDAP_GROUPS_DN = 'ou=Groups,dc=example,dc=test';
+const CRAUTO_LDAP_INVITES_DN = 'ou=Invites,dc=example,dc=test';
+const CRAUTO_OIDC_ISSUER = 'https://sso.example/oauth2/oidcdiscovery';
+const CRAUTO_OIDC_CLIENT_KEY = '3VEQd6YM2a9qXtCGQJs8nGfm2Dsa'; // This is important (generated by WSO2 IS)
+const CRAUTO_OIDC_CLIENT_SECRET = 'Fd4BxUyaYYlByimKfAwv6_rDyl0a'; // This is even more important (generated by WSO2 IS)
 // Also, you shouldn't commit the secret (and possibly the key) in a public repo. These are used only in development,
 // production key and secret are obviously different.
-define('VERIFY_CERTIFICATES', true); // Set to false for development with self-signed certificates
-define('CRAUTO_URL', 'http://[::1]:8200');
-define('CRAUTO_DEBUG_ALWAYS_REFRESH', false); // Set to true to use the refresh token to get a new id token on each request
-define('CRAUTO_DEFAULT_GROUPS', 'Test,Cloud,Admin');
-define('CRAUTO_WEBSITE_IGNORE_GROUPS', 'Docenti,Foo,Bar');
-define('CRAUTO_HOME_PAGE_SERVICES', [
+const VERIFY_CERTIFICATES = true; // Set to false for development with self-signed certificates
+const CRAUTO_URL = 'http://[::1]:8200';
+const CRAUTO_DEBUG_ALWAYS_REFRESH = false; // Set to true to use the refresh token to get a new id token on each request
+const CRAUTO_DEFAULT_GROUPS = 'Test,Cloud,Admin';
+const CRAUTO_WEBSITE_IGNORE_GROUPS = 'Docenti,Foo,Bar';
+const CRAUTO_HOME_PAGE_SERVICES = [
 	['Description description description', 'https://url.example.com', 'something'],
 	['Description', 'https://url.example.com'],
 	['Description without link']
-]);
+];
diff --git a/public/index.php b/public/index.php
index 04ce537..5f979c3 100644
--- a/public/index.php
+++ b/public/index.php
@@ -5,10 +5,28 @@
 require '..' . DIRECTORY_SEPARATOR . 'vendor' . DIRECTORY_SEPARATOR . 'autoload.php';
 Authentication::requireLogin();
 
+$error = null;
+$attributes = [];
+try {
+	$ldap = new Ldap(
+		CRAUTO_LDAP_URL,
+		CRAUTO_LDAP_BIND_DN,
+		CRAUTO_LDAP_PASSWORD,
+		CRAUTO_LDAP_USERS_DN,
+		CRAUTO_LDAP_GROUPS_DN,
+		CRAUTO_LDAP_STARTTLS
+	);
+	$attributes = $ldap->getUser($_SESSION['uid'], ['signedsir']);
+} catch (LdapException $e) {
+	$error = $e->getMessage();
+}
+
 $template = Template::create();
 $template->addData(['currentSection' => 'index'], 'navbar');
 echo $template->render('index', [
+	'error' => $error,
 	'uid' => $_SESSION['uid'],
 	'id' => $_SESSION['id'],
-	'name' => $_SESSION['cn']
+	'name' => $_SESSION['cn'],
+	'signedSir' => Ldap::optionalBooleanToBool($attributes, 'signedsir')
 ]);
diff --git a/public/personal.php b/public/personal.php
index 82dec1f..8c1ab85 100644
--- a/public/personal.php
+++ b/public/personal.php
@@ -35,12 +35,12 @@
 		header('Content-Type: application/json');
 		header('Content-Transfer-Encoding: Binary');
 		header('Content-Description: File Transfer');
-		header("Content-Disposition: attachment; filename=${_SESSION['uid']}.json");
+		header("Content-Disposition: attachment; filename={$_SESSION['uid']}.json");
 		echo json_encode($attributes, JSON_PRETTY_PRINT);
 		exit;
 	}
 
-	if (isset($_POST) && !empty($_POST)) {
+	if (!empty($_POST)) {
 		Validation::handleUserEditPost($editableAttributes, $ldap, $_SESSION['uid'], $attributes);
 		http_response_code(303);
 		header('Location: personal.php');
diff --git a/public/sir.php b/public/sir.php
index f8dae35..063317a 100644
--- a/public/sir.php
+++ b/public/sir.php
@@ -9,7 +9,7 @@
 
 require '..' . DIRECTORY_SEPARATOR . 'vendor' . DIRECTORY_SEPARATOR . 'autoload.php';
 Authentication::requireLogin();
-if (!Authentication::isAdmin()) {
+if (!Authentication::isAdmin() && !isset($_GET['uid']) && $_GET['uid'] !== $_SESSION['uid']) {
 	$template = Template::create();
 	echo $template->render('403');
 	exit;
diff --git a/public/sugo.php b/public/sugo.php
new file mode 100644
index 0000000..ff70350
--- /dev/null
+++ b/public/sugo.php
@@ -0,0 +1,49 @@
+<?php
+
+namespace WEEEOpen\Crauto;
+
+require '..' . DIRECTORY_SEPARATOR . 'vendor' . DIRECTORY_SEPARATOR . 'autoload.php';
+Authentication::requireLogin();
+
+$ldap = new Ldap(
+	CRAUTO_LDAP_URL,
+	CRAUTO_LDAP_BIND_DN,
+	CRAUTO_LDAP_PASSWORD,
+	CRAUTO_LDAP_USERS_DN,
+	CRAUTO_LDAP_GROUPS_DN,
+	CRAUTO_LDAP_STARTTLS
+);
+
+$selectedUser = null;
+if (Authentication::isAdmin()) {
+	$users = $ldap->getUsers(['givenname', 'sn', 'signedsir', 'nsaccountlock', 'mail']);
+	if (isset($_GET['uid'])) {
+		$selectedUser = $_GET['uid'];
+	}
+} else {
+	$users = [$ldap->getUser($_SESSION['uid'], ['givenname', 'sn', 'signedsir', 'nsaccountlock', 'mail'])];
+	$selectedUser = $_SESSION['uid'];
+}
+
+$mappedUsers = [];
+foreach ($users as $user) {
+	$mappedUsers[] = [
+		'uid' => $user['uid'],
+		'cn' => $user['cn'],
+		'needsToSign' => Ldap::optionalBooleanToBool($user, 'signedsir'),
+		'isLocked' => Ldap::optionalBooleanToBool($user, 'nsaccountlock'),
+		'email' => $user['mail']
+	];
+}
+
+usort($mappedUsers, function (array $a, array $b): int {
+	return strcasecmp($a['uid'], $b['uid']);
+});
+
+$template = Template::create();
+$template->addData(['currentSection' => 'sugo'], 'navbar');
+
+echo $template->render('sugo', [
+	'users' => $mappedUsers,
+	'selectedUser' => $selectedUser
+]);
diff --git a/src/Authentication.php b/src/Authentication.php
index 396e6e6..6a38adf 100644
--- a/src/Authentication.php
+++ b/src/Authentication.php
@@ -76,15 +76,38 @@ public static function authenticate()
 			session_start();
 		}
 
-		if (defined('TEST_MODE') && TEST_MODE) {
+		if (TEST_MODE) {
 			error_log('TEST_MODE, faking authentication');
-			$_SESSION['uid'] = 'test.administrator';
-			$_SESSION['id'] = 'fake:example:68048769-c06d-4873-adf6-dbfa6b0afcd3';
-			$_SESSION['cn'] = 'Test Administrator';
-			$_SESSION['groups'] = ['HR'];
-			$_SESSION['expires'] = PHP_INT_MAX;
-			$_SESSION['refresh_token'] = 'refresh_token';
-			$_SESSION['id_token'] = 'id_token';
+			switch (TEST_MODE_SSO) {
+				case 1:
+				default:
+					$_SESSION['uid'] = 'test.administrator';
+					$_SESSION['id'] = 'fake:example:68048769-c06d-4873-adf6-dbfa6b0afcd3';
+					$_SESSION['cn'] = 'Test Administrator';
+					$_SESSION['groups'] = ['HR'];
+					$_SESSION['expires'] = PHP_INT_MAX;
+					$_SESSION['refresh_token'] = 'refresh_token';
+					$_SESSION['id_token'] = 'id_token';
+					break;
+				case 2:
+					$_SESSION['uid'] = 'alice';
+					$_SESSION['id'] = 'fake:example:9e071e1e-d0dd-4d58-9ac2-087ea0b41e97';
+					$_SESSION['cn'] = 'Alice Test';
+					$_SESSION['groups'] = ['Cloud', 'Gente', 'Riparatori'];
+					$_SESSION['expires'] = PHP_INT_MAX;
+					$_SESSION['refresh_token'] = 'refresh_token';
+					$_SESSION['id_token'] = 'id_token';
+					break;
+				case 3:
+					$_SESSION['uid'] = 'brodino';
+					$_SESSION['id'] = 'fake:example:c476f0de-e554-439e-af4f-35c8bed02b9b';
+					$_SESSION['cn'] = 'Bro Dino';
+					$_SESSION['groups'] = ['Admin', 'Gente'];
+					$_SESSION['expires'] = PHP_INT_MAX;
+					$_SESSION['refresh_token'] = 'refresh_token';
+					$_SESSION['id_token'] = 'id_token';
+					break;
+			}
 		} else {
 			$oidc = self::getOidc();
 			//$oidc->setCertPath('/path/to/my.cert');
@@ -110,7 +133,7 @@ public static function signOut()
 		$token = $_SESSION['id_token'];
 		session_destroy();
 
-		if (defined('TEST_MODE') && TEST_MODE) {
+		if (TEST_MODE) {
 			error_log('TEST_MODE, no need to log out');
 		} else {
 			$oidc->signOut($token, CRAUTO_URL . '/logout_done.php');
@@ -307,6 +330,15 @@ private static function setAttributes(OpenIDConnectClient $oidc, $claims = null,
 		$refresh_token = $oidc->getRefreshToken();
 		$id_token = $idt ?? $oidc->getIdToken();
 
+		$ldap = new Ldap(
+			CRAUTO_LDAP_URL,
+			CRAUTO_LDAP_BIND_DN,
+			CRAUTO_LDAP_PASSWORD,
+			CRAUTO_LDAP_USERS_DN,
+			CRAUTO_LDAP_GROUPS_DN,
+			CRAUTO_LDAP_STARTTLS
+		);
+
 		$_SESSION['uid'] = $uid;
 		$_SESSION['id'] = $id;
 		$_SESSION['cn'] = $cn;
diff --git a/src/Ldap.php b/src/Ldap.php
index 74f4abd..e0d96fb 100644
--- a/src/Ldap.php
+++ b/src/Ldap.php
@@ -5,6 +5,7 @@
 use DateTime;
 use DateTimeZone;
 use InvalidArgumentException;
+use LDAP\Result;
 
 class Ldap
 {
@@ -24,6 +25,7 @@ class Ldap
 			'createtimestamp' => '20191025105022Z',
 			'modifytimestamp' => '20191025155317Z',
 			'safetytestdate' => '20160909',
+			'degreecourse' => 'Ingegneria dell\'Ingegno',
 			'signedsir' => 'true',
 			'haskey' => 'true',
 			'schacpersonaluniquecode' => 's111111',
@@ -33,7 +35,8 @@ class Ldap
 			'weeelabnickname' => ['io'],
 			'websitedescription' => "Il capo supremo\nSu due righe",
 			'description' => '',
-			'nsaccountlock' => null
+			'nsaccountlock' => null,
+			'mail' => 'admin@example.com',
 		],
 		'alice' => [
 			'uid' => 'alice',
@@ -44,6 +47,7 @@ class Ldap
 			'createtimestamp' => '20191025105022Z',
 			'modifytimestamp' => '20191025155317Z',
 			'safetytestdate' => '20991104',
+			'degreecourse' => 'Architettura (dei calcolatori però)',
 			'signedsir' => null,
 			'haskey' => null,
 			'schacpersonaluniquecode' => 's22222',
@@ -53,7 +57,8 @@ class Ldap
 			'weeelabnickname' => [],
 			'websitedescription' => 'Persona',
 			'description' => '',
-			'nsaccountlock' => 'true'
+			'nsaccountlock' => 'true',
+			'mail' => 'alice@example.com',
 		],
 		'brodino' => [
 			'uid' => 'brodino',
@@ -64,6 +69,7 @@ class Ldap
 			'createtimestamp' => '20191025105022Z',
 			'modifytimestamp' => '20191025155317Z',
 			'safetytestdate' => '20201104',
+			'degreecourse' => 'Ingegneria dell\'Ingegnerizzazione',
 			'signedsir' => 'true',
 			'haskey' => null,
 			'nsaccountlock' => 'true',
@@ -72,7 +78,8 @@ class Ldap
 			'sshpublickey' => [],
 			'weeelabnickname' => [],
 			'description' => '',
-			'telegramnickname' => 'brodino'
+			'telegramnickname' => 'brodino',
+			'mail' => 'brodino@example.com',
 		],
 		'bob' => [
 			'uid' => 'bob',
@@ -92,7 +99,8 @@ class Ldap
 			'sshpublickey' => [],
 			'weeelabnickname' => [],
 			'description' => '',
-			'nsaccountlock' => null
+			'nsaccountlock' => null,
+			'mail' => 'bob@example.com',
 		],
 		'broski' => [
 			'uid' => 'broski',
@@ -103,6 +111,7 @@ class Ldap
 			'createtimestamp' => '20191025105022Z',
 			'modifytimestamp' => '20191025155317Z',
 			'safetytestdate' => '20201025',
+			'degreecourse' => 'Ingegneria dell\'Ingegnerizzazione',
 			'signedsir' => null,
 			'haskey' => null,
 			'nsaccountlock' => null,
@@ -111,7 +120,29 @@ class Ldap
 			'sshpublickey' => [],
 			'weeelabnickname' => [],
 			'description' => '',
-			'telegramid' => '123456789'
+			'telegramid' => '123456789',
+			'mail' => 'bro@example.com',
+		],
+		'brobruh' => [
+			'uid' => 'brobruh',
+			'cn' => 'Bro Bruh',
+			'givenname' => 'Bro',
+			'sn' => 'Bruh',
+			'memberof' => ["cn=Admin,ou=Groups,dc=weeeopen,dc=it", "cn=Gente,ou=Groups,dc=weeeopen,dc=it"],
+			'createtimestamp' => '20191025105022Z',
+			'modifytimestamp' => '20191025155317Z',
+			'safetytestdate' => '20210926',
+			'degreecourse' => 'Ingegneria Disinformatica',
+			'signedsir' => null,
+			'haskey' => null,
+			'nsaccountlock' => 'true',
+			'schacpersonaluniquecode' => 's333444555666',
+			'telegramnickname' => null,
+			'sshpublickey' => [],
+			'weeelabnickname' => [],
+			'description' => '',
+			'telegramid' => '12345678912345',
+			'mail' => 'bro@bruh.example',
 		],
 	];
 	private const EXAMPLE_GROUPS = ['Admin', 'Persone', 'Cloud'];
@@ -264,7 +295,7 @@ public function getUsers(array $attributes): array
 	 * @param string $uid UID to search
 	 * @param array|null $attributes Attributes to include in search result ("null" for all)
 	 *
-	 * @return resource|null $sr from ldap_search or none if no users are found
+	 * @return array|Result|null $sr from ldap_search or none if no users are found
 	 * @throws LdapException if cannot search or more than one user is found
 	 */
 	private function searchByUid(string $uid, ?array $attributes = null)
@@ -484,6 +515,11 @@ public static function groupDnToName(string $dn): string
 		throw new InvalidArgumentException("$dn is not a group DN");
 	}
 
+	public static function optionalBooleanToBool(array $attributes, string $var): bool
+	{
+		return isset($attributes[$var]) && $attributes[$var] === 'true';
+	}
+
 	public function groupNamesToDn(array $names): array
 	{
 		if (count($names) <= 0) {
diff --git a/src/Template.php b/src/Template.php
index 13c92d0..063b9f3 100644
--- a/src/Template.php
+++ b/src/Template.php
@@ -31,6 +31,6 @@ public static function telegramColumn($nickname, $id): string
 	public static function shortListEntry(string $uid, string $cn, ?string $schacpersonaluniquecode): string
 	{
 		$schacpersonaluniquecode = $schacpersonaluniquecode ?? 'no matricola';
-		return /** @lang HTML */ "<a href=\"/people.php?uid=$uid\">$cn</a>, $schacpersonaluniquecode <a class=\"btn btn-sm btn-outline-dark m-1 p-1\" href=\"/sir.php?uid=$uid\"><i class=\"fa fa-download mr-1\"></i>Get SIR</a>";
+		return /** @lang HTML */ "<a href=\"/people.php?uid=$uid\">$cn</a>, $schacpersonaluniquecode <a class=\"btn btn-sm btn-outline-dark m-1 p-1\" href=\"/sugo.php?uid=$uid\"><i class=\"fa-solid fa-signature\"></i>Sign SIR</a>";
 	}
 }
diff --git a/templates/index.php b/templates/index.php
index 0d4bd64..b153128 100644
--- a/templates/index.php
+++ b/templates/index.php
@@ -2,11 +2,21 @@
 /** @var $uid string */
 /** @var $id string */
 /** @var $name string */
+/** @var $signedSir bool */
+/** @var $error string|null */
 $this->layout('base', ['title' => 'Welcome']) ?>
 
 <h1>Crauto</h1>
 <small>Creatore e Rimuovitore Autogestito di Utenti che Tutto Offre</small>
 <p>Hi <?= $name ?>, your username is <?= $uid ?> and your ID is <?= $id ?></p>
+<?php if ($error !== null) : ?>
+	<div class="alert alert-danger" role="alert">
+		Error: <?= $this->e($error) ?>
+	</div>
+<?php endif ?>
+<?php if (!$signedSir) : ?>
+	<p class="alert alert-warning">You need to sign your SIR! <a href="/sugo.php?uid=<?= urlencode($uid)?>" class="btn btn-sm btn-warning">Sign the SIR</a></p>
+<?php endif ?>
 <h2>Enabled services</h2>
 <p>What can I access with this account?</p>
 <ul>
diff --git a/templates/navbar.php b/templates/navbar.php
index 547cc35..aa39e9a 100644
--- a/templates/navbar.php
+++ b/templates/navbar.php
@@ -31,6 +31,9 @@
 							<a class="nav-link  <?= $currentSection === 'groups' ? 'active' : '' ?>" href="/groups.php">Groups</a>
 						</li>
 					<?php endif ?>
+					<li class="nav-item">
+						<a class="nav-link <?= $currentSection === 'sugo' ? 'active' : '' ?>" href="/sugo.php">SIR</a>
+					</li>
 					<li class="nav-item">
 						<a class="nav-link" href="/logout.php">Logout</a>
 					</li>
diff --git a/templates/sugo.php b/templates/sugo.php
new file mode 100644
index 0000000..864974d
--- /dev/null
+++ b/templates/sugo.php
@@ -0,0 +1,253 @@
+<?php
+
+/** @var string|null $selectedUser */
+/** @var array $users */
+$this->layout('base', ['title' => 'Welcome'])
+?>
+
+<script src="https://unpkg.com/vue@3/dist/vue.global.js"></script>
+<script src="https://unpkg.com/pdf-lib/dist/pdf-lib.min.js"></script>
+
+<div id="app" class="sugo"></div>
+<script>
+	const app = Vue.createApp({
+		data() {
+			return {
+				users: <?= json_encode($users) ?>,
+				selectedUser: <?= $selectedUser ? json_encode($selectedUser, JSON_UNESCAPED_UNICODE) : 'null' ?>,
+				document: null,
+				finalDocument: null,
+				loading: false,
+				screen: '<?= $selectedUser ? "sign" : "chooseUser" ?>',
+				mouseDown: false,
+				toEmail: null,
+			}
+		},
+		watch: {
+			screen() {
+				if (this.screen === 'sign') {
+					history.pushState(null, '', '/sugo.php?uid=' + encodeURIComponent(this.selectedUser));
+				} else {
+					history.pushState(null, '', '/sugo.php');
+				}
+			}
+		},
+		mounted() {
+			if (this.screen === 'sign') {
+				this.sign();
+			}
+		},
+		computed: {
+			needsToSign() {
+				return this.users.filter(user => user.needsToSign);
+			},
+			isLocked() {
+				return this.users.filter(user => user.isLocked);
+			},
+			everyoneElse() {
+				return this.users.filter(user => !user.needsToSign && !user.isLocked);
+			},
+			selectedUserData() {
+				return this.users.find(user => user.uid === this.selectedUser);
+			}
+		},
+		methods: {
+			async sign() {
+				if (!this.selectedUser || this.loading) {
+					return;
+				}
+				this.loading = true;
+				this.document = await fetch('/sir.php?uid=' + encodeURIComponent(this.selectedUser), {credentials: 'same-origin'}).then(res => {
+					if (!res.ok) {
+						throw new Error('An error occurred fetching the original document');
+					}
+					return res;
+				}).then(res => res.arrayBuffer()).catch(() => {
+					alert('An error occurred fetching the original document');
+					this.loading = false;
+				});
+				this.screen = 'sign';
+				this.loading = false;
+			},
+			handleMouseDown(e) {
+				e.preventDefault();
+				this.mouseDown = true;
+				const ctx = this.$refs.signature.getContext('2d');
+				ctx.beginPath();
+				ctx.moveTo(e.offsetX, e.offsetY);
+			},
+			handleMouseMove(e) {
+				e.preventDefault();
+				if (!this.mouseDown) return;
+				const ctx = this.$refs.signature.getContext('2d');
+				ctx.lineWidth = 3;
+				ctx.lineTo(e.offsetX, e.offsetY);
+				ctx.stroke();
+			},
+			handleMouseUp(e) {
+				e.preventDefault();
+				this.mouseDown = false;
+				const ctx = this.$refs.signature.getContext('2d');
+			},
+			handleTouchStart(e) {
+				e.preventDefault();
+				this.mouseDown = true;
+				const ctx = this.$refs.signature.getContext('2d');
+				ctx.beginPath();
+				ctx.moveTo(e.touches[0].clientX - this.$refs.signature.getBoundingClientRect().left, e.touches[0].clientY - this.$refs.signature.getBoundingClientRect().top);
+			},
+			handleTouchMove(e) {
+				e.preventDefault();
+				if (!this.mouseDown) return;
+				const ctx = this.$refs.signature.getContext('2d');
+				ctx.lineWidth = 3;
+				ctx.lineTo(e.touches[0].clientX - this.$refs.signature.getBoundingClientRect().left, e.touches[0].clientY - this.$refs.signature.getBoundingClientRect().top);
+				ctx.stroke();
+			},
+			handleTouchEnd(e) {
+				e.preventDefault();
+				this.mouseDown = false;
+				const ctx = this.$refs.signature.getContext('2d');
+			},
+			clear() {
+				const ctx = this.$refs.signature.getContext('2d');
+				ctx.clearRect(0, 0, 500, 250);
+			},
+			async generatePdf() {
+				// saving this at the beginning so that we can hide the canvas
+				let signatureData = this.$refs.signature.toDataURL("image/png");
+				this.loading = true;
+
+				let pdf = await PDFLib.PDFDocument.load(this.document).catch(() => {
+					alert('An error occurred while loading the original document');
+					this.loading = false;
+				});
+				let pages = pdf.getPages();
+				let thirdPage = pages[2];
+				// add the date
+				/*let now = new Date();
+				thirdPage.drawText(now.toLocaleDateString("en-GB"), {
+					x: 125,
+					y: 255,
+					size: 12,
+				});*/ // disabled because this is now added by the server
+				// add the signature
+				let signatureBuffer = Uint8Array.from(atob(signatureData.split(',')[1]), c => c.charCodeAt(0));
+				let signatureImage = await pdf.embedPng(signatureBuffer);
+				thirdPage.drawImage(signatureImage, { // guanti
+					x: 355,
+					y: 592,
+					width: 80,
+					height: 40,
+				});
+				thirdPage.drawImage(signatureImage, { // cappa
+					x: 260,
+					y: 460,
+					width: 80,
+					height: 40,
+				});
+				thirdPage.drawImage(signatureImage, { // end of document
+					x: 360,
+					y: 110,
+					width: 180,
+					height: 90,
+				});
+				this.finalDocument = await pdf.save();
+				//this.toEmail = this.selectedUserData.email;
+				//this.screen = 'sendEmail';
+				this.download(); // temp
+				this.loading = false;
+			},
+			send() { // currently unused as we don't have an email endpoint
+				if (!this.toEmail || this.loading) {
+					return;
+				}
+				this.loading = true;
+				let formData = new FormData();
+				formData.append('email', this.toEmail);
+				formData.append('document', new Blob([this.finalDocument], {type: 'application/pdf'}), 'sir.pdf');
+				fetch('/?page=email', {
+					method: 'POST',
+					body: formData,
+				}).then(res => {
+					if (res.status === 206) {
+						this.screen = 'chooseUser';
+						this.loading = false;
+					} else {
+						alert('An error occurred');
+						this.loading = false;
+					}
+				});
+			},
+			async downloadBlank() {
+				await this.sign();
+				this.loading = true;
+				this.finalDocument = this.document;
+				this.download();
+				this.loading = false;
+			},
+			download() {
+				let pdfBlob = new Blob([this.finalDocument], {type: 'application/pdf'});
+				let pdfUrl = URL.createObjectURL(pdfBlob);
+				let a = document.createElement('a');
+				a.href = pdfUrl;
+				a.download = `sir-${this.selectedUser}.pdf`;
+				a.click();
+				URL.revokeObjectURL(pdfUrl);
+				if (this.users.length === 1) {
+					// just redirect to the home page
+					window.location.href = '/';
+				}
+				this.screen = 'chooseUser';
+			},
+		},
+		template: `
+			<div>
+				<h1>Sign the SIR</h1>
+				<div v-if="loading">Loading...</div>
+				<template v-else-if="screen === 'chooseUser'">
+					<form class="form-inline">
+						<div class="form-group mb-2">
+						<label class="sr-only" for="personSelect">Person</label>
+						<select class="form-control form-select" v-model="selectedUser">
+							<optgroup label="Needs to sign">
+								<option v-for="user in needsToSign" :value="user.uid"><b>{{ user.cn }}</b> ({{ user.uid }})</option>
+							</optgroup>
+							<optgroup label="Active users">
+								<option v-for="user in everyoneElse" :value="user.uid"><b>{{ user.cn }}</b> ({{ user.uid }})</option>
+							</optgroup>
+							<optgroup label="Locked accounts">
+								<option v-for="user in isLocked" :value="user.uid"><b>{{ user.cn }}</b> ({{ user.uid }})</option>
+							</optgroup>
+						</select>
+						<button @click="sign" class="btn btn-primary ml-2">Sign</button>
+						<button @click="downloadBlank" class="btn btn-outline-secondary ml-2">View</button>
+						</div>
+					</form>
+				</template>
+				<div v-else-if="screen === 'sign'">
+					<div style="display: flex; justify-content: space-between;">
+						<button v-if="users.length > 0" @click="screen = 'chooseUser'" class="btn btn-outline-secondary">Back</button>
+						<button @click="clear" class="btn btn-secondary">Clear</button>
+						<button @click="generatePdf" class="btn btn-primary">Download</button>
+					</div>
+					<div style="position: absolute; width: 500px; display: flex; border: dashed 2px black; margin-top: 40px; margin-left: auto; margin-right: auto; left: 0; right: 0;">
+						<div style="height: 2px; width: 100%; position: absolute; bottom: 75px; background: #bbb;"></div>
+						<canvas ref="signature" width="500" height="250" style="z-index: 1000;" @mousedown="handleMouseDown" @mousemove="handleMouseMove" @mouseup="handleMouseUp" @mouseleave="handleMouseUp" @touchstart="handleTouchStart" @touchmove="handleTouchMove" @touchend="handleTouchEnd"></canvas>
+					</div>
+				</div>
+				<template v-else-if="screen === 'sendEmail'">
+					<div>
+						<label for="email">Email:</label><br>
+						<input type="email" id="email" v-model="toEmail"><br><br>
+						<button @click="send">Send</button>
+					</div>
+					<div>
+						<button @click="download">Download</button>
+					</div>
+				</template>
+			</div>
+		` // there is some unused code for sending the email, for now we only allow downloads
+	});
+	app.mount('#app');
+</script>
\ No newline at end of file
diff --git a/templates/userlist.php b/templates/userlist.php
index a806edb..9c754ed 100644
--- a/templates/userlist.php
+++ b/templates/userlist.php
@@ -35,7 +35,7 @@
 	</div>
 <?php endif ?>
 
-<!-- Non blocked user table -->
+<!-- Non Locked user table -->
 <table class="table" data-toggle="table">
 	<thead class="thead-dark">
 	<tr>
@@ -138,7 +138,7 @@
 
 <h2>Locked accounts</h2>
 
-<!-- Blocked user table -->
+<!-- Locked user table -->
 <table class="table" data-toggle="table">
 	<thead class="thead-dark">
 	<tr>