diff --git a/public/index.php b/public/index.php
index 04ce537..95f1458 100644
--- a/public/index.php
+++ b/public/index.php
@@ -10,5 +10,6 @@
 echo $template->render('index', [
 	'uid' => $_SESSION['uid'],
 	'id' => $_SESSION['id'],
-	'name' => $_SESSION['cn']
+	'name' => $_SESSION['cn'],
+	'hasSignedSIR' => $_SESSION['signedsir'],
 ]);
diff --git a/public/sir.php b/public/sir.php
index f8dae35..063317a 100644
--- a/public/sir.php
+++ b/public/sir.php
@@ -9,7 +9,7 @@
 
 require '..' . DIRECTORY_SEPARATOR . 'vendor' . DIRECTORY_SEPARATOR . 'autoload.php';
 Authentication::requireLogin();
-if (!Authentication::isAdmin()) {
+if (!Authentication::isAdmin() && !isset($_GET['uid']) && $_GET['uid'] !== $_SESSION['uid']) {
 	$template = Template::create();
 	echo $template->render('403');
 	exit;
diff --git a/public/sugo.php b/public/sugo.php
new file mode 100644
index 0000000..544bbf3
--- /dev/null
+++ b/public/sugo.php
@@ -0,0 +1,58 @@
+<?php
+
+namespace WEEEOpen\Crauto;
+
+use DateTimeZone;
+
+require '..' . DIRECTORY_SEPARATOR . 'vendor' . DIRECTORY_SEPARATOR . 'autoload.php';
+Authentication::requireLogin();
+
+
+
+$ldap = new Ldap(
+	CRAUTO_LDAP_URL,
+	CRAUTO_LDAP_BIND_DN,
+	CRAUTO_LDAP_PASSWORD,
+	CRAUTO_LDAP_USERS_DN,
+	CRAUTO_LDAP_GROUPS_DN,
+	CRAUTO_LDAP_STARTTLS
+);
+
+$users = [];
+$selectedUser = null;
+if (Authentication::isAdmin()) {
+	$ldap = new Ldap(
+		CRAUTO_LDAP_URL,
+		CRAUTO_LDAP_BIND_DN,
+		CRAUTO_LDAP_PASSWORD,
+		CRAUTO_LDAP_USERS_DN,
+		CRAUTO_LDAP_GROUPS_DN,
+		CRAUTO_LDAP_STARTTLS
+	);
+	$users = $ldap->getUsers(['givenname','sn','signedsir','nsaccountlock', 'mail']);
+	if (isset($_GET['uid'])) {
+		$selectedUser = $_GET['uid'];
+	}
+} else {
+	$users = [$ldap->getUser($_SESSION['uid'], ['givenname','sn','signedsir','nsaccountlock', 'mail'])];
+	$selectedUser = $_SESSION['uid'];
+}
+
+$mappedUsers = [];
+foreach ($users as $user) {
+	$mappedUsers[] = [
+		'id' => $user['uid'],
+		'name' => $user['givenname'] . ' ' . $user['sn'],
+		'needsToSign' => !($user['signedsir'] ?? false),
+		'isBlocked' => !($user['nsaccountlock'] ?? false),
+		'email' => $user['mail']
+	];
+}
+
+$template = Template::create();
+$template->addData(['currentSection' => 'sugo'], 'navbar');
+
+echo $template->render('sugo', [
+	'users' => $mappedUsers,
+	'selectedUser' => $selectedUser
+]);
\ No newline at end of file
diff --git a/src/Authentication.php b/src/Authentication.php
index 396e6e6..70c4b76 100644
--- a/src/Authentication.php
+++ b/src/Authentication.php
@@ -81,6 +81,7 @@ public static function authenticate()
 			$_SESSION['uid'] = 'test.administrator';
 			$_SESSION['id'] = 'fake:example:68048769-c06d-4873-adf6-dbfa6b0afcd3';
 			$_SESSION['cn'] = 'Test Administrator';
+			$_SESSION['hasSignedSIR'] = false;
 			$_SESSION['groups'] = ['HR'];
 			$_SESSION['expires'] = PHP_INT_MAX;
 			$_SESSION['refresh_token'] = 'refresh_token';
@@ -307,9 +308,21 @@ private static function setAttributes(OpenIDConnectClient $oidc, $claims = null,
 		$refresh_token = $oidc->getRefreshToken();
 		$id_token = $idt ?? $oidc->getIdToken();
 
+		$ldap = new Ldap(
+			CRAUTO_LDAP_URL,
+			CRAUTO_LDAP_BIND_DN,
+			CRAUTO_LDAP_PASSWORD,
+			CRAUTO_LDAP_USERS_DN,
+			CRAUTO_LDAP_GROUPS_DN,
+			CRAUTO_LDAP_STARTTLS
+		);
+
+		$ldapInfo = $ldap->getUser($uid, ['signedsir']);
+
 		$_SESSION['uid'] = $uid;
 		$_SESSION['id'] = $id;
 		$_SESSION['cn'] = $cn;
+		$_SESSION['signedsir'] = $ldapInfo['signedsir'] ?? false; // This won't updated until the next login but good enough
 		$_SESSION['groups'] = $groups;
 		$_SESSION['expires'] = $exp;
 
diff --git a/src/Ldap.php b/src/Ldap.php
index 74f4abd..40d442f 100644
--- a/src/Ldap.php
+++ b/src/Ldap.php
@@ -33,7 +33,8 @@ class Ldap
 			'weeelabnickname' => ['io'],
 			'websitedescription' => "Il capo supremo\nSu due righe",
 			'description' => '',
-			'nsaccountlock' => null
+			'nsaccountlock' => null,
+			'mail' => 'admin@example.com',
 		],
 		'alice' => [
 			'uid' => 'alice',
@@ -53,7 +54,8 @@ class Ldap
 			'weeelabnickname' => [],
 			'websitedescription' => 'Persona',
 			'description' => '',
-			'nsaccountlock' => 'true'
+			'nsaccountlock' => 'true',
+			'mail' => 'alice@example.com',
 		],
 		'brodino' => [
 			'uid' => 'brodino',
@@ -72,7 +74,8 @@ class Ldap
 			'sshpublickey' => [],
 			'weeelabnickname' => [],
 			'description' => '',
-			'telegramnickname' => 'brodino'
+			'telegramnickname' => 'brodino',
+			'mail' => 'brodino@example.com',
 		],
 		'bob' => [
 			'uid' => 'bob',
@@ -92,7 +95,8 @@ class Ldap
 			'sshpublickey' => [],
 			'weeelabnickname' => [],
 			'description' => '',
-			'nsaccountlock' => null
+			'nsaccountlock' => null,
+			'mail' => 'bob@example.com',
 		],
 		'broski' => [
 			'uid' => 'broski',
@@ -111,7 +115,8 @@ class Ldap
 			'sshpublickey' => [],
 			'weeelabnickname' => [],
 			'description' => '',
-			'telegramid' => '123456789'
+			'telegramid' => '123456789',
+			'mail' => 'bro@example.com',
 		],
 	];
 	private const EXAMPLE_GROUPS = ['Admin', 'Persone', 'Cloud'];
diff --git a/templates/index.php b/templates/index.php
index 0d4bd64..e48da56 100644
--- a/templates/index.php
+++ b/templates/index.php
@@ -2,10 +2,12 @@
 /** @var $uid string */
 /** @var $id string */
 /** @var $name string */
+/** @var $signedsir bool */
 $this->layout('base', ['title' => 'Welcome']) ?>
 
 <h1>Crauto</h1>
 <small>Creatore e Rimuovitore Autogestito di Utenti che Tutto Offre</small>
+<?php if (!$signedsir) echo "<p class=\"alert alert-warning\">You still haven't signed your SIR! <a href=\"/sugo.php?uid=" . urlencode($uid) . "\" class=\"btn btn-outline-warning text-right\" >Generate document</a></p>"; ?>
 <p>Hi <?= $name ?>, your username is <?= $uid ?> and your ID is <?= $id ?></p>
 <h2>Enabled services</h2>
 <p>What can I access with this account?</p>
diff --git a/templates/navbar.php b/templates/navbar.php
index 547cc35..40698da 100644
--- a/templates/navbar.php
+++ b/templates/navbar.php
@@ -16,6 +16,9 @@
 					<li class="nav-item">
 						<a class="nav-link <?= $currentSection === 'personal' ? 'active' : '' ?>" href="/personal.php">Personal</a>
 					</li>
+					<li class="nav-item">
+						<a class="nav-link <?= $currentSection === 'sugo' ? 'active' : '' ?>" href="/sugo.php">Sugo</a>
+					</li>
 					<li class="nav-item">
 						<a class="nav-link <?= $currentSection === 'authentication' ? 'active' : '' ?>"
 						   href="/authentication.php">Authentication</a>
diff --git a/templates/sugo.php b/templates/sugo.php
new file mode 100644
index 0000000..cf38796
--- /dev/null
+++ b/templates/sugo.php
@@ -0,0 +1,226 @@
+<?php
+$this->layout('base', ['title' => 'Welcome']) ?>
+
+<script src="https://unpkg.com/vue@3/dist/vue.global.js"></script>
+<script src="https://unpkg.com/pdf-lib/dist/pdf-lib.min.js"></script>
+
+<div id="app" class="sugo"></div>
+<script>
+	const app = Vue.createApp({
+		data() {
+			return {
+				users: <?= json_encode($users) ?>,
+				selectedUser: <?= $selectedUser ? "'" . str_replace("'", "\'", $selectedUser) . "'" : "null" ?>,
+				selectedUserData: null,
+				document: null,
+				finalDocument: null,
+				loading: false,
+				screen: <?= $selectedUser ? "'sign'" : "'chooseUser'" ?>,
+				mouseDown: false,
+				toEmail: null,
+			}
+		},
+		watch: {
+			screen() {
+				if (this.screen == 'sign') {
+					history.pushState(null, '', '/sugo.php?uid=' + encodeURIComponent(this.selectedUser));
+				} else {
+					history.pushState(null, '', '/sugo.php');
+				}
+			}
+		},
+		mounted() {
+			if (this.screen == 'sign') {
+				this.sign();
+			}
+		},
+		computed: {
+			needsToSign() {
+				return this.users.filter(user => user.needsToSign);
+			},
+			isBlocked() {
+				return this.users.filter(user => user.isBlocked);
+			},
+			everyoneElse() {
+				return this.users.filter(user => !user.needsToSign && !user.isBlocked);
+			},
+			selectedUserData() {
+				return this.users.find(user => user.id == this.selectedUser);
+			}
+		},
+		methods: {
+			async sign() {
+				if (!this.selectedUser || this.loading) {
+					return;
+				}
+				this.loading = true;
+				this.document = await fetch('/sir.php?uid=' + encodeURIComponent(this.selectedUser), {credentials: 'same-origin'}).then(res => {
+					if (!res.ok) {
+						throw new Error('An error occurred fetching the original document');
+					}
+					return res;
+				}).then(res => res.arrayBuffer()).catch(() => {
+					alert('An error occurred fetching the original document');
+					this.loading = false;
+				});
+				this.screen = 'sign';
+				this.loading = false;
+			},
+			handleMouseDown(e) {
+				e.preventDefault();
+				this.mouseDown = true;
+				const ctx = this.$refs.signature.getContext('2d');
+				ctx.beginPath();
+				ctx.moveTo(e.offsetX, e.offsetY);
+			},
+			handleMouseMove(e) {
+				e.preventDefault();
+				if (!this.mouseDown) return;
+				const ctx = this.$refs.signature.getContext('2d');
+				ctx.lineWidth = 3;
+				ctx.lineTo(e.offsetX, e.offsetY);
+				ctx.stroke();
+			},
+			handleMouseUp(e) {
+				e.preventDefault();
+				this.mouseDown = false;
+				const ctx = this.$refs.signature.getContext('2d');
+			},
+			handleTouchStart(e) {
+				e.preventDefault();
+				this.mouseDown = true;
+				const ctx = this.$refs.signature.getContext('2d');
+				ctx.beginPath();
+				ctx.moveTo(e.touches[0].clientX - this.$refs.signature.getBoundingClientRect().left, e.touches[0].clientY - this.$refs.signature.getBoundingClientRect().top);
+			},
+			handleTouchMove(e) {
+				e.preventDefault();
+				if (!this.mouseDown) return;
+				const ctx = this.$refs.signature.getContext('2d');
+				ctx.lineWidth = 3;
+				ctx.lineTo(e.touches[0].clientX - this.$refs.signature.getBoundingClientRect().left, e.touches[0].clientY - this.$refs.signature.getBoundingClientRect().top);
+				ctx.stroke();
+			},
+			handleTouchEnd(e) {
+				e.preventDefault();
+				this.mouseDown = false;
+				const ctx = this.$refs.signature.getContext('2d');
+			},
+			clear() {
+				const ctx = this.$refs.signature.getContext('2d');
+				ctx.clearRect(0, 0, 500, 250);
+			},
+			async generatePdf() {
+				// saving this at the beginning so that we can hide the canvas
+				let signatureData = this.$refs.signature.toDataURL("image/png");
+				this.loading = true;
+
+				let pdf = await PDFLib.PDFDocument.load(this.document).catch(() => {
+					alert('An error occurred while loading the original document');
+					this.loading = false;
+				});
+				let pages = pdf.getPages();
+				let thirdPage = pages[2];
+				// add the date
+				/*let now = new Date();
+				thirdPage.drawText(now.toLocaleDateString("en-GB"), {
+					x: 125,
+					y: 255,
+					size: 12,
+				});*/ // disabled because this is now added by the server
+				// add the signature
+				let signatureBuffer = Uint8Array.from(atob(signatureData.split(',')[1]), c => c.charCodeAt(0));
+				let signatureImage = await pdf.embedPng(signatureBuffer);
+				thirdPage.drawImage(signatureImage, {
+					x: 360,
+					y: 110,
+					width: 180,
+					height: 90,
+				});
+				this.finalDocument = await pdf.save();
+				//this.toEmail = this.selectedUserData.email;
+				//this.screen = 'sendEmail';
+				this.download(); // temp
+				this.loading = false;
+			},
+			send() {
+				if (!this.toEmail || this.loading) {
+					return;
+				}
+				this.loading = true;
+				let formData = new FormData();
+				formData.append('email', this.toEmail);
+				formData.append('document', new Blob([this.finalDocument], {type: 'application/pdf'}), 'sir.pdf');
+				fetch('/?page=email', {
+					method: 'POST',
+					body: formData,
+				}).then(res => {
+					if (res.status == 206) {
+						this.screen = 'chooseUser';
+						this.loading = false;
+					} else {
+						alert('An error occurred');
+						this.loading = false;
+					}
+				});
+			},
+			download() {
+				let pdfBlob = new Blob([this.finalDocument], {type: 'application/pdf'});
+				let pdfUrl = URL.createObjectURL(pdfBlob);
+				let a = document.createElement('a');
+				a.href = pdfUrl;
+				a.download = 'sir.pdf';
+				a.click();
+				URL.revokeObjectURL(pdfUrl);
+				if (this.users.length == 0) {
+					// just redirect to the home page
+					window.location.href = '/';
+				}
+				this.screen = 'chooseUser';
+			},
+		},
+		template: `
+			<div>
+				<h1>Sign the SIR</h1>
+				<div v-if="loading">Loading...</div>
+				<template v-else-if="screen == 'chooseUser'">
+					<div>Select the person:</div>
+					<select class="form-select" v-model="selectedUser">
+						<optgroup label="Needs to sign">
+							<option v-for="user in needsToSign" :value="user.id"><b>{{ user.name }}</b> ({{ user.id }})</option>
+						</optgroup>
+						<optgroup label="Active users">
+							<option v-for="user in everyoneElse" :value="user.id"><b>{{ user.name }}</b> ({{ user.id }})</option>
+						</optgroup>
+						<optgroup label="Is blocked">
+							<option v-for="user in isBlocked" :value="user.id"><b>{{ user.name }}</b> ({{ user.id }})</option>
+						</optgroup>
+					</select>
+					<button @click="sign" class="btn btn-primary">Sign</button>
+				</template>
+				<div v-else-if="screen == 'sign'">
+					<div style="display: flex; justify-content: space-between;">
+						<button v-if="users.length > 0" @click="screen = 'chooseUser'" class="btn btn-outline-secondary">Back</button>
+						<button @click="clear" class="btn btn-secondary">Clear</button>
+						<button @click="generatePdf" class="btn btn-primary">Download</button>
+					</div>
+					<div style="position: absolute; width: 500px; display: flex; border: dashed 2px black; margin-top: 40px; margin-left: auto; margin-right: auto; left: 0; right: 0;">
+						<div style="height: 2px; width: 100%; position: absolute; bottom: 75px; background: #bbb;"></div>
+						<canvas ref="signature" width="500" height="250" style="z-index: 1000;" @mousedown="handleMouseDown" @mousemove="handleMouseMove" @mouseup="handleMouseUp" @mouseleave="handleMouseUp" @touchstart="handleTouchStart" @touchmove="handleTouchMove" @touchend="handleTouchEnd"></canvas>
+					</div>
+				</div>
+				<template v-else-if="screen == 'sendEmail'">
+					<div>
+						<label for="email">Email:</label><br>
+						<input type="email" id="email" v-model="toEmail"><br><br>
+						<button @click="send">Send</button>
+					</div>
+					<div>
+						<button @click="download">Download</button>
+					</div>
+				</template>
+			</div>
+		` // there is some unused code for sending the email, for now we only allow downloads
+	});
+	app.mount('#app');
+</script>
\ No newline at end of file