Session Logon service

The Session Logon service is located on the Configure Services tab under the Device Services section.

It provides secure access to the application and avoids prompting for credentials multiple times; that is, it provides single sign-on for ShareScan.

Session Logon is provided as a single point of authentication for the entire workflow. If Session Logon is configured and enabled for a device, you need to log on only once into ShareScan. The logon information is effective for the entire session. You do not have to enter your logon information each time you select a connector during the current session. The ShareScan Manager passes the logon information to the Connector using an internal interface called "Credentials" in Data Publishing.

If you need to access different servers, and the logon credentials are not the same on those servers, the system prompts you to enter logon information, even when Session Logon is enabled.

If you enable Session Logon for the Quick Connect, LDAP/SMTP, or Fax via SMTP connectors, refer to the connector-specific configuration section for information about selecting the authentication type.

Configuring Session Logon Service (also known as Single Sign-On Extender)

Via the Administration Console, the ShareScan Administrator ensures that you have the necessary access rights to all connectors to be used.

  1. Select the Yes check box next to the Configured setting in the ShareScan Session Logon Service configuration screen of the Administration Console. Specify Type and Domain in the Select Domain / NDS Server dialog and click OK. Select one of the three options (Session Logon, Bypass session logon (no authentication), Bypass session logon (authenticate user)) in the list next to Session logon mode setting.
  2. Sign in to the authentication application you are using. The Session Logon screen is displayed, with the User name field automatically filled in with the information from the card.
  3. Type your Active Directory password into the relevant field.
  4. Use all ShareScan workflows without further authentication needs until you press the Logout button. Pressing that button logs you out of ShareScan, thus you can use the device only for copying and print management, until you re-authenticate. If you log out of the authentication application, you cannot use the device until you re-authenticate.

  • If you change your password, you have to go through the above process once more.
  • The authentication is only valid for connectors using the same Active Directory credentials you supplied on the Session Logon screen, and for connectors that are configured not to ask for credentials. You still have to authenticate separately if your card-based credentials are not the same as your credentials for logging in to the backend service of a connector (for instance, OpenText Content Server).
  • You can test the username/password combination prior to enabling the service either via the built-in ShareScan Simulator, or at the device itself.

Session Logon settings

Setting

Description

Configured

Enables Session Logon in the Device pane when selecting the Yes check box; or disables Session Logon in the Device pane (this disables all the other fields and properties).

Session logon mode

The value of this setting specifies session logon behavior. Available options:

  • Session Logon: This option selects the standard service behavior (that is, users must authenticate themselves via user name and password at the device).
  • Bypass session logon (no authentication): This option enables the ShareScan client to be configured to bypass the Session Logon screen when only the user identification is received from the device, Cost Recovery or ID Services and the password is not provided. While a network authentication is not performed by ShareScan Session logon, the received username is used by the individual connectors when needed.
  • Bypass session logon (authenticate user) (also known as Single Sign-On Extender): This option enables a network authentication to be performed by ShareScan using the username, password and domain provided by the device, Cost Recovery or ID Services.

Secure storage (password caching) of the user’s network passwords is enabled when Session logon mode is set to or Bypass session logon (authenticate user). This enables the user to swipe a card (or use any other available method to identify themselves) and have this log the user into eCopy ShareScan and to access network resources. If no password is provided or available, or password caching is not enabled, the user is prompted to enter their password.

Directory services

Specifies the directory service that manages your list of users (Windows Active Directory or Novell Directory Services).

Domain

The domain associated with your login name and password (you can also specify another domain name):

  • Windows Active Directory: The current domain for the local machine is default.
  • Novell Directory services: You must specify the NDS Server and ID.

You can add more domains to your configuration (see below). The value you choose above defines which (AD or Novell) domains the service can access. If you have multiple domains configured, these can have different base DNs and LDAP query credentials per server.

Default

Sets the active domain as the default one.

Directory Access

Specifies the type of access required to retrieve user and group data from the directory.

Type

Specifies the type of access required to retrieve user and group data from the directory: Anonymous or Use credentials or Use ShareScan Manager service credentials.

User name and Password settings are required if you choose Use credentials.

If you select Use ShareScan Manager service credentials, User name and Password settings are required but only for testing the Session Logon service configuration.

At runtime, the actual ShareScan Manager service credential is always used for retrieving user and group data from the directory.

You can also choose Directory service access is disabled. If you choose to do so, Search while typing is also disabled and so is LDAP-based authentication.

User name

The user name. Specify if you have chosen the Use credentials option above.

Password

The user password (hidden by asterisks). Specify if you have chosen the Use credentials option above.

Search while typing

Click Yes to enable the type-ahead feature when you start entering a user name at the device.

Search parameters

Specifies the parameters for searching the selected directory.

Search on

The search criterion by which the system searches the user list:

  • Windows Active Directory: First Name, Last Name, Display Name, or Account Name.
  • Novell Directory Services: First Name, Last Name, or User ID.

Automatic Base DN detection

If enabled, the Manager performs an auto-detection for the base DN in the domain when doing type-ahead search. In multi-domain environments, you can set a DN for each added domain. Domains without this will take the default domain settings.

Base DN

The Base DN or directory root which is the starting point of the search. This option defaults to the root of the main tree. Use this option to select the specific DN or context where you want the search to begin.

Restrict users to this DN

Limits the scope of the search to the specified DN.

Scope

The scope of the search at one level down from the Base DN or down to the lowest level of the tree: Base, One level, and Subtree.

Use Group Membership Lookup Strategy

Select how to determine all groups in which the user is a member. Options include:

  • Use the 'Token-Groups' user attribute (default): utilizing this attribute from Active Directory to detect all groups in which the user is a member (including direct and indirect membership data).
  • Use the 'Member' group attribute with 'in-chain' match operator: utilizing the "Member" group attribute with the LDAP_MATCHING_RULE_IN_CHAIN matching operator to get all membership info for a user. When this strategy is used, optionally, the "Group Container DN" Session Logon parameter can be specified to make the operation faster. This setting must contain the distinguished name(s) of container(s) which store(s) the security groups in the AD. When this parameter is not specified, ShareScan will perform the LDAP search from the root; this is slightly slower than starting the search from the security group container. The actual performance difference depends on the network environment / Active Directory configuration.
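
As an added example (not ShareScan code), the Python sketch below builds the in-chain filter for the 'Member' strategy and emulates, on a constructed directory, which groups come back with and without a Group Container DN. The DNs, group names and helper functions are assumptions made for illustration; the emulation is a simplified model of how Active Directory evaluates the matching rule.

```python
# Added illustration: constructed data and hypothetical helper names.
IN_CHAIN_OID = "1.2.840.113556.1.4.1941"  # LDAP_MATCHING_RULE_IN_CHAIN


def escape_filter_value(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join(
        "\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value
    )


def in_chain_filter(user_dn):
    """Filter matching every group that contains user_dn directly or via nesting."""
    return "(member:%s:=%s)" % (IN_CHAIN_OID, escape_filter_value(user_dn))


def is_under(dn, container_dn):
    """True when dn sits below container_dn (DN comparison is case-insensitive)."""
    return dn.lower().endswith("," + container_dn.lower())


def groups_in_chain(directory, user_dn, container_dns=()):
    """Emulate the in-chain search: follow 'member' links transitively, then
    keep only groups located under one of the given container DNs (the search
    base). An empty container list means the search starts from the root."""
    found, queue = set(), [user_dn]
    while queue:
        current = queue.pop().lower()
        for group_dn, members in directory.items():
            # 'found' doubles as the visited set, so cyclic nesting terminates.
            if group_dn not in found and current in (m.lower() for m in members):
                found.add(group_dn)
                queue.append(group_dn)
    if container_dns:
        found = {g for g in found if any(is_under(g, c) for c in container_dns)}
    return sorted(found)


# Constructed sample directory: group DN -> values of its 'member' attribute.
ANN = "CN=Ann Lee (Temp),OU=Staff,DC=example,DC=test"
G_FIN = "CN=Scan-Finance,OU=Groups,DC=example,DC=test"
G_ALL = "CN=Scan-All,OU=Groups,DC=example,DC=test"
G_OLD = "CN=Legacy-Scan,OU=Old,DC=example,DC=test"
DIRECTORY = {
    G_FIN: [ANN],            # direct membership
    G_ALL: [G_FIN, G_OLD],   # Ann is an indirect member through Scan-Finance
    G_OLD: [G_ALL],          # nested back into Scan-All: a membership cycle
}

if __name__ == "__main__":
    print(in_chain_filter(ANN))
    print("from root:     ", groups_in_chain(DIRECTORY, ANN))
    print("from OU=Groups:",
          groups_in_chain(DIRECTORY, ANN, ["OU=Groups,DC=example,DC=test"]))
```

In this model a group stored outside the configured container (Legacy-Scan) is not returned, which is why the Group Container DN has to list every container that holds security groups.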

Group Container DN

The scope of the search at one level down from the Base DN or down to the lowest level of the tree: Base, One level, and Subtree.

Disable manual credential entry on Session Logon screen

Leave this option cleared to enable users to change the credentials at session logon. This is helpful when there is authentication on a device that does not communicate server to server.

This option is only required if neither ID services nor Cost Recovery is configured, and the user name is received from the device.

If this check box is selected, the user name and domain fields are disabled on the MFP screen, and only the data received from the device are shown. This also happens if ID service or Cost Recovery is active and configured.

Hide Logout button

Use this to hide the Logout button on the MFP device screen when you use an external authentication system for authentication, and you do not want the user to disconnect from Session Logon, as the authentication is performed by an external system.

Enable for all devices

Enabled: select the Yes check box to enable the service for all devices; clear the check box to disable the service for all devices.

The Test button allows you to quickly verify the Session Logon configuration without having to wait to add the device and test the same details at the Client. You must run the Test feature successfully before you can save the settings of the Session Logon Service.

Adding a domain

Click the Add domain button if you want to have more than one domain covered by the Session Logon service. Specify Type and the Domain itself in the dialog window. If you have at least two domains listed in this service, you can pick a default one in the main configuration page.

Removing a domain

Select the domain you want to remove in the main configuration page (under Directory Services) and click the Remove domain button.

Test Session Logon settings

You can verify configuration by entering your name and password, selecting the domain, and then clicking the Test button.

Setting

Description

User name

The user name.

Password

The user password.

Domain

The domain in which you are testing the configuration.

Success/Failure message

A message indicating success or failure appears in the bottom of the pane. If the test fails, the following error message appears:

Error: Failed to authenticate the user - Logon failure: unknown user name or bad password.

Test

Attempts to log on using the specified credentials.

Cancel

Terminates the test session.

After Session Logon is configured, enabled for a device, and tested, Session Logon is the first screen that you see at the Client. You must enter a valid username and password to log on to the selected domain, or if Session logon mode is set to Bypass session logon (no authentication) or Bypass session logon (authenticate user) the credentials are received from external authentication and the Session Logon screen can be bypassed automatically. The ShareScan Manager verifies the credentials and passes them to the selected Connector.

The Connector must also verify the credentials passed to it. If the authentication fails, the Connector must challenge you for the credentials again. The Connector must also display an appropriate error message.

The ShareScan Manager does not retain the credentials entered for testing.

Bypassing Session Logon

Alternatively, you can use the ShareScan Single Sign-On Extender, which enables secure storage (password caching) of the user’s network passwords for use in a single sign on workflow. This enables the user to swipe a card (or use any other available method to identify themselves) and have this log the user into eCopy ShareScan and to access network resources.

If no password is provided or available, or password caching is not enabled, the user is prompted to enter their password.

Typical Session Logon workflows

This section describes several Session Logon workflows and their configuration settings.

These settings are at different locations in the ShareScan Administration Console:

  • Session Logon:
    1. Services tab > Device Services section;
    2. Devices tab > Settings pane (click device name in Device Configuration pane) (that is, Session Logon must be enabled both in the Services tab and the Devices tab)
  • Session Logon mode: Services tab > Device Services section
  • Bypass redirect screen option: (Connectors tab, connector's Setting pane)
  • Logoff automatically: (Connectors tab, connector's Setting pane)

Each workflow below uses an external authentication application. In these scenarios it is Equitrac but the order of the workflow steps is essentially the same with a different external authentication application.

Based on setting values (enabled or disabled), the workflows make up four major groups.

The length and complexity of a workflow depend on how a particular connector is configured. The enabled or disabled status of any of the User data entry during scan, Background Processing and Hide Preview screen options and combinations of these all have an impact on workflow execution time. The workflows described here have all these settings enabled.

In the Authentication section of connector profiles, the Authenticate User field should be set to either RunTime or Logon as for a more lifelike Session Logon behavior.

Group 1: All settings enabled

Variable: Session Logon mode (No Authentication / Authenticate User / Session Logon)

Workflow 1

Settings

  • Session Logon: Configured
  • Session Logon mode: Bypass Session Logon (No Authentication)
  • Bypass redirect screen option: Enabled
  • Logoff automatically: Enabled

Workflow Steps

User is logged in via bypassing Session Logon without authentication (password), then each connector that works on the basis of authentication will ask for authentication (password)

  1. User swipes card to log automatically into Equitrac (or a similar external authentication provider).
  2. User selects the ShareScan application on the device screen.
  3. The session logon screen is automatically bypassed; the password is not checked by the Session Logon service.
  4. ShareScan main screen is shown.
  5. User inserts sheets, presses a connector button, scanning starts. If the connector requires user authentication, user has to provide the password.
  6. Connector screens are displayed. After clicking through the final connector screen, the user is logged off automatically.
  7. The ShareScan Session Logon screen shows empty fields.

Workflow 2

Settings

  • Session Logon: Configured
  • Session Logon mode: Bypass Session Logon (Authenticate user)
  • Bypass redirect screen option: Enabled
  • Logoff automatically: Enabled

Workflow Steps

If user is logged in via bypassing Session Logon with authentication (fixed user name and password), then each connector that works on the basis of authentication will not require further authentication since it is done at the beginning of the workflow.

  1. User swipes card to log automatically into Equitrac (or a similar external authentication provider).
  2. User selects the ShareScan application on the device screen.
  3. The user name, password and domain are checked by the Session Logon service. If the correct credentials are provided by the external authentication, the session logon screen is automatically bypassed.
  4. ShareScan Main screen is shown.
  5. User inserts sheets, presses a connector button, scanning starts. If the connector requires user authentication, user has to provide the password.
  6. Connector screens are displayed. After clicking through the final connector screen, the user is logged off automatically.
  7. The ShareScan Session Logon screen shows empty fields.

Workflow 3

Settings

  • Session Logon: Configured
  • Session Logon mode: Session Logon
  • Bypass redirect screen option: enabled
  • Logoff automatically: enabled

Workflow Steps

  1. User swipes card to log automatically into Equitrac (or a similar external authentication provider).
  2. User selects the ShareScan application on the device screen.
  3. Session Logon screen is shown, with the user's authentication data already filled in (password required).
  4. User presses Login after providing the password, ShareScan Main screen is shown.
  5. User inserts sheets, presses a connector button. Scanning starts.
  6. Connector screens are displayed and the user is logged off automatically.
  7. The ShareScan Session Logon screen shows empty fields.

Group 2: Logoff Automatically disabled

Variable: Session Logon mode (No Authentication / Authenticate User / Session Logon)

Workflow 4

Settings

  • Session Logon: Configured
  • Session Logon mode: Bypass Session Logon (no authentication)
  • Bypass redirect screen option: enabled
  • Logoff automatically: disabled

Workflow Steps

  1. User swipes card to log automatically into Equitrac (or a similar external authentication provider).
  2. User selects the ShareScan application on the device screen.
  3. The session logon screen is automatically bypassed; the password is not checked by the Session Logon service.
  4. ShareScan Main screen is shown.
  5. User inserts sheets, presses a connector button, scanning starts. If the connector requires user authentication, user has to provide the password.
  6. Connector screens are displayed. After clicking through the final connector screen, the Main screen is displayed.
  7. User presses Logout and the ShareScan Session Logon screen shows empty fields.

Workflow 5

Settings

  • Session Logon: Configured
  • Session Logon mode: Bypass Session Logon (authenticate user)
  • Bypass redirect screen option: enabled
  • Logoff automatically: disabled

Workflow Steps

  1. User swipes card to log automatically into Equitrac (or a similar external authentication provider).
  2. User selects the ShareScan application on the device screen.
  3. The user name, password and domain are checked by the Session Logon service. If the correct credentials are provided by the external authentication, the session logon screen is automatically bypassed.
  4. ShareScan Main screen is shown.
  5. User inserts sheets, presses a connector button, scanning starts. If the connector requires user authentication, user has to provide the password.
  6. Connector screens are displayed. After clicking through the final connector screen, the Main screen is displayed.
  7. User presses Logout and the Session Logon screen shows empty fields.

Workflow 6

Settings

  • Session Logon: Configured
  • Session Logon mode: Session Logon
  • Bypass redirect screen option: enabled
  • Logoff automatically: disabled

Workflow Steps

  1. User swipes card to log automatically into Equitrac (or a similar external authentication provider).
  2. User selects the ShareScan application on the device screen.
  3. Session Logon screen is displayed, with the user's authentication data already filled in (password required).
  4. User presses Login after providing the password, ShareScan Main screen is shown.
  5. User inserts sheets, presses a connector button. Scanning starts.
  6. Connector screens are displayed. After clicking through the final connector screen, the Main screen is displayed.
  7. User presses Logout and the Session Logon screen shows empty fields.

Group 3: Bypass redirect screen disabled (Logoff automatically inactive)

Variable: Session Logon mode (No Authentication / Authenticate User / Session Logon)

Workflow 7

Settings

  • Session Logon: Configured
  • Session Logon mode: Bypass Session Logon (no authentication)
  • Bypass redirect screen option: disabled

Workflow Steps

  1. User swipes card to log automatically into Equitrac (or a similar external authentication provider).
  2. User selects the ShareScan application on the device screen.
  3. The session logon screen is automatically bypassed; the password is not checked by the Session Logon service.
  4. ShareScan Main screen is shown.
  5. User inserts sheets, presses a connector button, scanning starts. If the connector requires user authentication, user has to provide the password.
  6. Connector screens are displayed. After clicking through the final connector screen, the Redirect screen is displayed.
  7. User chooses an option on the Redirect screen.

Workflow 8

Settings

  • Session Logon: Configured
  • Session Logon mode: Bypass Session Logon (authenticate user)
  • Bypass redirect screen option: disabled

Workflow Steps

  1. User swipes card to log automatically into Equitrac (or a similar external authentication provider).
  2. User selects the ShareScan application on the device screen.
  3. The user name, password and domain are checked by the Session Logon service. If the correct credentials are provided by the external authentication, the session logon screen is automatically bypassed.
  4. ShareScan Main screen is shown.
  5. User inserts sheets, presses a connector button, scanning starts.
  6. Connector screens are displayed. After clicking through the final connector screen, the Redirect screen is displayed.
  7. User chooses an option on the Redirect screen.

Workflow 9

Settings

  • Session Logon: Configured
  • Session Logon mode: Session Logon
  • Bypass redirect screen option: disabled

Workflow Steps

  1. User swipes card to log automatically into Equitrac (or a similar external authentication provider).
  2. User selects the ShareScan application on the device screen.
  3. Session Logon screen is displayed, with the user's authentication data already filled in (password required).
  4. User presses Login after providing the password, ShareScan Main screen is shown.
  5. User inserts sheets, presses a connector button. Scanning starts.
  6. Connector screens are displayed. After clicking through the final connector screen, the Redirect screen is displayed.
  7. User chooses an option on the Redirect screen.

Group 4: Session Logon disabled

Variable: Bypass redirect screen and Logoff automatically (enabled or disabled)

Workflow 10

Settings

  • Session Logon: NOT Configured
  • Bypass redirect screen option: enabled
  • Logoff automatically: disabled

Workflow Steps

  1. User swipes card to log automatically into Equitrac (or a similar external authentication provider).
  2. User selects the ShareScan application on the device screen.
  3. ShareScan Main screen is shown.
  4. User inserts sheets, presses a connector button. Scanning starts.
  5. Connector screens are displayed. After clicking through the final connector screen, ShareScan main screen is shown.

Workflow 11

Settings

  • Session Logon: NOT Configured
  • Bypass redirect screen option: disabled

Workflow Steps

  1. User swipes card to log automatically into Equitrac (or a similar external authentication provider).
  2. User selects the ShareScan application on the device screen.
  3. ShareScan Main screen is shown.
  4. User inserts sheets, presses a connector button. Scanning starts.
  5. Connector screens are displayed. After clicking through the final connector screen, the Redirect screen is shown.
  6. User chooses an option on the Redirect screen.