Session Logon service
The Session Logon service is located on the Configure Services tab under the Device Services section.
It provides secure access to the application and avoids prompting for credentials multiple times; that is, it provides single sign-on for ShareScan.
Session Logon is provided as a single point of authentication for the entire workflow. If Session Logon is configured and enabled for a device, you need to log on only once into ShareScan. The logon information is effective for the entire session. You do not have to enter your logon information each time you select a connector during the current session. The ShareScan Manager passes the logon information to the Connector using an internal interface called "Credentials" in Data Publishing.
If you enable Session Logon for the Quick Connect, LDAP/SMTP, or Fax via SMTP connectors, refer to the connector-specific configuration section for information about selecting the authentication type.
Configuring Session Logon Service (also known as Single Sign-On Extender)
Via the Administration Console, the ShareScan Administrator ensures that you have the necessary access rights to all connectors to be used.
- Select the Yes check box next to the Configured setting in the ShareScan Session Logon Service configuration screen of the Administration Console. Specify Type and Domain in the Select Domain / NDS Server dialog and click OK. Select one of the three options (Session Logon, Bypass session logon (no authentication), Bypass session logon (authenticate user)) in the list next to Session logon mode setting.
- Sign in to the authentication application you are using. The Session Logon screen is displayed, with the User name field automatically filled in with the information from the card.
- Type your Active Directory password into the relevant field.
- Use all ShareScan workflows without further authentication needs until you press the Logout button. Pressing that button logs you out of ShareScan, thus you can use the device only for copying and print management, until you re-authenticate. If you log out of the authentication application, you cannot use the device until you re-authenticate.
- If you change your password, you have to go through the above process once more.
- The authentication is only valid for connectors using the same Active Directory credentials you supplied on the Session Logon screen, and for connectors that are configured not to ask for credentials. You still have to authenticate separately if your card-based credentials are not the same as your credentials for logging in to the backend service of a connector (for instance, OpenText Content Server).
- You can test the username/password combination prior to enabling the service either via the built-in ShareScan Simulator, or at the device itself.
Session Logon settings
Setting | Description |
---|---|
Configured | Selecting the Yes check box enables Session Logon in the Device pane; clearing it disables Session Logon in the Device pane (this disables all the other fields and properties). |
Session logon mode | The value of this setting specifies session logon behavior. Available options:<br>Secure storage (password caching) of the user’s network passwords is enabled when Session logon mode is set to or Bypass session logon (authenticate user). This enables the user to swipe a card (or use any other available method to identify themselves) and have this log the user into eCopy ShareScan and to access network resources. If no password is provided or available, or password caching is not enabled, the user is prompted to enter their password. |
Directory services | Specifies the directory service that manages your list of users (Windows Active Directory or Novell Directory Services). |
Domain | The domain associated with your login name and password (you can also specify another domain name):<br>You can add more domains to your configuration (see below). The value you choose above defines which (AD or Novell) domains the service can access. If you have multiple domains configured, these can have different base DNs and LDAP query credentials per server. |
Default | Sets the active domain as the default one. |
Directory Access | Specifies the type of access required to retrieve user and group data from the directory. |
Type | Specifies the type of access required to retrieve user and group data from the directory: Anonymous, Use credentials, or Use ShareScan Manager service credentials. User name and Password settings are required if you choose Use credentials. If you select Use ShareScan Manager service credentials, User name and Password settings are required, but only for testing the Session Logon service configuration. At runtime, the actual ShareScan Manager service credential is always used for retrieving user and group data from the directory. You can also choose Directory service access is disabled. If you do so, Search while typing is also disabled, and so is LDAP-based authentication. |
User name | The user name. Specify if you have chosen the Use credentials option above. |
Password | The user password (hidden by asterisks). Specify if you have chosen the Use credentials option above. |
Search while typing | Click Yes to enable the type-ahead feature when you start entering a user name at the device. |
Search parameters | Specifies the parameters for searching the selected directory. |
Search on | The search criterion by which the system searches the user list: |
Automatic Base DN detection | If enabled, the Manager performs an auto-detection for the base DN in the domain when doing type-ahead search. In multi-domain environments, you can set a DN for each added domain. Domains without this will take the default domain settings. |
Base DN | The Base DN or directory root which is the starting point of the search. This option defaults to the root of the main tree. Use this option to select the specific DN or context where you want the search to begin. |
Restrict users to this DN | Limits the scope of the search to the specified DN. |
Scope | The scope of the search at one level down from the Base DN or down to the lowest level of the tree: Base, One level, and Subtree. |
Use Group Membership Lookup Strategy | Select how to determine all groups in which the user is a member. Options include: |
Group Container DN | The scope of the search at one level down from the Base DN or down to the lowest level of the tree: Base, One level, and Subtree. |
Disable manual credential entry on Session Logon screen | Leave this option cleared to enable users to change the credentials at session logon. This is helpful when there is authentication on a device that does not communicate server to server. This option is only required if neither ID services nor Cost Recovery is configured, and the user name is received from the device. If this check box is selected, the user name and domain fields are disabled on the MFP screen, and only the data received from the device are shown. This also happens if ID service or Cost Recovery is active and configured. |
Hide Logout button | Use this to hide the Logout button on the MFP device screen when you use an external authentication system for authentication, and you do not want the user to disconnect from Session Logon, as the authentication is performed by an external system. |
Enable for all devices | Enabled: select the Yes check box to enable the service for all devices; clear the check box to disable the service for all devices. |
The Test button allows you to quickly verify the Session Logon configuration without having to wait to add the device and test the same details at the Client. You must run the Test feature successfully before you can save the settings of the Session Logon Service.
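How the Base DN and Scope settings above interact, as an added example that is not part of the ShareScan documentation or product code: it applies standard LDAP scope semantics (Base, One level, Subtree) to a constructed list of DNs. It assumes the service follows those semantics; the function names and the `example.test` entries are hypothetical.

```python
# Added illustration of LDAP search scope for the "Base DN" and "Scope" settings.
# Assumption: standard LDAP scope semantics. All DNs are constructed sample data.

def split_dn(dn):
    """Split a DN into lower-cased RDNs, honoring backslash-escaped commas."""
    rdns, cur, escaped = [], [], False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(cur).strip().lower())
            cur = []
        else:
            cur.append(ch)
    rdns.append("".join(cur).strip().lower())
    return [r for r in rdns if r]

def depth_below(base_dn, entry_dn):
    """Levels entry_dn sits below base_dn (0 = the base itself), or None if outside."""
    base, entry = split_dn(base_dn), split_dn(entry_dn)
    if len(entry) < len(base) or (base and entry[-len(base):] != base):
        return None
    return len(entry) - len(base)

SCOPES = {
    "Base": lambda d: d == 0,        # only the Base DN entry itself
    "One level": lambda d: d == 1,   # direct children of the Base DN
    "Subtree": lambda d: d >= 0,     # the Base DN and everything beneath it
}

def visible_entries(base_dn, scope, directory):
    """Entries a search rooted at base_dn with the given scope can return."""
    result = []
    for dn in directory:
        d = depth_below(base_dn, dn)
        if d is not None and SCOPES[scope](d):
            result.append(dn)
    return result

# Constructed sample directory (not from the page).
DIRECTORY = [
    "OU=Staff,DC=example,DC=test",
    "CN=Alice,OU=Staff,DC=example,DC=test",
    "CN=Bob,OU=Contractors,OU=Staff,DC=example,DC=test",
    "CN=Doe\\, Jane,OU=Staff,DC=example,DC=test",
    "CN=svc-scan,OU=Service Accounts,DC=example,DC=test",
]
STAFF = "OU=Staff,DC=example,DC=test"

if __name__ == "__main__":
    for scope in SCOPES:
        print(scope, "->", visible_entries(STAFF, scope, DIRECTORY))
```

With the Base DN set to the Staff OU, the service account under `OU=Service Accounts` is outside every scope, and Bob (two levels down) only appears with Subtree.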
Adding a domain
Click the Add domain button if you want to have more than one domain covered by the Session Logon service. Specify Type and the Domain itself in the dialog window. If you have at least two domains listed in this service, you can pick a default one in the main configuration page.
Removing a domain
Select the domain you want to remove in the main configuration page (under Directory Services) and click the Remove domain button.
Test Session Logon settings
You can verify configuration by entering your name and password, selecting the domain, and then clicking the Test button.
Setting | Description |
---|---|
User name | The user name. |
Password | The user password. |
Domain | The domain in which you are testing the configuration. |
Success/Failure message | A message indicating success or failure appears in the bottom of the pane. If the test fails, the following error message appears: Error: Failed to authenticate the user - Logon failure: unknown user name or bad password. |
Test | Attempts to log on using the specified credentials. |
Cancel | Terminates the test session. |
After Session Logon is configured, enabled for a device, and tested, Session Logon is the first screen that you see at the Client. You must enter a valid username and password to log on to the selected domain; if Session logon mode is set to Bypass session logon (no authentication) or Bypass session logon (authenticate user), the credentials are received from external authentication and the Session Logon screen can be bypassed automatically. The ShareScan Manager verifies the credentials and passes them to the selected Connector.
The Connector must also verify the credentials passed to it. If the authentication fails, the Connector must challenge you for the credentials again. The Connector must also display an appropriate error message.
Bypassing Session Logon
Alternatively, you can use the ShareScan Single Sign-On Extender, which enables secure storage (password caching) of the user’s network passwords for use in a single sign on workflow. This enables the user to swipe a card (or use any other available method to identify themselves) and have this log the user into eCopy ShareScan and to access network resources.
If no password is provided or available, or password caching is not enabled, the user is prompted to enter their password.
Typical Session Logon workflows
This section describes several Session Logon workflows and their configuration settings.
These settings are at different locations in the ShareScan Administration Console:
- Session Logon (must be enabled both in the Services tab and the Devices tab):
  - Services tab > Device Services section
  - Devices tab > Settings pane (click device name in Device Configuration pane)
- Session Logon mode: Services tab > Device Services section
- Bypass redirect screen option: Connectors tab, connector's Setting pane
- Logoff automatically: Connectors tab, connector's Setting pane
Each workflow below uses an external authentication application. In these scenarios it is Equitrac, but the order of the workflow steps is essentially the same with a different external authentication application.
Based on setting values (enabled or disabled), the workflows make up four major groups.
Variable: Session Logon mode (No Authentication / Authenticate User / Session Logon)
Workflow 1
Settings
- Session Logon: Configured
- Session Logon mode: Bypass Session Logon (No Authentication)
- Bypass redirect screen option: Enabled
- Logoff automatically: Enabled
Workflow Steps
The user is logged in by bypassing Session Logon without authentication (password); each connector that works on the basis of authentication then asks for authentication (password).
- User swipes card to log automatically into Equitrac (or a similar external authentication provider).
- User selects the ShareScan application on the device screen.
- The session logon screen is automatically bypassed; the password is not checked by the Session Logon service.
- ShareScan main screen is shown.
- User inserts sheets, presses a connector button, scanning starts. If the connector requires user authentication, user has to provide the password.
- Connector screens are displayed. After clicking through the final connector screen, the user is logged off automatically.
- The ShareScan Session Logon screen shows empty fields.
Workflow 2
Settings
- Session Logon: Configured
- Session Logon mode: Bypass Session Logon (Authenticate user)
- Bypass redirect screen option: Enabled
- Logoff automatically: Enabled
Workflow Steps
If the user is logged in by bypassing Session Logon with authentication (fixed user name and password), then each connector that works on the basis of authentication will not require further authentication since it is done at the beginning of the workflow.
- User swipes card to log automatically into Equitrac (or a similar external authentication provider).
- User selects the ShareScan application on the device screen.
- The user name, password, and domain are checked by the Session Logon service. If the correct credentials are provided by the external authentication, the session logon screen is automatically bypassed.
- ShareScan Main screen is shown.
- User inserts sheets, presses a connector button, scanning starts. If the connector requires user authentication, user has to provide the password.
- Connector screens are displayed. After clicking through the final connector screen, the user is logged off automatically.
- The ShareScan Session Logon screen shows empty fields.
Workflow 3
Settings
- Session Logon: Configured
- Session Logon mode: Session Logon
- Bypass redirect screen option: enabled
- Logoff automatically: enabled
Workflow Steps
- User swipes card to log automatically into Equitrac (or a similar external authentication provider).
- User selects the ShareScan application on the device screen.
- Session Logon screen is shown, with the user's authentication data already filled in (password required).
- User presses Login after providing the password, ShareScan Main screen is shown.
- User inserts sheets, presses a connector button. Scanning starts.
- Connector screens are displayed and the user is logged off automatically.
- The ShareScan Session Logon screen shows empty fields.
Variable: Session Logon mode (No Authentication / Authenticate User / Session Logon)
Workflow 4
Settings
- Session Logon: Configured
- Session Logon mode: Bypass Session Logon (no authentication)
- Bypass redirect screen option: enabled
- Logoff automatically: disabled
Workflow Steps
- User swipes card to log automatically into Equitrac (or a similar external authentication provider).
- User selects the ShareScan application on the device screen.
- The session logon screen is automatically bypassed; the password is not checked by the Session Logon service.
- ShareScan Main screen is shown.
- User inserts sheets, presses a connector button, scanning starts. If the connector requires user authentication, user has to provide the password.
- Connector screens are displayed. After clicking through the final connector screen, the Main screen is displayed.
- User presses Logout and the ShareScan Session Logon screen shows empty fields.
Workflow 5
Settings
- Session Logon: Configured
- Session Logon mode: Bypass Session Logon (authenticate user)
- Bypass redirect screen option: enabled
- Logoff automatically: disabled
Workflow Steps
- User swipes card to log automatically into Equitrac (or a similar external authentication provider).
- User selects the ShareScan application on the device screen.
- The user name, password, and domain are checked by the Session Logon service. If the correct credentials are provided by the external authentication, the session logon screen is automatically bypassed.
- ShareScan Main screen is shown.
- User inserts sheets, presses a connector button, scanning starts. If the connector requires user authentication, user has to provide the password.
- Connector screens are displayed. After clicking through the final connector screen, the Main screen is displayed.
- User presses Logout and the Session Logon screen shows empty fields.
Workflow 6
Settings
- Session Logon: Configured
- Session Logon mode: Session Logon
- Bypass redirect screen option: enabled
- Logoff automatically: disabled
Workflow Steps
- User swipes card to log automatically into Equitrac (or a similar external authentication provider).
- User selects the ShareScan application on the device screen.
- Session Logon screen is displayed, with the user's authentication data already filled in (password required).
- User presses Login after providing the password, ShareScan Main screen is shown.
- User inserts sheets, presses a connector button. Scanning starts.
- Connector screens are displayed. After clicking through the final connector screen, the Main screen is displayed.
- User presses Logout and the Session Logon screen shows empty fields.
Variable: Session Logon mode (No Authentication / Authenticate User / Session Logon)
Workflow 7
Settings
- Session Logon: Configured
- Session Logon mode: Bypass Session Logon (no authentication)
- Bypass redirect screen option: disabled
Workflow Steps
- User swipes card to log automatically into Equitrac (or a similar external authentication provider).
- User selects the ShareScan application on the device screen.
- The session logon screen is automatically bypassed; the password is not checked by the Session Logon service.
- ShareScan Main screen is shown.
- User inserts sheets, presses a connector button, scanning starts. If the connector requires user authentication, user has to provide the password.
- Connector screens are displayed. After clicking through the final connector screen, the Redirect screen is displayed.
- User chooses an option on the Redirect screen.
Workflow 8
Settings
- Session Logon: Configured
- Session Logon mode: Bypass Session Logon (authenticate user)
- Bypass redirect screen option: disabled
Workflow Steps
- User swipes card to log automatically into Equitrac (or a similar external authentication provider).
- User selects the ShareScan application on the device screen.
- The user name, password, and domain are checked by the Session Logon service. If the correct credentials are provided by the external authentication, the session logon screen is automatically bypassed.
- ShareScan Main screen is shown.
- User inserts sheets, presses a connector button, scanning starts.
- Connector screens are displayed. After clicking through the final connector screen, the Redirect screen is displayed.
- User chooses an option on the Redirect screen.
Workflow 9
Settings
- Session Logon: Configured
- Session Logon mode: Session Logon
- Bypass redirect screen option: disabled
Workflow Steps
- User swipes card to log automatically into Equitrac (or a similar external authentication provider).
- User selects the ShareScan application on the device screen.
- Session Logon screen is displayed, with the user's authentication data already filled in (password required).
- User presses Login after providing the password, ShareScan Main screen is shown.
- User inserts sheets, presses a connector button. Scanning starts.
- Connector screens are displayed. After clicking through the final connector screen, the Redirect screen is displayed.
- User chooses an option on the Redirect screen.
Variable: Bypass redirect screen and Logoff automatically (enabled or disabled)
Workflow 10
Settings
- Session Logon: NOT Configured
- Bypass redirect screen option: enabled
- Logoff automatically: disabled
Workflow Steps
- User swipes card to log automatically into Equitrac (or a similar external authentication provider).
- User selects the ShareScan application on the device screen.
- ShareScan Main screen is shown.
- User inserts sheets, presses a connector button. Scanning starts.
- Connector screens are displayed. After clicking through the final connector screen, ShareScan main screen is shown.
Workflow 11
Settings
- Session Logon: NOT Configured
- Bypass redirect screen option: disabled
Workflow Steps
- User swipes card to log automatically into Equitrac (or a similar external authentication provider).
- User selects the ShareScan application on the device screen.
- ShareScan Main screen is shown.
- User inserts sheets, presses a connector button. Scanning starts.
- Connector screens are displayed. After clicking through the final connector screen, the Redirect screen is shown.
- User chooses an option on the Redirect screen.
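The eleven workflows above reduce to two independent choices: what happens at logon and what happens after the final connector screen. This added example (not ShareScan code; the `Settings` class and function names are hypothetical, the setting names are the page's) derives the workflow number and the points worth reviewing from a planned configuration.

```python
# Added example: a model of the workflow matrix described above.
# Setting names come from the page; the class and functions are hypothetical.
from dataclasses import dataclass

MODES = [  # order matches Workflows 1-3, 4-6 and 7-9
    "Bypass session logon (no authentication)",
    "Bypass session logon (authenticate user)",
    "Session Logon",
]

@dataclass(frozen=True)
class Settings:
    configured: bool
    mode: str = ""                      # ignored when configured is False
    bypass_redirect: bool = False
    logoff_automatically: bool = False  # only read when bypass_redirect is True

def logon_phase(s):
    """Return (logon_screen_shown, password_checked_by_session_logon)."""
    if not s.configured:
        return (False, False)           # Workflows 10-11: Main screen directly
    if s.mode not in MODES:
        raise ValueError(f"unknown Session logon mode: {s.mode!r}")
    return {
        MODES[0]: (False, False),       # screen bypassed, password not checked
        MODES[1]: (False, True),        # externally supplied credentials checked
        MODES[2]: (True, True),         # prefilled screen, user types password
    }[s.mode]

def end_of_job(s):
    """What the device shows after the final connector screen."""
    if not s.bypass_redirect:
        return "redirect screen"
    if s.logoff_automatically:
        if not s.configured:
            raise ValueError("combination not described on the page")
        return "automatic logoff"
    return "main screen"

def workflow_number(s):
    """Map a settings combination to the page's Workflow 1-11."""
    end = end_of_job(s)
    if not s.configured:
        return 10 if end == "main screen" else 11
    logon_phase(s)                      # validates the mode string
    group = ["automatic logoff", "main screen", "redirect screen"].index(end)
    return 3 * group + MODES.index(s.mode) + 1

def review_notes(s):
    """Points an administrator would weigh, taken from the workflow steps."""
    notes = []
    if s.configured and s.mode == MODES[0]:
        notes.append("Session Logon does not check the password; "
                     "connectors that require authentication prompt for it")
    if s.configured and end_of_job(s) == "main screen":
        notes.append("session stays open after the job until Logout is pressed")
    return notes
```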