Session Logon service

The Session Logon service is located on the Configure Services tab under the Device Services section.

It provides secure access to the application and avoids prompting for credentials multiple times.

Session Logon is provided as a single point of authentication for the entire workflow. If Session Logon is configured and enabled for a device, you need to log on only once into ShareScan. The logon information is effective for the entire session. You do not have to enter your logon information each time you select a connector during the current session. The ShareScan Manager passes the logon information to the Connector using an internal interface called "Credentials" in Data Publishing.

If you need to access different servers, and the logon credentials are not the same on those servers, the system prompts you to enter logon information, even when Session Logon is enabled.

If you enable Session Logon for the Quick Connect, LDAP/SMTP, or Fax via SMTP connectors, refer to the connector-specific configuration section for information about selecting the authentication type.

Configuring Session Logon Service (also known as Single Sign-On Extender)

Via the Administration Console, the ShareScan Administrator ensures that you have the necessary access rights to all connectors to be used.

If you change your password, you have to go through the above process once more.

The authentication is only valid for connectors using the same Active Directory credentials you supplied on the Session Logon screen, and for connectors that are configured not to ask for credentials. You still have to authenticate separately if your card-based credentials are not the same as your credentials for logging in to the backend service of a connector (for instance, Lotus Notes).

You can test the username/password combination prior to enabling the service either via the built-in ShareScan Simulator, or at the device itself.

Session Logon settings

Setting	Description
Configured	Enables Session Logon in the Device pane when selecting the Yes check box; or disables Session Logon in the Device pane (this disables all the other fields and properties).
Session logon mode	The value of this setting specifies session logon behavior. Available options: Session Logon: This option selects the standard service behavior, (i.e. users must authenticate themselves via user name and password at the device). Bypass session logon (no authentication): This option enables the ShareScan client to be configured to bypass the Session Logon screen when only the user identification is received from the device, Cost Recovery or ID Services and the password is not provided. While a network authentication is not performed by ShareScan Session logon, the received username is used by the individual connectors when needed. Bypass session logon (authenticate user) (also known as Single Sign-On Extender): This option enables a network authentication to be performed by ShareScan using the username, password and domain provided by the device, Cost Recovery or ID Services. Note: Secure storage (password caching) of the user’s network passwords is enabled when Session logon mode is set to or Bypass session logon (authenticate user). This enables the user to swipe a card (or use any other available method to identify themselves) and have this log the user into eCopy ShareScan and to access network resources. If no password is provided, available or password caching is not enabled, the user is prompted to enter their password.
Directory services	Specifies the directory service that manages your list of users (Windows Active Directory or Novell Directory Services).
Domain	The domain associated with your login name and password (you can also specify another domain name): Windows Active Directory: The current domain for the local machine is default. Novell Directory services: You must specify the NDS Server and ID. You can add more domains to your configuration (see below). The value you choose above defines which (AD or Novell) domains the service can access. If you have multiple domains configured, these can have different base DNs and LDAP query credentials per server.
Default	Sets the active domain as the default one.
Directory Access	Specifies the type of access required to retrieve user names from the directory.
Type	Specifies the type of access required to retrieve user names from the directory: Anonymous or Use credentials (User name and Password settings are required). You can also choose to Disable directory service access. If you choose to do so, Search while typing is also disabled and so is LDAP-based authentication.
User name	The user name. Specify if you have chosen the Use credentials option above.
Password	The user password (hidden by asterisks). Specify if you have chosen the Use credentials option above.
Search while typing	Click Yes to enable the type-ahead feature when you start entering a user name at the device.
Search parameters	Specifies the parameters for searching the selected directory.
Search on	The search criterion by which the system searches the user list: Windows Active Directory: First Name, Last Name, Display Name, or Account Name. Novell Directory Services: First Name, Last Name, or User ID.
Automatic Base DN detection	If enabled, the Manager performs an auto-detection for the base DN in the domain when doing type-ahead search. In multi-domain environments, you can set a DN for each added domain. Domains without this will take the default domain settings.
Base DN	The Base DN or directory root which is the starting point of the search. This option defaults to the root of the main tree. Use this option to select the specific DN or context where you want the search to begin.
Restrict users to this DN	Limits the scope of the search to the specified DN.
Scope	The scope of the search at one level down from the Base DN or down to the lowest level of the tree: Base, One level, and Subtree.
Use Group Membership Lookup Strategy	Select how to determine all groups in which the user is a member. Options include: Use the 'Token-Groups' user attribute (default): utilizing this attribute from Active Directory to detect all groups in which the user is a member (including direct and indirect membership data). Use the 'Member' group attribute with 'in-chain' match operator: utilizing the "Member" group attribute with the LDAP_MATCHING_RULE_IN_CHAIN matching operator to get all membership info for a user. When this strategy is used, optionally, the "Group Container DN" Session Logon parameter can be specified to make the operation faster. This setting must contain the distinguished name(s) of container(s) which store(s) the security groups in the AD. When this parameter is not specified, ShareScan will perform the LDAP search from the root - this is slightly slower then starting the search from the security group container. The actual performance difference depends on the network environment / Active Directory configuration.
Group Container DN	The scope of the search at one level down from the Base DN or down to the lowest level of the tree: Base, One level, and Subtree.
Disable manual credential entry on Session Logon screen	Leave this option unchecked to enable users to change the credentials at session logon. This is helpful when there is authentication on a device that does not communicate server to server. This option is only required if neither ID services nor Cost Recovery is configured, and the user name is received from the device. If this checkbox is marked, the user name and domain fields are disabled on the MFP screen, and only the data received from the device are shown. This also happens if ID service or Cost Recovery is active and configured.
Hide Logout button	Use this to hide the Logout button on the MFP device screen when you use an external authentication system for authentication, and you do not want the user to disconnect from Session Logon, as the authentication is performed by an external system.
Enable for all devices	Enabled: select the Yes checkbox to enable the service for all devices; clear the check box to disable the service for all devices.

The Test button allows you to quickly verify the Session Logon configuration without having to wait to add the device and test the same details at the Client. It is enforced to use the Test feature successfully before saving the settings of the Session Logon Service.

Adding a domain

Click the Add domain button if you want to have more than one domains covered by the Session Logon service. Specify Type and the Domain itself in the dialog window. If you have at least two domains listed in this service, you can pick a default one in the main configuration page.

Removing a domain

Select the domain you want to remove in the main configuration page (under Directory Services) and click the Remove domain button.

Test Session Logon settings

You can verify configuration by entering your name and password, selecting the domain, and then clicking the Test button.

Setting	Description
User name	The user name.
Password	The user password.
Domain	The domain in which you are testing the configuration.
Success/Failure message	A message indicating success or failure appears in the bottom of the pane. If the test fails, the following error message appears: `Error: Failed to authenticate the user - Logon failure: unknown user name or bad password.`
Test	Attempts to log on using the specified credentials.
Cancel	Terminates the test session.

After Session Logon is configured, enabled for a device, and tested, Session Logon is the first screen that you see at the Client. You must enter a valid username and password to log on to the selected domain, or if Session logon mode is set to Bypass session logon (no authentication) or Bypass session logon (authenticate user) the credentials are received from external authentication and the Session Logon screen can be bypassed automatically. The ShareScan Manager verifies the credentials and passes them to the selected Connector.

The Connector must also verify the credentials passed to. If the authentication fails, the Connector must challenge you for the credentials again. The Connector must also display an appropriate error message.

Note:

The ShareScan Manager does not retain the credentials entered for testing.

Typical Session Logon workflows

This section describes several Session Logon workflows and their configuration settings.

These settings are at different locations in the ShareScan Administration Console:

Session Logon:
1. Services tab > Device Services section;
2. Devices tab > Settings pane (click device name in Device Configuration pane) (that is: Session Logon must be enabled both in the Services tab and the Devices tab )
Session Logon mode: Services tab > Device Services section
Bypass redirect screen option: (Connectors tab, connector's Setting pane)
Logoff automatically: (Connectors tab, connector's Setting pane)

Each workflow below uses an external authentication application. In these scenarios it is Equitrac but the order of the workflow steps is essentially the same with a different external authentication application.

Based on setting values (enabled or disabled), the workflows make up four major groups.

Note:

The length and complexity of a workflow depends on how a particular connector is configured. The enabled or disabled status of any of the User data entry during scan, Background Processing and Hide Preview screen options and combinations of these all have an impact on workflow execution time. The workflows described here have all these settings enabled.

Important!

In the Authentication section of connector profiles, the Authenticate User field should be set to either RunTime or Logon as for a more lifelike Session Logon behaviour.

Group 1: All settings enabled

Variable: Session Logon mode (No Authentication / Authenticate User / Session Logon)

Workflow 1

Settings

Session Logon: Configured
Session Logon mode: Bypass Session Logon (No Authentication)
Bypass redirect screen option: Enabled
Logoff automatically: Enabled

Workflow Steps

User swipes card to log automatically into Equitrac (or a similar external authentication provider)
User selects the ShareScan application on the device screen.
The session logon screen is automatically bypassed, the password is not checked by Session Logon service.
ShareScan main screen is shown.
User inserts sheets, presses a connector button, scanning starts. If the connector requires user authentication; user has to provide the password.
Connector screens are displayed. After clicking through the final connector screen: and the user is logged off automatically.
The ShareScan Session Logon screen shows empty fields.

Workflow 2

Settings

Session Logon: Configured
Session Logon mode: Bypass Session Logon (Authenticate user)
Bypass redirect screen option: Enabled
Logoff automatically: Enabled

Workflow Steps

User swipes card to log automatically into Equitrac (or a similar external authentication provider).
User selects the ShareScan application on the device screen.
The user name password and domain is checked by Session Logon service. If the correct credentials are provided by the external authentication, the session logon screen is automatically bypassed.
ShareScan Main screen is shown.
User inserts sheets, presses a connector button, scanning starts. If the connector requires user authentication; user has to provide the password.
Connector screens are displayed. After clicking through the final connector screen: and the user is logged off automatically.
The ShareScan Session Logon screen shows empty fields.

Workflow 3

Settings

Session Logon: Configured
Session Logon mode: Session Logon
Bypass redirect screen option: enabled
Logoff automatically: enabled

Workflow Steps

User swipes card to log automatically into Equitrac (or a similar external authentication provider).
User selects the ShareScan application on the device screen.
Session Logon screen is shown, with the user's authentication data already filled in (password required).
User presses Login after providing the password, ShareScan Main screen is shown.
User inserts sheets, presses a connector button. Scanning starts.
Connector screens are displayed and the user is logged off automatically.
The ShareScan Session Logon screen shows empty fields.

Group 2: Logoff Automatically disabled

Variable: Session Logon mode (No Authentication / Authenticate User / Session Logon)

Workflow 4

Settings

Session Logon: Configured
Session Logon mode: Bypass Session Logon (no authentication)
Bypass redirect screen option: enabled
Logoff automatically: disabled

Workflow Steps

User swipes card to log automatically into Equitrac (or a similar external authentication provider).
User selects the ShareScan application on the device screen.
The session logon screen is automatically bypassed, the password is not checked by Session Logon service.
ShareScan Main screen is shown.
User inserts sheets, presses a connector button, scanning starts. If the connector requires user authentication; user has to provide the password.
Connector screens are displayed. After clicking through the final connector screen: the Main screen is displayed.
User presses Logout and the ShareScan Session Logon screen shows empty fields.

Workflow 5

Settings

Session Logon: Configured
Session Logon mode: Bypass Session Logon (authenticate user)
Bypass redirect screen option: enabled
Logoff automatically: disabled

Workflow Steps

User swipes card to log automatically into Equitrac (or a similar external authentication provider).
User selects the ShareScan application on the device screen.
The user name password and domain is checked by Session Logon service. If the correct credentials are provided by the external authentication, the session logon screen is automatically bypassed.
ShareScan Main screen is shown.
User inserts sheets, presses a connector button, scanning starts. If the connector requires user authentication; user has to provide the password.
Connector screens are displayed. After clicking through the final connector screen: the Main screen is displayed.
User presses Logout and the Session Logon screen shows empty fields.

Workflow 6

Settings

Session Logon: Configured
Session Logon mode: Session Logon
Bypass redirect screen option: enabled
Logoff automatically: disabled

Workflow Steps

User swipes card to log automatically into Equitrac (or a similar external authentication provider).
User selects the ShareScan application on the device screen.
Session Logon screen is displayed, with the user's authentication data already filled in (password required).
User presses Login after providing the password, ShareScan Main screen is shown.
User inserts sheets, presses a connector button. Scanning starts.
Connector screens are displayed. After clicking through the final connector screen the Main screen is displayed.
User presses Logout and the Session Logon screen shows empty fields.

Group 3: Bypass redirect screen disabled (Logoff automatically inactive)

Variable: Session Logon mode (No Authentication / Authenticate User / Session Logon)

Workflow 7

Settings

Session Logon: Configured
Session Logon mode: Bypass Session Logon (no authentication)
Bypass redirect screen option: disabled

Workflow Steps

User swipes card to log automatically into Equitrac (or a similar external authentication provider).
User selects the ShareScan application on the device screen.
The session logon screen is automatically bypassed, the password is not checked by Session Logon service.
ShareScan Main screen is shown.
User inserts sheets, presses a connector button, scanning starts. If the connector requires user authentication, user has to provide the password.
Connector screens are displayed. After clicking through the final connector screen, the Redirect screen is displayed.
User chooses an option on the Redirect screen.

Workflow 8

Settings

Session Logon: Configured
Session Logon mode: Bypass Session Logon (authenticate user)
Bypass redirect screen option: disabled

Workflow Steps

User swipes card to log automatically into Equitrac (or a similar external authentication provider).
User selects the ShareScan application on the device screen.
The user name password and domain is checked by Session Logon service. If the correct credentials are provided by the external authentication, the session logon screen is automatically bypassed.
ShareScan Main screen is shown.
User inserts sheets, presses a connector button, scanning starts.
Connector screens are displayed. After clicking through the final connector screen, the Redirect screen is displayed.
User chooses an option on the Redirect screen.

Workflow 9

Settings

Session Logon: Configured
Session Logon mode: Session Logon
Bypass redirect screen option: disabled

Workflow Steps

User swipes card to log automatically into Equitrac (or a similar external authentication provider).
User selects the ShareScan application on the device screen.
Session Logon screen is displayed, with the user's authentication data already filled in (password required).
User presses Login after providing the password, ShareScan Main screen is shown.
User inserts sheets, presses a connector button. Scanning starts.
Connector screens are displayed. After clicking through the final connector screen, the Redirect screen is displayed.
User chooses an option on the Redirect screen.

Group 4: Session Logon disabled

Variable: Bypass redirect screen and Logoff automatically (enabled or disabled)

Workflow 10

Settings

Session Logon: NOT Configured
Bypass redirect screen option: enabled
Logoff automatically: disabled

Workflow Steps

User swipes card to log automatically into Equitrac (or a similar external authentication provider).
User selects the ShareScan application on the device screen.
ShareScan Main screen is shown.
User inserts sheets, presses a connector button. Scanning starts.
Connector screens are displayed. After clicking through the final connector screen, ShareScan main screen is shown.

Workflow 11

Settings

Session Logon: NOT Configured
Bypass redirect screen option: disabled

Workflow Steps

User swipes card to log automatically into Equitrac (or a similar external authentication provider).
User selects the ShareScan application on the device screen.
ShareScan Main screen is shown.
User inserts sheets, presses a connector button. Scanning starts.
Connector screens are displayed. After clicking through the final connector screen, the Redirect screen is shown.
User chooses an option on the Redirect screen.