Session Logon Settings and Related Advanced Settings
Glossary
- Authentication provider (AP)
- An external system that can authenticate the device user and provide the user credentials to ShareScan. Authentication providers can be grouped as:
- Server Authentication provider (SAP)
- An external system that integrates with ShareScan via the Cost Recovery Service (like Equitrac or Copitrak) or the ID Service (like NTWare Uniflow or Canon ScanFront Fingerprint Authentication).
- Device Authentication Provider (DAP)
- An authentication application installed on the device that is able to pass on user name and domain name data to the ShareScan application. Examples: Ricoh AAA, Xerox SecureAccess, and so on.
Session Logon Service settings
Session Logon Mode:
- Session Logon
When integrating with an Authentication provider, the AP must provide the user name, domain and password to let the user automatically bypass the Session Logon screen. Because all three data items are provided, real Windows authentication takes place, and the logged-in user’s identity is used in the different operations.
If no AP is used, then the users must manually enter their user name and password; optionally, they can select a domain, if necessary. By default, the domain marked as ‘default’ will be selected on the Session Logon screen.
Depending on the specific AP and its configuration, it is possible that only the domain and user name are provided by the AP. In such a case, the Session Logon screen is not bypassed automatically; instead, the user can enter the password manually and click the Login button.
- Bypass Session Logon (no authentication)
Select this option only if using an AP. This option does not require a password from the AP; it requires and uses only the domain and the user name.
This implies that no Windows authentication will happen, so the pre-set service accounts will be used in the different operations.
With some system and connector options, the user’s email address or other attributes (like the user’s home directory) are fetched from Active Directory, based on the domain and the user name.
- Bypass Session Logon (authenticate user)
Select this option only if using an AP. The behavior is somewhat similar to Bypass Session Logon (no authentication). The similarity is that the AP might or might not pass on the user’s password to the ShareScan Manager. The difference is that ShareScan authenticates users: because this requires a password, it challenges them at the MFP for their password when they log into ShareScan for the first time. If the Windows authentication is successful with this password, ShareScan saves the password (in encrypted form) and uses it whenever the user logs in via the AP.
Disable manual credential entry on Session Logon screen
When this setting is chosen, manual entry in the user name and domain fields is disabled on the Session Logon screen displayed on the MFP, but the password field can still be edited. It is meaningful (and strongly recommended) to check this setting when ShareScan is integrated with an Authentication system, because these systems provide the user name and other data without manual entry.
When integrating with such systems, leaving this setting cleared may lead to a security issue in certain cases, depending on the configuration.
If Session Logon mode is set to Bypass Session Logon (authenticate user) or to Bypass Session Logon (no authentication), the user name and domain fields are disabled automatically (it is not necessary to check this setting).
Hide Logout button
The Logout button will be hidden on the MFP screens (Main screen, Redirect screen) if this setting is chosen. It is recommended to select this setting when ShareScan is integrated with an External Authentication system.
Hiding the Logout button prevents users from logging out of ShareScan by hitting the Logout button (it could appear on the Main screen or on the Redirect screen). This is useful when we want to force the users to use the card swipe or the hardware logout button to log out from the External Authentication system on the MFP device.
Cost Recovery Service settings
Show Lock Button
ScanStation-only setting. When this setting is enabled (checked), a Lock button is shown on the ShareScan Session Logon screen. If the user clicks this button, the Cost Recovery session is terminated (the AP / CR server is notified) and a lock cover screen is displayed on the ScanStation application, blocking any access to ShareScan until the user unlocks (logs in to) the Cost Recovery system.
ID Service settings
Accept UserID only requests from External Service
If configured in a certain way, the AP is able to send a ‘user ID’ instead of the user name (domain user account name). This setting must be checked if we want to use that type of integration.
Advanced Settings
AutoQuitShareScanOnAutoLogout
Supported only on certain platforms like KonicaMinolta, Xerox, Ricoh and HP.
The setting plays a role only for workflows where the ’Bypass redirect screen’ and ’Logoff automatically’ connector settings are both enabled.
It is reasonable to have these two settings enabled when we want to allow the users to execute only one scanning workflow (that is, a single connector usage) in a session.
The behavior controlled by this setting is the following:
When AutoQuitShareScanOnAutoLogout is set to
- True, then after the UI phase of the workflow is completed, the MFP will switch back to its main screen (on the supported platforms, see above).
- False, then after the UI phase of the workflow is completed, the user will be logged out (from ShareScan) and put back on the ShareScan Session Logon screen.
AutoQuitShareScanOnLogoff (formerly called SingleSignOff)
Supported only on certain platforms like KonicaMinolta, Xerox, Ricoh and HP.
Enables (true) or disables (false) closing/leaving the ShareScan application on the MFP when the user logs out manually by clicking the Logout button on the ShareScan Main screen or Redirect screen.
RicohCRClientProductID
Product ID of the application to switch to when AutoQuitShareScanOnAutoLogout or AutoQuitShareScanOnLogoff is used.
For example, if Equitrac PCC is the authentication client on the Ricoh device, then the Application ID of PCC should be set for this setting.
SessionLogonDomainCacheEnabled
If domain information is unavailable, Session Logon attempts to retrieve it from the credential cache. Default value: false.
It is possible to use this setting in conjunction with Session Logon mode ‘Bypass Session Logon (authenticate user)’, in cases when the integrating AP or DAP is not providing a domain name.
When this setting is true, ShareScan uses only the user name (as a key) to store / fetch the corresponding password, and it stores / fetches the domain name as well.
SessionLogonOverrideHomeDirectory
If set, the home directory location specified in this setting will be used in some of the Connectors as the home folder of the logged-in user, ignoring the actual LDAP query result (that is, the home folder will be the same for all users; this is useful in some special scenarios).
UseSecureLDAP
Use Secure LDAP (LDAPS) for LDAP operations. Possible values: true, false. Default value: false.
DirectLockScanStation (formerly called DirectLock)
Locks ScanStation along with the device when the Lock button is pushed on the Session Logon or Main screens.
If set to
- True: a Cost Recovery Lock message will be sent to the Cost Recovery server when the user pushes the Lock button. This will terminate the Cost Recovery session, and the MFP will be locked, preventing the user from performing any other operation on the MFP.
- False: no Lock message will be sent from the ScanStation, which is useful if we want to let the user perform other operations (like copy) on the MFP.
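
The recommendations on this page can be checked mechanically against a settings snapshot. The audit sketch below is an added example, not ShareScan code: the dictionary keys (other than UseSecureLDAP), the mode names and the severity labels are assumptions made for illustration, and the rules encode only what this page states.

```python
# Added example: setting keys below are hypothetical labels for the options
# described on this page, not ShareScan's own storage format.
MODES = ("session_logon", "bypass_no_auth", "bypass_auth")

def audit_session_logon(cfg):
    """Return (severity, message) findings for one ShareScan settings snapshot."""
    mode = cfg["session_logon_mode"]
    if mode not in MODES:
        raise ValueError(f"unknown session logon mode: {mode!r}")
    uses_ap = cfg.get("uses_authentication_provider", False)
    bypass = mode != "session_logon"
    findings = []

    # Both bypass modes are documented as "only if using an AP".
    if bypass and not uses_ap:
        findings.append(("high", f"{mode} is selected but no AP is in use"))
    if mode == "bypass_no_auth":
        findings.append(("info", "no Windows authentication; operations run "
                                 "under the pre-set service accounts"))
    # In both bypass modes the user name and domain fields are disabled
    # automatically, so this check only matters in plain Session Logon mode.
    if uses_ap and not bypass and not cfg.get("disable_manual_credential_entry", False):
        findings.append(("high", "manual entry of user name and domain is enabled "
                                 "although an AP supplies them"))
    if uses_ap and not cfg.get("hide_logout_button", False):
        findings.append(("low", "Logout button is visible; users can leave ShareScan "
                                "without logging out of the AP"))
    if not cfg.get("UseSecureLDAP", False):  # the page gives false as the default
        findings.append(("medium", "LDAP operations do not use LDAPS"))
    return findings

# Constructed sample snapshot: AP integration in plain Session Logon mode.
SAMPLE = {
    "session_logon_mode": "session_logon",
    "uses_authentication_provider": True,
    "disable_manual_credential_entry": False,
    "hide_logout_button": False,
    "UseSecureLDAP": False,
}

if __name__ == "__main__":
    for severity, message in audit_session_logon(SAMPLE):
        print(f"[{severity}] {message}")
```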