Session Logon settings

Configured

Enables Session Logon in the Device pane when selecting the Yes check box; or disables Session Logon in the Device pane (this disables all the other fields and properties).

Session logon mode

The value of this setting specifies session logon behavior. Available options:

• Session Logon: This option selects the standard service behavior, that is, users must authenticate themselves via user name and password /one-time passcode at the device.
• Bypass session logon (no authentication): This option enables the ShareScan client to be configured to bypass the Session Logon screen when only the user identification is received from the device, Cost Recovery or ID Services and the password is not provided. While a network authentication is not performed by ShareScan Session logon, the received username is used by the individual connectors when needed.
• Bypass session logon (authenticate user) (also known as Single Sign-On Extender): This option enables a network authentication to be performed by ShareScan using the username, password and domain provided by the device, Cost Recovery or ID Services.

Only in case of Windows Active Directory, secure storage (password caching) of the user’s network passwords is enabled when Session logon mode is set to or Bypass session logon (authenticate user). This enables the user to swipe a card (or use any other available method to identify themselves) and have this log the user into eCopy ShareScan and to access network resources. If no password is provided, available or password caching is not enabled, the user is prompted to enter their password.

Directory services

Specifies the directory service that manages your list of users (Windows Active Directory or Microsoft Entra ID or Novell Directory Services).

Domain (not available for Microsoft Entra ID)

The domain associated with your login name and password (you can also specify another domain name):

• Windows Active Directory: The current domain for the local machine is default.
• Novell Directory services: You must specify the NDS Server and ID.

You can add more domains to your configuration (see below). The value you choose above defines which (AD or Novell) domains the service can access. If you have multiple domains configured, these can have different base DNs and LDAP query credentials per server.

Tenant (only available for Microsoft Entra ID)

The tenant specified when enabled Session logon with Microsoft Entra ID or added as an additional tenant.

Default

Sets the active domain / tenant as the default one.

Directory Access

Specifies the type of access required to retrieve user and group data from the directory.

Type

Specifies the type of access required to retrieve user and group data from the directory.

In case of Microsoft Entra ID its value is Use credentials which cannot be modified, and Username and Authorization Provider ID are required.

Otherwise you can select Anonymous or Use credentials or Use ShareScan Manager service credentials.

User name and Password settings are required if you choose Use credentials.

If you select Use ShareScan Manager service credentials, User name and Password settings are required but only for testing the Session Logon service configuration.

At runtime always the actual ShareScan Manager service credential is used for retrieving user and group data from the directory.

You can also choose Directory service access is disabled. If you choose to do so, Search while typing is also disabled and so is LDAP-based authentication.

User name

The user name. Specify if you have chosen the Use credentials option above.

Password (not available for Microsoft Entra ID)

The user password (hidden by asterisks). Specify if you have chosen the Use credentials option above.

Authorization Provider ID (only available for Microsoft Entra ID)

Identifier of the Token Vault Microsoft 365 authorization provider that is associated with this service.

Search while typing

Click Yes to enable the type-ahead feature when you start entering a user name at the device.

Search parameters

Specifies the parameters for searching the selected directory.

Search on

The search criterion by which the system searches the user list:

• Windows Active Directory and Microsoft Entra ID: First Name, Last Name, Display Name, or Account Name.
• Novell Directory Services: First Name, Last Name, or User ID.

Automatic Base DN detection (not available for Microsoft Entra ID)

If enabled, the Manager performs an auto-detection for the base DN in the domain when doing type-ahead search. In multi-domain environments, you can set a DN for each added domain. Domains without this will take the default domain settings.

Base DN (not available for Microsoft Entra ID)

The Base DN or directory root which is the starting point of the search. This option defaults to the root of the main tree. Use this option to select the specific DN or context where you want the search to begin.

Restrict users to this DN (not available for Microsoft Entra ID)

Limits the scope of the search to the specified DN.

Scope (not available for Microsoft Entra ID)

The scope of the search at one level down from the Base DN or down to the lowest level of the tree: Base, One level, and Subtree.

Use Group Membership Lookup Strategy (not available for Microsoft Entra ID)

Select how to determine all groups in which the user is a member. Options include:

• Use the 'Token-Groups' user attribute (default): utilizing this attribute from Active Directory to detect all groups in which the user is a member (including direct and indirect membership data).
• Use the 'Member' group attribute with 'in-chain' match operator: utilizing the "Member" group attribute with the LDAP_MATCHING_RULE_IN_CHAIN matching operator to get all membership info for a user. When this strategy is used, optionally, the "Group Container DN" Session Logon parameter can be specified to make the operation faster. This setting must contain the distinguished name(s) of container(s) which store(s) the security groups in the AD. When this parameter is not specified, eCopy ShareScan will perform the LDAP search from the root - this is slightly slower then starting the search from the security group container. The actual performance difference depends on the network environment / Active Directory configuration.

Group Container DN (not available for Microsoft Entra ID)

The scope of the search at one level down from the Base DN or down to the lowest level of the tree: Base, One level, and Subtree.

Disable manual credential entry on Session Logon screen

Leave this option cleared to enable users to change the credentials at session logon. This is helpful when there is authentication on a device that does not communicate server to server.

This option is only required if neither ID services nor Cost Recovery is configured, and the user name is received from the device.

If this check box is selected, the user name and domain fields are disabled on the MFP screen, and only the data received from the device are shown. This also happens if ID service or Cost Recovery is active and configured.

Hide Logout button

Use this to hide the Logout button on the MFP device screen when you use an external authentication system for authentication, and you do not want the user to disconnect from Session Logon, as the authentication is performed by an external system.

Enable for all devices

Enabled: select the Yes check box to enable the service for all devices; clear the check box to disable the service for all devices.