Watchdoc - Directory - Configure a Microsoft Entra ID (Azure AD) directory

Azure section

The information entered is used to establish communication between Watchdoc and the directory:

  • Tenant-Id: specify your Microsoft Azure Directory ID (Tenant).

  • Service account Application: specify the authentication information generated by the Microsoft Azure application dedicated to Watchdoc servers.

    • Client-Id: enter the Microsoft Azure Application (client) ID.

    • Client-Secret: enter the Microsoft Azure Client secret associated with the application. Specify the secret value and not the secret ID.


  • Authenticate users Application (Print Client): specify the authentication information generated by the Microsoft Azure application dedicated to Watchdoc Print Client for Windows.

    • Label: enter the application name displayed to users in Watchdoc Print Client.

    • Client-Id: enter the Microsoft Azure Application (client) ID.


  • Authenticate users Application (Browser): specify the authentication information generated by the Microsoft Azure application dedicated to the Watchdoc web interface.

    • Label: enter the application name displayed to users in Watchdoc interface.

    • Client-Id: enter the Microsoft Azure Application (client) ID.

    • Client-Secret: enter the Microsoft Azure Client secret associated with the application. Specify the secret value and not the secret ID.

PUK code section

Users registered in a Microsoft Entra ID directory can authenticate themselves in Watchdoc using a PUK (Print User Key) code*. In Watchdoc, the PUK is a code associated with a user account but used on its own, sufficient to authenticate the user on a WES. It is generated by an algorithm, and the user can view it on the "My account" page of Watchdoc. This code can be:

  • either present in an attribute of the Microsoft Entra ID directory. In this case:

    1. tick the box The PUK code is in an Entra ID attribute,

    2. complete the Attribute field by entering the name of the Entra ID directory attribute in which the PUK code is stored (for example, enter ‘employeeId’ if the Entra ID directory attribute used is Employee ID);

  • either stored in a PUK Code Database (SQL) type directory. In this case, you must first configure this database (see Configuring a PUK Code Database (SQL)), then configure the directory as follows:

    1. in the list of databases, select the PUK Code database associated with the Entra ID directory (Azure AD);

    2. tick the Use the master to create/get users PUK code box if you want PUK code management to be centralised by the Master server. This option, available since v6.0.0.4777, prevents duplicates when PUK codes are generated from a slave server while the Master server is unavailable.

* For security reasons, we advise against authentication by PUK code and recommend using the user account (login)/PIN code.

PIN code section

In this section, specify whether users registered in the directory can authenticate themselves in Watchdoc using a PIN code (a code consisting of at least 4 digits, the length of which varies depending on the administrator's configuration). Combined with the username, it constitutes a means of authentication on a WES. The user can view it on their My Account page.

It is stored either in an SQL table or in a JSON file and can be stored as is or secured by hashing.

From the list, select one of the following settings:

  • Auto: the PIN code is generated automatically by the directory;

  • Disabled: the PIN code is not used;

  • Stored or inherited from a child directory: this parameter is specific to the META directory and indicates that the PIN code is managed by another directory included in the META directory;

  • Stored in user settings (in plain text): the PIN code is stored in plain text in the directory. The user can view it on their ‘My Account’ page and can also generate a new one;

  • Stored in user settings (hashed): the PIN code is stored securely in the Json.db database. The user cannot view it on the ‘My Account’ page, but they can generate a new one.

Print code section

The print code is a code that allows users to authenticate themselves, in addition to their login, on certain WES (Epson, Hewlett Packard, Konica Minolta, Sharp, Toshiba, Xerox).
This alphanumeric code is entered by the user on their ‘My Account > Codes and Badges’ page. It must contain between 4 and 16 characters and must not contain more than 2 digits.

To be configured in WES as a means of authentication, it must first be configured in the directory:

  1. Select code activation, specifying:

    1. whether it is stored in plain text;

    2. whether it is secured by the AES algorithm (hashed, provided that hashing is configured in the LDAP directory).

E-mail

To communicate with users (when e-mail notifications are enabled), Watchdoc needs to have their e-mail address. This setting is used to define how Watchdoc determines a user's e-mail address:

  • Stored in the directory: Opt for this choice if the directory has an attribute that is specific to the e-mail address.

  • The user account is also used as the e-mail address: Opt for this choice so that Watchdoc will create the e-mail address by linking the user account name with a DNS domain name. In this case, state:

    • The DNS domain name to add when linking.

  • Find the address in an alias directory: Opt for this choice if the e-mail address is stored in an Alias directory.

    • Search: Select the Alias directory where the e-mails are stored.

Cards

The user can authenticate to the printing device using a badge. If this authentication method is used, select from the list the directory in which the user's badges are registered: the users will receive an e-mail containing their code (PUK or PIN) and inviting them to enrol their badge. Enrolment is the action of assigning a badge number to the user account that owns it; it takes place when a badge is used for the first time. It may be performed by the IT services manager when they issue a badge to a user, or by the user themselves by entering their ID (PIN, PUK, or ID and password), which is then assigned to their badge number. Once enrolment is complete, the badge number is definitively assigned to its owner.

Cache


Watchdoc can keep the results of directory requests in an in-memory cache to speed up their execution.
By default, the lifetime (TTL) of cached directory data is 72 hours.
Tick the boxes for the caches you wish to enable:

  • User Infos: Tick this box to enable the user information cache.

  • Not found: Tick this box to enable the cache covering users whose accounts have not been found.

  • Cold Cache: Tick this box to retain the "cold" data cache, i.e. data that has already been checked but has now expired.

  • Persistence: Tick this box to retain the cache on disk so that it can be recovered if the Watchdoc service is restarted.

  • Compression: Tick this box to enable cache compression on disk. We strongly recommend enabling this setting to reduce the size of the file when persistence is enabled.

  • Encryption: Tick this box to encrypt the cache file on disk, to secure its content.


Circuit Breaker

User directories are usually hosted on a remote domain controller or server, accessible via the local network. In the event of a network failure or severe slowdown, this can cause a cascading effect that can cause the print server to freeze or slow down.

In this case, it may be useful to activate a "logic fuse", which trips in the event of a major system slowdown, to stop requests being sent to the faulty server.

Warning: it is important to consider the impact of tripping the fuse on the proper functioning of the service!
To effectively protect the server from a malfunction of the remote directory, the fuse must be calibrated correctly. It is recommended to test the fuse settings before applying them in a production environment.

To configure the circuit breaker:

  1. Access the Watchdoc administration interface as an administrator.

  2. From the Main Menu, Configuration section, click on Users directories.

  3. In the list of declared directories, click on the button to access the directory settings;

  4. or click on the button to Register a new directory (in the top banner).

  5. In the Register a directory interface, go to the Circuit breaker section.

  6. In the fields, enter the values beyond which Watchdoc stops sending queries to the directory server to avoid overload:

  • Max. errors: this is the number of successive "serious" errors. A "serious" error is, for example, a network communication problem, a timeout, or a malfunction of the remote server. These errors are generally rare and can sometimes resolve themselves (end of a peak period, restart of the remote server, etc.). Logical errors (such as an authentication failure, a syntax error or a directory setting error) are ignored.

  • Max. Requests: this is the maximum number of parallel requests allowed. In case of heavy workload, the remote server may not be able to respond to a large number of simultaneous requests.

  • Max. duration: this is the maximum average execution time of the last 10 requests. When the remote server slows down severely (peak period, network timeout, etc.), this time increases.

  • Retry Delay: once the circuit breaker has tripped, the waiting time before requests are resumed. At the end of this delay, Watchdoc sends requests again in order to "probe" the state of the server. If the requests are successful, the fuse is reactivated; otherwise it waits for the delay to expire again.
    The administrator can manually deactivate the fuse at any time. The fuse then remains switched off until it is manually reactivated. Consider using this feature to test the impact of a failure on the print server.


The values commonly entered to activate the circuit breaker in a large multi-server environment are the following:

  • max. errors: 5

  • max. requests: 5

  • max. duration: 30 seconds

  • retry delay: 120 seconds
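As an added illustration (not Watchdoc's own code), the following Python model shows how the four circuit-breaker settings above interact: consecutive serious errors, the parallel-request cap and the average duration of the last 10 requests all trip the fuse, and after the retry delay one probe request decides whether it is reactivated. The typical values listed above are the defaults; the clock is injected so the constructed scenario runs offline.

```python
import time
from collections import deque

class SeriousError(Exception): pass   # network problem, timeout or remote-server malfunction

class DirectoryFuse:
    """Illustrative model of the circuit breaker described on this page (not Watchdoc's own code)."""
    def __init__(self, max_errors=5, max_requests=5, max_duration=30.0, retry_delay=120.0,
                 clock=time.monotonic):    # clock() in seconds, injectable so the demo runs offline
        self.max_errors, self.max_requests, self.max_duration = max_errors, max_requests, max_duration
        self.retry_delay, self.clock = retry_delay, clock
        self.errors = 0                     # consecutive "serious" errors
        self.in_flight = 0                  # parallel requests currently running
        self.durations = deque(maxlen=10)   # execution time of the last 10 requests
        self.tripped_at = None              # None while requests flow normally (fuse closed)

    def call(self, request):
        """Send request() through the fuse. Returns 'blocked', 'error' or the request's result."""
        now = self.clock()
        if self.tripped_at is not None and now - self.tripped_at < self.retry_delay:
            return "blocked"                # nothing is sent to the directory while waiting
        if self.in_flight >= self.max_requests:
            self.tripped_at = now           # too many simultaneous requests: trip
            return "blocked"
        self.in_flight += 1
        try:                                # a probe if the retry delay has just elapsed
            result = request()              # logical errors propagate and are ignored by the fuse
        except SeriousError:
            self.errors += 1
            if self.tripped_at is not None or self.errors >= self.max_errors:
                self.tripped_at = self.clock()  # trip, or restart the wait after a failed probe
            return "error"
        finally:
            self.in_flight -= 1
            self.durations.append(self.clock() - now)
        self.errors = 0
        too_slow = sum(self.durations) / len(self.durations) > self.max_duration
        self.tripped_at = self.clock() if too_slow else None   # slow average: trip; else reactivate
        return result

def simulate():
    """Constructed scenario: five outages trip the fuse, a request is blocked, a later probe re-arms it."""
    clock = [0.0]                           # fake clock in seconds, advanced by hand
    fuse = DirectoryFuse(clock=lambda: clock[0])   # the page's typical values are the defaults
    def down(): raise SeriousError("timeout")
    log = [fuse.call(down) for _ in range(5)]   # the 5th serious error trips the fuse
    log.append(fuse.call(lambda: "user"))       # blocked: retry delay not elapsed
    clock[0] += 120
    log.append(fuse.call(lambda: "user"))       # probe succeeds: fuse reactivated
    return log, fuse.tripped_at is None
```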

Print clients

Do not use this directory: tick this box to prevent this directory from being used by Watchdoc Print Clients.

Validating the configuration

Click on the Create button to validate the configuration for your directory.