Watchdoc - Authenticating in a WES

Principle

Not all features presented in this chapter are compatible with all makes and models of printing device.
Please refer to the WES functionalities on the pages dedicated to each WES to find out which authentication modes are compatible.

When a printing device is managed by a WES, all its functions are locked. To access these functions, users must authenticate themselves.

Depending on brand compatibility, this can be done:

  • from the device panel;

  • or with a badge.


For some brands of device, the authentication interface displayed is not the WES Watchdoc, but the native interface of the printing device.

Some devices also allow anonymous access, without any authentication. 

Authentication from the device panel

Depending on the brand's compatibility and the settings, authentication using the panel is possible by entering:

  • a PUK code: the PUK code is between 6 and 10 digits long and works only with Active Directory or LDAP. It is generated automatically when Watchdoc is set up, depending on the configuration (in the directory configuration), and is made available to the user via the "Watchdoc - My account" page;

  • a PIN code (4 to 6 digits) and login: the relation between code and login has to be defined in a CSV file, an SQL table (made of 2 columns: CODE and LOGIN), or an Active Directory field (storing the CODE), for all users having credentials to copy and print;

  • a user account (Active Directory/LDAP/Microsoft Entra ID login and password). While this is a simple solution to deploy, it is rarely used because users tend to choose simplistic passwords, and typing errors on the virtual keyboard may increase calls to the helpdesk. If you choose this solution, we highly recommend that you use SSL for every communication between the server and the printing device.

    Doxense® recommendation:
    In most cases, we recommend PUK code authentication, as a flexible and easy-to-deploy solution. The main disadvantage of this mode is that your users will have to remember the code if they don’t have a badge.
    However, users are reminded of the code in the emails sent by the server to notify them that their document is held until they release it, and they can access the code from their 'Account' web page.
    On the other hand, we highly advise against using the login/password mode. It is often complicated to type in a good password on the virtual keyboard of an MFP. As a result, using this mode could waste everyone's time and give a poor user experience.

Card authentication

The printing device must be equipped with a compatible badge reader.

To authenticate, the user waves his badge in front of the reader. Each badge must have a unique code (read code). Check with your provider that there are no duplicates in the read codes.

A user will not be able to log in with his card if the card has not been explicitly registered in the system. In the same way, a card will continue to log the user in as long as it has not been explicitly revoked. When the badge is used for the first time, an enrolment stage is required:

  1. the user must wave their badge in front of the reader;

  2. enter an identifier on the device screen (depending on the settings):

    • either their PUK code (recommended);

    • or their account (Active Directory/LDAP/Microsoft Azure AD login and password).

Card authentication is the most efficient way for your users to log in. The user simply swipes his card and the device grants him access, provided his card number is already registered.
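The PIN code mapping (CODE and LOGIN columns) and the badge read-code uniqueness prerequisite described above can both be checked before deployment. The following is an added example, not Watchdoc code: the comma delimiter, the header row, case-insensitive comparison and the rule that one login maps to a single code are assumptions, and the sample data is constructed.

```python
import csv
import io
import re
from collections import Counter, defaultdict

PIN_RE = re.compile(r"[0-9]{4,6}")  # the page states a PIN is 4 to 6 digits


def check_pin_csv(text):
    """Validate a CODE,LOGIN mapping; return (line, problem), line 0 = whole file."""
    reader = csv.DictReader(io.StringIO(text))
    if not {"CODE", "LOGIN"} <= set(reader.fieldnames or []):
        return [(1, "header must contain CODE and LOGIN")]
    problems, codes_by_login = [], defaultdict(set)
    for row in reader:
        code = (row["CODE"] or "").strip()
        login = (row["LOGIN"] or "").strip().lower()  # assumed case-insensitive
        if not PIN_RE.fullmatch(code):
            problems.append((reader.line_num, "CODE is not 4 to 6 digits"))
        if not login:
            problems.append((reader.line_num, "LOGIN is empty"))
        else:
            codes_by_login[login].add(code)
    # Assumption: a login mapped to several codes makes the relation ambiguous.
    for login, codes in sorted(codes_by_login.items()):
        if len(codes) > 1:
            problems.append((0, f"{login} is mapped to {len(codes)} codes"))
    return problems


def duplicate_read_codes(read_codes):
    """Return read codes listed more than once (trimmed, upper-cased: assumed)."""
    counts = Counter(c.strip().upper() for c in read_codes if c.strip())
    return sorted(code for code, n in counts.items() if n > 1)


# Constructed sample data, not taken from a real deployment.
SAMPLE_CSV = """CODE,LOGIN
4821,adurand
73,bmartin
905512,cpetit
118200,CPETIT
6640,
"""
SAMPLE_BADGES = ["04A1B2C3", "04a1b2c3 ", "04D4E5F6", "04FFEE01"]

if __name__ == "__main__":
    print(check_pin_csv(SAMPLE_CSV))
    print(duplicate_read_codes(SAMPLE_BADGES))
```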

Combined modes

It is possible to use keypad authentication alone, badge authentication alone or a combination of the 2 modes, for example with the badge as the main authentication method and the PUK code if the user has forgotten their badge.

Gallery mode

This mode is compatible with the Sharp WES.

It allows users to select their accounts from a gallery, a list of accounts existing in the directory and displayed on the device screen.

Once his account is found, the user completes his authentication with a second authentication item.

If the user cannot find his account in the gallery, he can use a search engine. This tool allows him to find his account using a combination of predefined criteria (login, full name, email address and/or domain) in an exact or approximate search (3 characters minimum: "der" finds 'Derrick', 'Underwood' and 'Fielder').

 

Once they have found their account, they can authenticate themselves using their PIN code.

N.B.: in Gallery mode, authentication is performed using the user's PIN code. Make sure that users have a PIN code and that the ‘PIN code: users have a PIN code’ box is ticked in the directory configuration (see Configuring an LDAP directory or Configuring an SQL directory).

Anonymous access

The anonymous access is enabled.

Prerequisites: each badge must have a unique code (read code). Check with your provider that there are no duplicates in the read codes.