User Authentication Providers

Every print user must first register with Secure Release before they can print documents. Registration is required to establish the identity of users who submitted a print job. The Print Scout component is responsible for facilitating user registration.

Secure Release supports three authentication providers for user registration.

  • Email Authentication – Uses a familiar email-based account verification workflow. This is the default option.
  • Active Directory – This option is suitable for organizations that use Windows Active Directory (AD) for managing users. The Print Scout uses the user’s workstation ID to establish the identity of the user. This option does not require user registration, which means users can submit and release print jobs immediately.
  • OpenID Connect – This option uses token-based OpenID Connect technology to verify print user identity. This option is suitable for organizations that have an existing supported OpenID Connect Identity Provider (e.g., Azure AD, Google) and have well-governed and well-known badges for user access and identity.

Note: Changing authentication providers will clear all existing user registrations, meaning all existing users will need to register again. You'll also need the Site Encryption Key to switch authentication providers.

Email Authentication

With email-based authentication, users register with Pharos Secure Release by providing an email address. Secure Release then sends an email containing a unique link and verification code to the email address provided, allowing the user to validate ownership of the email account and complete their registration.

Users register their proximity card at a printer using their email address and PIN combination. After this initial setup, the user's ID card is all that's required to authenticate at a network device to release documents. If a user’s proximity card is lost, damaged, or forgotten, users can authenticate at a printer using their registered email address and PIN code.

For information on how to register an email address with Secure Release, refer to the Register email address to Pharos Secure Release topic.

Email domain whitelist

The Email domain whitelist section allows you to add the email domains that users are permitted to register with. Email domains that are not on the list are blocked. Users will see the message '"<domain>" is not allowed' when registering an email address from a domain that is not on the list. If you leave the list empty, Pharos Secure Release allows users to register from any domain. This is the default behavior.

Adding a domain to the whitelist

In the Email domain whitelist field, enter the domain that you want to whitelist and then click Add. You can add more than one email domain. Click Save for changes to take effect.

Deleting a domain from the whitelist

To delete a domain, select the domain you want to remove and then click the Delete selected button.

Note: If you delete a domain that users are already registered with, existing users will be able to use Secure Release as usual, but new users will only be allowed to register with domains in the whitelist.

Active Directory

This authentication option is suitable for organizations that use Windows Active Directory (AD) for managing users. With this option, users authenticate at secure printers using their network credentials.

If card registration is enabled (under Proximity Card Settings in the Secure > Settings screen), users can walk to any printer, swipe their card and enter their network ID. After this initial setup, a user's ID card is all that's required to authenticate at a printer to release documents.

OpenID Connect

Secure Release supports OpenID Connect for Single Sign-on (SSO). When a user prints a document for the first time, they are redirected to the authentication provider’s (Azure AD, Google, etc.) login page. Users log in to Secure Release using their credentials from the authentication provider configured in the system. Once logged in to their provider, users are automatically logged in to Secure Release.

Note: Secure Release supports the following authentication providers: Microsoft Azure AD, Google and PingFederate.

Prerequisite:

Before you can use OpenID Connect with Secure Release, you must first create and register an application for Secure Release in your OpenID provider. The OpenID provider assigns a unique Client ID/Application ID and Client Secret for the application after a successful registration. Record these values because you need them to configure Secure Release.

Before you Begin

Refer to the following documents to set up OpenID Connect as an authentication provider for Secure Release:

Configuring OpenID Connect

To configure an OpenID Connect authentication provider, follow these steps:

  1. Navigate to the Secure > Settings tab.
  2. In the User Authentication Providers section, select OpenID Connect.
  3. Enter the following details of the Secure Release application as provided by the OpenID authentication provider:
    • Well-Known Endpoint
    • Client ID
    • Client Secret
  4. Save the changes.
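
A check an administrator could run on the Well-Known Endpoint value before entering it in step 3, shown here as an added example that is not Pharos code. It applies the OpenID Connect Discovery 1.0 rules that the discovery document must carry the required metadata fields and that its issuer must equal the URL prefix it was served from; the idp.example.com URL and both documents are constructed sample data.

```python
import json
from urllib.parse import urlsplit

SUFFIX = "/.well-known/openid-configuration"
# Metadata fields that OpenID Connect Discovery 1.0 marks as REQUIRED.
REQUIRED = ("issuer", "authorization_endpoint", "jwks_uri",
            "response_types_supported", "subject_types_supported",
            "id_token_signing_alg_values_supported")

def check_discovery(well_known_url, document_text):
    """Return a list of problems; an empty list means every check passed."""
    problems = []
    if urlsplit(well_known_url).scheme != "https":
        problems.append("well-known endpoint is not https")
    has_suffix = well_known_url.endswith(SUFFIX)
    if not has_suffix:
        problems.append("URL does not end with " + SUFFIX)
    try:
        doc = json.loads(document_text)
    except ValueError:
        return problems + ["response is not valid JSON"]
    if not isinstance(doc, dict):
        return problems + ["response is not a JSON object"]
    problems += ["missing required field: " + f for f in REQUIRED if f not in doc]
    # The issuer must be exactly the URL prefix the document was served from;
    # otherwise the metadata describes a different identity provider.
    expected_issuer = well_known_url[:-len(SUFFIX)] if has_suffix else None
    if "issuer" in doc and doc["issuer"] != expected_issuer:
        problems.append("issuer does not match the well-known URL")
    for field in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        value = doc.get(field)
        if value is not None and urlsplit(str(value)).scheme != "https":
            problems.append(field + " is not https")
    return problems

# Constructed sample data: idp.example.com is a placeholder, not a real provider.
BASE = "https://idp.example.com/tenant1"
URL = BASE + SUFFIX
SAMPLE = {"issuer": BASE, "authorization_endpoint": BASE + "/authorize",
          "token_endpoint": BASE + "/token", "jwks_uri": BASE + "/keys",
          "response_types_supported": ["code"],
          "subject_types_supported": ["public"],
          "id_token_signing_alg_values_supported": ["RS256"]}
GOOD = json.dumps(SAMPLE)
# Same document with an issuer for another tenant and a cleartext key URL.
BAD = json.dumps({**SAMPLE, "issuer": "https://idp.example.com/other",
                  "jwks_uri": "http://idp.example.com/tenant1/keys"})

if __name__ == "__main__":
    print(check_discovery(URL, GOOD))
    print(check_discovery(URL, BAD))
```
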

For information on how to authenticate with your OpenID Connect credentials, refer to the Register Secure Release using your OpenID Connect Credentials topic.
