Configure Smart Card Authentication Settings
- Product support for
- VersaLink B620 Printer
- Article ID
- KB0117930
- Published
- 2023-09-05
When the Smart Card Authentication feature is configured, users swipe a preprogrammed identification card at the control panel.
Before you configure the Smart Card Authentication feature, purchase and install a smart card reader system.
The Login Methods page in the Embedded Web Server provides links to authentication and personalization configuration settings.
In the Embedded Web Server, click Properties > Login/ Permissions/ Accounting > Login Methods.
Set the login method to Smart Cards.
For Smart Card Type, select one of the following:
All Supported Smart Cards
CAC & PIV Cards
IDPrime MD Cards
To customize the supported smart card list, click Customize Supported Smart Card List, then click Download in the Customize Supported Smart Card List window. The supported smart card list package is downloaded.
In the Configuration Settings table, configure the options for Smart Card Authentication:
To provide information about your domain controller servers, and to configure domain controller and NTP settings, for Domain Controllers, click Edit.
To configure certificate validation options and to provide information about your OCSP server, for Certificate Validation, click Edit.
To configure the inactive time limit, for Smart Card Inactivity Timer, click Edit.
If needed, specify the method that the printer uses to acquire the email address of users. For Acquiring Logged in User's Email Address, click Edit.
To display your company logo on the blocking screen, for Import Customer Logo, click Edit.
If you selected an alternate login method that requires a network authentication server, provide information about your server. For Authentication Servers, click Edit.
To allow personalization for logged-in users, for Personalization, click Edit.
To view or delete a personalization profile for a user, for Personalization Profiles, click Edit.
To provide information about your LDAP server for personalization, for LDAP Servers, click Edit.
To enable or disable the logout prompt at the local user interface, for Log Out Confirmation, click Edit.
To enable and configure an EIP authentication app, for EIP Authentication, click Edit.
To enable and configure a Single Sign On Identity Provider app, for Single Sign On Identity Provider, click Edit.
To control whether the printer canonicalizes host names through DNS before it requests Kerberos tickets, for Kerberos Setup, click Edit. To enable or disable the Use DNS Canonicalize Hostname option, click the toggle button in the Kerberos Settings window, then click OK.
To allow a USB reset to be triggered from the control panel, for USB Reset Policy, click Edit. To enable or disable the Allow the USB reset from the Touch Control Panel option, click the toggle button in the USB Reset Policy window, then click OK.
Setting Up Authentication for a Smart Card System
Domain Controller
On the Login Methods page, for Domain Controllers, click Edit. Users cannot access the device until the domain controller validates the smart card domain certificate.
Click Add Domain Controller.
If you are using a Windows-based domain controller, for Domain Controller Type, select Windows-Based Domain Controller.
Type the domain controller server address information.
To apply the new settings, click Save. To return to the previous page, click Cancel.
Note: Before you access the device, ensure that the domain controller server has validated the domain certificate on the smart card.
To change the search priority of the domain controllers, click Change Domain Priority.
To change the priority of the server, select a server in the list. To move the selected server up or down in the priority list, click the arrows.
Click Close.
To ensure that the printer and the domain controller are synchronized, enable and configure NTP settings:
For NTP, click Edit.
Configure the device to synchronize its clock with the NTP server that the domain controller uses, so that the two clocks stay within the domain's allowed skew. Kerberos rejects authentication requests when the printer's clock differs from the domain controller's by more than that tolerance (5 minutes by default in a Windows domain), so a drifted printer clock causes smart card logon to fail even when every certificate is valid.
Note: To ensure time synchronization, Xerox recommends that you enable NTP.
To return to the Login Methods page, click Close.
To associate an LDAP server with your Domain Controller for authorization or personalization, under LDAP Server Mapping, click Add LDAP Mapping.
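The following is an added example, not code from this Xerox article and not a command the printer provides: a small Python SNTP client that an administrator runs from a workstation against the time source entered under NTP (normally the domain controller) to confirm that the server answers, that it reports itself as synchronized, and how far its clock is from the workstation's. The host name dc01.corp.example is a placeholder, and the 300-second limit is the Windows domain default for Kerberos clock skew; adjust both for your environment. The offline self-check uses a constructed reply packet, not traffic captured from a real server.

```python
"""SNTP clock-skew check for a smart card / Kerberos deployment (added example)."""
import socket
import struct
import time

NTP_UNIX_DELTA = 2208988800   # seconds between the NTP epoch (1900) and the Unix epoch (1970)
KERBEROS_MAX_SKEW = 300.0     # assumed: default Windows domain tolerance, in seconds
NTP_PORT = 123


def _to_ntp(unix_time: float) -> bytes:
    """Encode a Unix timestamp as a 64-bit NTP timestamp (32-bit seconds, 32-bit fraction)."""
    ntp = unix_time + NTP_UNIX_DELTA
    secs = int(ntp)
    frac = int(round((ntp - secs) * (1 << 32)))
    if frac == 1 << 32:        # rounding carried into the seconds field
        secs, frac = secs + 1, 0
    return struct.pack("!II", secs & 0xFFFFFFFF, frac)


def _from_ntp(raw: bytes) -> float:
    """Decode a 64-bit NTP timestamp back to Unix seconds."""
    secs, frac = struct.unpack("!II", raw)
    return secs - NTP_UNIX_DELTA + frac / (1 << 32)


def build_request(t1: float) -> bytes:
    """48-byte SNTP client request: LI=0, version 4, mode 3, t1 in the transmit field."""
    return struct.pack("!B", (0 << 6) | (4 << 3) | 3) + b"\x00" * 39 + _to_ntp(t1)


def parse_reply(data: bytes, t1: float, t4: float) -> dict:
    """Compute clock offset and round-trip delay from a server reply (RFC 4330 formulas).

    t1 is when the client sent the request and t4 when it received the reply,
    both in Unix seconds on the client's clock.
    """
    if len(data) < 48:
        raise ValueError("short NTP packet")
    li, mode, stratum = data[0] >> 6, data[0] & 0x07, data[1]
    if mode != 4:
        raise ValueError("not a server reply (mode %d)" % mode)
    if li == 3 or stratum == 0:
        # The server itself is unsynchronized; its answer says nothing about true time.
        raise ValueError("server clock not synchronized (LI=%d, stratum=%d)" % (li, stratum))
    t2 = _from_ntp(data[32:40])   # server receive timestamp
    t3 = _from_ntp(data[40:48])   # server transmit timestamp
    offset = ((t2 - t1) + (t3 - t4)) / 2   # how far the server's clock is ahead of ours
    delay = (t4 - t1) - (t3 - t2)          # network round trip, excluding server processing
    return {"offset": offset, "delay": delay, "stratum": stratum,
            "within_kerberos_skew": abs(offset) <= KERBEROS_MAX_SKEW}


def query(server: str, timeout: float = 3.0) -> dict:
    """Send one request to an NTP server and evaluate its reply (needs network access)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        t1 = time.time()
        s.sendto(build_request(t1), (server, NTP_PORT))
        data, _ = s.recvfrom(512)
        t4 = time.time()
    return parse_reply(data, t1, t4)


def make_reply(t1: float, t2: float, t3: float, stratum: int = 2, li: int = 0) -> bytes:
    """Constructed server reply for offline testing (not captured from a real server)."""
    header = struct.pack("!BBBb", (li << 6) | (4 << 3) | 4, stratum, 6, -20)
    # root delay, root dispersion, reference id (12 zero bytes), then the four timestamps
    return header + b"\x00" * 12 + _to_ntp(t2) + _to_ntp(t1) + _to_ntp(t2) + _to_ntp(t3)


if __name__ == "__main__":
    # Offline self-check: a constructed exchange in which the server runs 120 s ahead.
    t1 = 1_700_000_000.0
    reply = make_reply(t1, t2=t1 + 120.1, t3=t1 + 120.11)
    print(parse_reply(reply, t1, t4=t1 + 0.2))
    # Live check against the assumed domain controller name (uncomment on a networked host):
    # print(query("dc01.corp.example"))
```

If within_kerberos_skew comes back False, fix the time source before troubleshooting certificates or OCSP: the printer will take the same offset from the same server, and the domain controller will refuse its Kerberos requests regardless of the smart card configuration. An offset near zero here only shows that the workstation and the server agree; the printer's own clock is still set from the NTP entry on the Domain Controllers page.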
Configuring OCSP Validation Server Settings
If you have an OCSP server, or an OCSP certificate validation service, you can configure the printer to validate certificates installed on the domain controller.
Before you begin:
Add a domain controller.
On the Login Methods page, next to Certificate Validation, click Edit.
Select a validation method and click Next.
On the Required Settings page, type the URL of the OCSP server.
To ensure that the printer can communicate with the OCSP server and the domain controller, configure your proxy server settings as needed.
For each domain controller listed, under Domain Controller Certificate, select the corresponding domain controller certificate from the menu. If there are no certificates installed, click Install Missing Certificate.
Click Save.
Setting the Inactive Time Limit
On the Login Methods page, next to Smart Card Inactivity Timer, click Edit.
Specify the maximum time, in minutes, that a session can remain idle before the user is logged out automatically. Keep this short: an unattended session on the control panel gives anyone at the device the logged-in user's permissions until the timer expires.
Click Save.
Single Sign On Identity Provider
A Single Sign On Identity Provider is a user authentication service that lets users access multiple applications with a single set of credentials. The service authenticates the user once and vouches for them to the applications they have been granted access to, so they are not prompted for a password again by each application within the same session and do not need a separate password for each.
The system administrator uses the Single Sign On Identity Provider window to configure the printer to use AD FS as an Identity Provider (IdP), which allows the apps to support Single Sign On (SSO) workflows.
To configure the Single Sign On Identity Provider app:
To enable or disable Single Sign On Identity Provider, click the toggle button.
In the Setup area, perform the following:
Enter the complete path of the AD FS endpoint. The printer uses this path to communicate with AD FS.
To validate the AD FS Server Certificate, click the toggle button for Enable. To view the content of the device certificates, click on View Xerox Device Certificates.
In SAML Token Access Code, enter the code that you received during the installation.
Note: The SAML Token Access Code must be between 14 and 64 characters long. If you enter a code outside that range and click OK, the SAML Token Access Code Failed window displays the error message "The number of characters entered is outside of the approved range. 14 - 64 characters".
To save the settings, click OK.
Note: If one or more required fields are left empty and you click OK, the Required Entry Required window displays the error message "One or more required fields have not been entered. Enter the required data and select 'OK'".
Disabling the Logout Confirmation Prompt
On the Login Methods page, for Log Out Confirmation, click Edit.
To disable the log out confirmation prompt on the device control panel, select Yes.
Click Save.
Configuring the USB Card Reader Disconnection Policy
You can configure the device to display a message when it detects that a USB card reader is disconnected.
In the Embedded Web Server, click Login/Permissions/Accounting > Login Methods.
For Card Reader Setup, click Edit, then select the Detection Policy tab.
Note: If no updatable card reader is detected, the Firmware Update and Detection Policy tabs are not displayed.
For Prevent use of device when USB Card Reader is disconnected, click the check box.
Click Save.
Specifying the Method the Printer Uses to Acquire Email Address of Users
On the Login Methods page, next to Acquired Logged-in User's Email Address, click Edit.
Under Acquire logged-in user's email address from, select an option:
Auto instructs the printer to attempt to acquire the email address of the user from the Smart Card. If an email address is not associated with the Smart Card, the printer searches the Network Address Book. If an email address is still not found, the printer uses the email address specified in the From Field, which is the device-wide sender address, so scans sent by that user are not attributable to the user by their From address. Edit From Field settings on the Required Settings tab of the Email Setup page.
Only Smart Card instructs the printer to acquire the email address of the user from the Smart Card.
Only Network Address Book (LDAP) instructs the printer to search the Network Address Book to acquire the email address of the user.
To configure LDAP server settings, under Server Configuration, next to Network Address Book (LDAP), click Edit.
To enable or disable Personalization, under Feature Enablement, next to Acquire Email from Network Address Book, click Enable Personalization or Disable Personalization.
Click Save.