Blueprint Print Center Email and Pin

NOTE: Read the following carefully to help you decide if you want to use the email and PIN authentication feature described in this document.

Card Registration: The email and PIN authentication feature is not recommended for card registration. We recommend using an authentication script that will interface directly with your card system (to match card IDs to network IDs), so that card registration is not necessary. This setup is straightforward because you do not have to maintain employee card IDs in the Blueprint database. All you need to do is to provide Pharos with details of your card system so that we can provide you with an authentication script. You should only use email and PIN for card registration when Blueprint cannot interface with your existing card system.

Print Center: We strongly discourage logging on to the Print Center via email address and PIN because this presents a considerable security weakness in the Print Center. For example, unauthorized users may be able to gain administrative access to the Print Center. The recommended solution for logging on to Print Center is for Blueprint to interface with your organization’s Single Sign-On (SSO) system. You’ll need to provide Pharos with details of your SSO identity provider so we can craft a script for your organization.

What is Email and PIN Authentication?

Blueprint Enterprise supports a wide range of authentication models, including username/password (for example, LDAP, Active Directory), and card-based systems as well.

Email and PIN authentication is intended for use by sites where employees do not use passwords to authenticate users (e.g. Users log onto their PCs by inserting a smart card into a reader). Email and PIN allows these employees to authenticate themselves at network terminals (iMFPs, Omegas, etc.) or Print Center using their email address and PIN.

In this configuration, you’ll need to prepopulate employees’ email addresses and network IDs to the Blueprint Database. Blueprint creates and sends a PIN code to the user's associated email address. There are two ways in which Blueprint generates a PIN code:

• When an employee prints a document for the first time, Blueprint automatically generates a PIN code and sends the code to the email address associated with the employee’s user ID.

• An employee can create a PIN from the Print Center logon screen. This is useful in cases where employees access the Pharos Print Center before submitting a print job or when an employee has forgotten their PIN.

The key point of the email and PIN authentication feature is that it is excellent for environments which do not use passwords for authentication, for example, organizations that use smart cards to log into their workstations.

If a user’s card ID is known to Blueprint, the user's ID card is all that's required to authenticate at a network device to release documents. If an employee ID card is lost, damaged, or forgotten, the email address and PIN can be used to authenticate at network terminals or Print Center.

Important Notes:

• This document applies to Blueprint Enterprise 5.3 Update 7 or later.

• When the email and PIN authentication feature is enabled, authentication via Active Directory Services (network ID and password) is not available. To log in as an administrator, you'll need to log in with your network ID and PIN code. Refer to the "Logging in to Print Center with administrative rights" section of this document.

• The upgrade does not copy over previous Email and PIN settings to Update 7. Administrators will need to reconfigure Email and PIN using the new PIN tab in the Print Center.

• If using Email and PIN, admins or users will not be able to log onto the Print Center if the MSSQL Server cannot be contacted (that's where the PIN codes are kept). Blueprint checks the PIN in the database to log users onto the Print Center.

User Workflows

The following illustrates the typical user workflows for using email and PIN authentication.

First-time use (Automatic PIN Code generation)

1. The user submits a document to print for the first time (e.g. print to secure queue, print to Print Scout Secure Release, or MobilePrint).

2. Blueprint sends a PIN code to the email address that correlates to the user’s network ID.

3. The user releases documents by entering their email address and PIN at network terminals (e.g. iMFPs, Omega) or Print Center.

Creating a PIN code from the Print Center

Users can generate PIN codes from the Print Center logon screen.

1. The user clicks the PIN Management button from the Print Center logon screen.

   

2. The user enters an email address and network logon ID.

   

3. The user receives an email containing a PIN that correlates to the network ID. This PIN is used for authentication at network terminals to release print jobs or to log on to the Print Center. The PIN code is an alternative to a password.

   

Logging in to the Print Center using an email address and PIN

Users enter their email address and their PIN code (in place of password) to log in to Print Center.

Logging in to the Print Center with administrative rights

When the Email and PIN feature is enabled, a user with administrative rights can log in to Print Center using their Network ID and PIN code. Email address and PIN code combination are not supported for administrative users.

1. In the Dashboard > Logons context in Blueprint Administrator, add a logon user (with the relevant logon roles).

2. Navigate to the Employees > Employeescontext in Blueprint Administrator.

   1. Add an employee record using for the same network ID used when creating the logon user in Step 1. Make sure that the ID type is Employee.

   2. Make sure that the employee record has two identifiers (Network ID and email address). You can add identifiers via HR import or manually.

3. Send a print job or click the PIN Management button on the Print Center login screen. This will send a PIN code to the entered email address.

4. Log in to the Print Center using your Network ID and the PIN code received via email.

Registering a New Card

1. The user walks up to any iMFP, and the user swipes their card.

2. The user is prompted to enter their Network ID and Password.

3. The user enters email address in place of Network ID and PIN code in place of password.

4. If the email and PIN match, the card is registered to the user. The card registration is complete.

5. The user can release subsequent print jobs using the registered card.

Releasing documents from iMFPs

With existing registered card

1. The user walks up to an iMFP.

2. The user swipes their card.

3. The user selects and releases documents.

No Card/Forgotten Card

1. The user walks up to an iMFP.

2. The user enters their email address and PIN code when prompted.

3. The user selects and releases documents.

Configuring Email and PIN

Before you Begin

• For email and PIN authentication to work correctly, employee records must have the following details in Blueprint Administrator:

  • ID

  • Full Name

  • Email Address

• Each employee record requires two identifier data – network ID and email address. You’ll need to prepopulate the Blueprint Database with this information. You can use the File Importer in Blueprint Administrator to import identifier data for employee records. For more details on the standard HR import file format, refer to the “Blueprint Configuration Guide” in the Pharos Community.

Step 1: Configure Email Server Settings

For employees to receive emails with PIN codes, you’ll need to configure the SMTP server settings in the Servers > Settings screen of Blueprint Administrator (if not already set up for Scheduled Reports or other email notifications).

Step 2: Enable Email and PIN Authentication in the Print Center

1. Log into Print Center.

2. Navigate to the Secure > PIN tab.

3. Toggle on the Enable PIN switch.

Configure the following settings if required or you can leave the default values.

Step 3: Set the Authentication Method used by the Network Terminals to PIN Email Authentication (as required)

To allow users to logon with email and PIN on Network Terminals, a new authentication method called PIN Email Authentication has been added to the Device Management > Authentication Methods context in Blueprint Administrator.

You'll need to associate the Authentication Method to your terminals (SE50s, Omegas, etc) in the Device Management > Terminals context of Blueprint Administrator.

Alternatively, you can set the Authentication Method to PIN Email Authentication in the Secure Release Here > Default Settings context of Blueprint Administrator. When you create a terminal, the PIN and Email authentication will be automatically applied to newly created managed devices.

Note: When configuring Email and PIN, we highly recommend using the Pin Email Authentication method only. The Email and PIN feature does not support having a mix of terminals using different authentication methods.

Step 4: Restart required services on all servers

On the Blueprint Analyst:

1. Restart the Pharos Systems TaskMaster Service. This enables the Directory Service to pick up the new value for AllowCreatePin.

2. Restart IIS. This enables the Pharos API to pick up the AllowCreatePin setting.

On each Blueprint Collector, do the following:

1. Click Clear Replicated Data.

2. Restart Pharos Systems TaskMaster Services

3. Restart IIS.

Disabling the Email and PIN authentication feature

1. Login to Print Center using the email address and PIN code combination.

2. In the Secure > PIN tab, toggle off the Enable PIN switch.

On the Blueprint Analyst

1. Restart the Pharos Systems TaskMaster Service. This enables the Directory Service to pick up the new value for AllowCreatePin.

2. Restart IIS. This enables the Pharos API to pick up the AllowCreatePin setting.

On each Blueprint Collector, do the following:

1. Click Clear Replicated Data.

2. Restart Pharos Systems TaskMaster Service.

3. Restart IIS.