Canon imageRUNNER ADVANCE systems also ship with SSO-H, which supports direct
authentication against an Active Directory domain using Kerberos or NTLMv2 as the
authentication protocol. SSO-H does not require any additional software to perform the
user authentication as it is able to directly communicate with the Active Directory domain
controllers. In Local Device Authentication mode, SSO-H can support up to 5,000 users.
Card-Based Authentication
uniFLOW Card Authentication
When combined with the optional uniFLOW Output Manager Suite, imageRUNNER ADVANCE
systems are able to securely authenticate users through contactless cards, chip cards,
magnetic cards and PIN codes. uniFLOW supports HID Prox, MIFARE, Legic, Hitag and Magnetic
cards natively using its own reader, as well as others through custom integrations. Certain
models of RF Ideas Card Readers can also be integrated to support authentication using
radio-frequency identification (RFID) cards.
Advanced Authentication—Proximity Card
Using a MEAP application, imageRUNNER ADVANCE systems can be customized to
automatically perform user authentication with contactless cards typically used in corporate
environments. User data can be stored locally in a secure table to eliminate the need for an
external server, or integrated with an existing authentication server through customization.
Support is provided for cards from HID Prox, HID iClass, Casi-Rusco, MIFARE and AWID.
Customization can also be performed to provide support for other card types.
Authorized Send for CAC/PIV
To fulfill the strict security requirements of government agencies as dictated by Homeland
Security Presidential Directive-12 (HSPD-12), imageRUNNER ADVANCE systems support the use
of Common Access Card (CAC) and/or Personal Identity Verification (PIV) card authentication
for the embedded Authorized Send MEAP application. Authorized Send for CAC/PIV is a
server-less application that protects the Scan-to-Email, Scan-to-Network Folder and
Scan-to-Network Fax functions, while allowing general use of walk-up operations like print
and copy.
Authorized Send for CAC/PIV supports two-factor authentication by prompting users to insert
their card into the device’s card reader and requiring them to enter their PIN. ASEND for
CAC/PIV supports the Online Certificate Status Protocol (OCSP) to check the revocation status
of the user’s card, and then authenticates the user against the Public Key Infrastructure (PKI)
and Active Directory. Once authenticated, users can access the document distribution features
of Authorized Send.
Authorized Send for CAC/PIV supports enhanced e-mail security features such as
non-repudiation, digital signing of e-mail, and encryption of e-mail and file attachments.
The cryptographic engine used by Authorized Send for CAC/PIV is based on the industry
leading RSA BSAFE security software and has undergone the stringent testing and validation
requirements of the FIPS 140 standard.
Control Cards/Card Reader System
Canon imageRUNNER ADVANCE systems offer support for an optional Control Card/Card Reader
system for device access and to manage usage. The Control Card/Card Reader system option
requires the use of intelligent cards that must be inserted in the system before granting access
to functions, which automates the process of Department ID authentication. The optional
Control Card/Card Reader system manages populations of up to 300 departments or users.
White Paper: Canon imageRUNNER ADVANCE Security
Section 2 — Device Security