Section 2 — Device Security
When used in Domain Authentication mode, a user must successfully authenticate using valid credentials
on the system's control panel, Remote UI utility, or web browser when accessed via a network prior to
gaining access to any of the device functions.
SSO ships standard with MEAP capable imageRUNNER ADVANCE systems and can support up to 200
trusted domains plus the users that belong to the same domain as the device.
Canon imageRUNNER ADVANCE systems also ship with SSO-H, which supports direct
authentication against an Active Directory domain using Kerberos or NTLMv2 as the
authentication protocol. SSO-H does not require any additional software to perform the user
authentication as it is able to directly communicate with the Active Directory domain controllers.
In Local Device Authentication mode, SSO-H can support up to 5,000 users.
uniFLOW Card Authentication
When combined with the optional uniFLOW Output Manager Suite, imageRUNNER ADVANCE
systems are able to securely authenticate users through contactless cards, chip cards, magnetic
cards and PIN codes. uniFLOW supports HID Prox, MIFARE, Legic, Hitag and Magnetic cards
natively using its own reader, as well as others through custom integrations. Certain models of RF
Ideas Card Readers can also be integrated to support authentication using radio-frequency
identification (RFID) cards.
Advanced Authentication—Proximity Card
Using a MEAP application, imageRUNNER ADVANCE systems can be customized to
automatically perform user authentication with contactless cards typically used in corporate
environments. User data can be stored locally in a secure table to eliminate the need for an
external server, or integrated with an existing authentication server through customization.
Support is provided for cards from HID Prox, HID iClass, Casi-Rusco, MIFARE and AWID.
Customization can also be performed to provide support for other card types.
Advanced Authentication—Common Access Card (CAC)/Personal Identity Verification
Federal agencies—both civilian and military (DoD)—require enhanced user authentication, data
security, and information assurance to help comply with the requirements of the Homeland
Security Presidential Directive 12 (HSPD-12). Employees must verify their identity and security
classifications using secure and reliable forms of identification, such as Common Access Card
(CAC) and Personal Identity Verification (PIV). And with networked multifunction printers
(MFPs) being deployed on a greater scale in these locations, Canon developed Advanced
Authentication CAC/PIV—an easy-to-use, two-factor embedded authentication solution to lock
and unlock Canon devices. This serverless solution ensures that all device functions are locked
down until users insert their government-issued Common Access Card/Personal Identity
Verification into the card reader and enter their PIN. Only those authenticated individuals are
granted access to the device.
Authorized Send Common Access Card (CAC)/Personal Identity Verification (PIV) Card
To fulfill the strict security requirements of government agencies as dictated by Homeland
Security Presidential Directive-12 (HSPD-12), imageRUNNER ADVANCE systems support the
use of Common Access Card (CAC) and/or Personal Identity Verification (PIV) card
authentication for the embedded Authorized Send MEAP application. Authorized Send for
CAC/PIV is a server-less application that protects the Scan-to-Email, Scan-to-Network Folder and
Scan-to-Network Fax functions, while allowing general use of walk-up operations like print and
White Paper: Canon imageRUNNER ADVANCE Security