Setup OpenID Connect (OIDC) Authentication Profile

  1. Click [System][Security][Authentication Profile].

  2. Click [Add].

  3. Select [OpenID Connect] from the [Type] menu on the [General] tab.

  4. Enter the name of the authentication profile. The name will be displayed on the login screen when an administrator or a user logs in to the Admin Tool or the MFP.

  5. Enter the OIDC server information on the [OpenID Connect] tab. Click [Save] to create the profile once you've completed all required fields.

    If the user name sent with a print job does not match between Entra ID and the OIDC authentication profile, follow the steps in Resolving Usernames for OIDC Profiles.

    Item

    Description

    Authorization Endpoint

    Enter the URL of the authorization endpoint.

    Token Endpoint

    Enter the URL of the token endpoint.

    JWKS URI

    Enter the URL of the JSON Web Key Set.

    Issuer

    Enter the URL of the issuer.

    Client ID

    Enter the Client ID.

    Client Secret

    Click [Change Password] and enter the Client secret.

    Scope

    Enter the space-delimited scope values. These values are required for OIDC login. A Scope of one resource and one delivery destination is required.

    Scope Extensions

    Login User Name

    Enter the attribute to identify the login user name.

    If you use the document delivery function with a user name and password, be sure to set a user name attribute that can be used for delivery as [Login User Name].

    The user name shown in the job log, job queue, and job history for scan jobs of OIDC login users follows this setting.

    If you created a new claim in Entra ID to transform the user name, enter the claim name here. Refer to Resolving Usernames for OIDC Profiles for details.

    Display Name

    Enter the display name.

    Email Address

    Enter the attribute of the e-mail address of the user.

    Fax Destination

    Enter the attribute of the fax destination.

    Group

    Enter the attribute of the group name.

    Home Folder

    Enter the attribute of the user home folder.

    Card ID

    Enter the attribute of the card ID.

    Department

    Enter the attribute of the department.

    The cost of scan jobs of OIDC login users is counted according to this setting.

    Get User Information From External LDAP

    Select whether to specify the information about an external LDAP server.

    Server Name*

    Enter the LDAP server name.

    Port*

    Enter the port number.

    The default is 389.

    The port number is automatically changed from 389 to 636 when the SSL setting is enabled.

    SSL*

    Specify whether to enable or disable SSL.

    Domain*

    Enter the domain name of the LDAP server.

    Active Directory*

    Specify whether or not to enable Active Directory.

    When Active Directory is enabled, enter the following items:

    • [Domain]: Type the full domain name

    • [Alt UPN Suffix]: Enter the alternate UPN suffix. This appends the suffix to the username.

      Input example: mycompany.com

    Alt UPN Suffix*

    Enter the alternate UPN suffix.

    Input example: mycompany.com

    Base DN*

    Enter the start point for searching for an account name. Starting from the base DN, the search is performed toward the end of the branches.

    Example: ou=member,dc=mycompany,dc=com

    Search Scope*

    Specify the search range from the base DN.

    Search Condition*

    Enter the search condition. The following string is set as the default value:

    (&(objectClass=organizationalPerson)(sAMAccountName=^))

    Prefix*

    Enter the prefix of the LDAP search filter.

    Suffix*

    Enter the suffix of the LDAP search filter.

    Anonymous Bind*

    Select this option to bind to the LDAP server anonymously instead of with [Proxy User Name] and [Proxy User Password].

    When this option is selected, you cannot specify [Proxy User Name] and [Proxy User Password].

    Proxy User Name

    Enter the proxy user name.

    Proxy User Password*

    Click the [Change Password] button, and then enter the password of the proxy user.

    Enable DNS Round Robin*

    Specify whether to enable the DNS round robin function.

    The DNS round robin function assigns multiple IP addresses to a single domain name and disperses the connection workload among multiple servers.

    Timeout*

    Specify the LDAP operation timeout.

    The default is 5 seconds.

    [Test Connection] button*

    Check whether a connection can be established to the Directory Broker Service.

    When [Anonymous Bind] is selected, specify whether to use Anonymous Bind for connection.

    To specify [User Name], select [Use Anonymous Bind].

    To specify [User Name] and [User Password], do not select [Use Anonymous Bind].

    User Certificate*

    Specify the attribute to be used to log in to the LDAP server.

    The default is userCertificate;binary.

    * Available only when [Get User Information From External LDAP] is selected.
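As an added example (not part of the original documentation), how the LDAP items above fit together when a login user name is resolved: the `^` in [Search Condition] is taken to be the placeholder for the login user name (assumed from the default value shown), [Prefix] and [Suffix] are assumed to wrap the resulting filter, and [Alt UPN Suffix] is appended to a bare user name as the table states. The user-supplied name is escaped per RFC 4515 before substitution so that characters such as `*`, `(` and `)` in a login name cannot change the meaning of the search; all profile values are constructed.

```python
# Constructed profile values; the search condition is the default from the table.
LDAP_PROFILE = {
    "base_dn": "ou=member,dc=mycompany,dc=com",                              # [Base DN]
    "search_condition": "(&(objectClass=organizationalPerson)(sAMAccountName=^))",  # [Search Condition]
    "prefix": "", "suffix": "",                                              # [Prefix], [Suffix] (assumed to wrap the filter)
    "alt_upn_suffix": "mycompany.com",                                       # [Alt UPN Suffix]
}

def escape_filter_value(value):
    """Escape a value before it is inserted into an LDAP search filter (RFC 4515).
    Special characters become \\xx hex escapes; non-ASCII is escaped byte-wise."""
    out = []
    for ch in value:
        if ch in "\\*()\0":
            out.append("\\%02x" % ord(ch))
        elif ord(ch) > 127:
            out.extend("\\%02x" % b for b in ch.encode("utf-8"))
        else:
            out.append(ch)
    return "".join(out)

def apply_alt_upn_suffix(login_name, alt_upn_suffix):
    """Append [Alt UPN Suffix] to a bare user name. Assumption: a name that
    already carries a UPN suffix ("user@domain") is left unchanged."""
    if alt_upn_suffix and "@" not in login_name:
        return f"{login_name}@{alt_upn_suffix}"
    return login_name

def build_search(login_name, profile):
    """Return (base DN, filter) for the user lookup: '^' in [Search Condition]
    is replaced by the escaped login name, then [Prefix]/[Suffix] are added."""
    filt = profile["search_condition"].replace("^", escape_filter_value(login_name))
    return profile["base_dn"], profile["prefix"] + filt + profile["suffix"]
```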

To check that the created authentication profile can connect, click the (Check Connection) button. You will be asked for a user name and password; these credentials are used to connect to the external authentication server. If the check fails, review your entries on the [OpenID Connect] tab and try again.
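As an added illustration (not code from the original documentation or the product), the check an MFP performs with the [Issuer], [Client ID], [JWKS URI] and [Login User Name] settings above, written in Python: the ID token's signing key is selected from the JWKS by `kid`, the signature, `iss`, `aud` and `exp` are verified, and the claims named in the profile are mapped to the user record. The profile values, key and claims are constructed, and a symmetric HS256 key is assumed so the example runs offline; Entra ID publishes RSA keys and signs with RS256, so a real implementation verifies RS256 against the key fetched from the JWKS URI.

```python
import base64, hashlib, hmac, json

# Constructed values standing in for the [OpenID Connect] tab settings.
PROFILE = {"issuer": "https://login.example.com/v2.0",  # [Issuer]
           "client_id": "mfp-client-id",                # [Client ID], expected in "aud"
           "login_user_name": "preferred_username",     # [Login User Name] claim
           "email": "email", "group": "groups", "department": "department"}
SHARED_SECRET = b"constructed-shared-secret"  # assumption: symmetric HS256 key, offline only

def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

# Constructed JWKS, shaped like the document served at the [JWKS URI]
# (kty "oct" keeps it offline; Entra ID serves "RSA" keys with alg RS256).
JWKS = {"keys": [{"kty": "oct", "kid": "k1", "alg": "HS256", "k": b64url_encode(SHARED_SECRET)}]}

def sign_hs256(header, claims, key):
    """Produce a signed JWT; used here only to construct a test ID token."""
    signing_input = b64url_encode(json.dumps(header).encode()) + "." + b64url_encode(json.dumps(claims).encode())
    return signing_input + "." + b64url_encode(hmac.new(key, signing_input.encode(), hashlib.sha256).digest())

def validate_id_token(token, profile, jwks, now):
    """Verify signature, iss, aud and exp, then map the configured claims to the user record."""
    h64, p64, s64 = token.split(".")
    header = json.loads(b64url_decode(h64))
    # Select the key by kid and insist that the token's alg matches the key's alg.
    key = next((k for k in jwks["keys"] if k.get("kid") == header.get("kid")), None)
    if key is None or (key.get("kty"), key.get("alg"), header.get("alg")) != ("oct", "HS256", "HS256"):
        raise ValueError("no usable signing key for kid/alg")
    expected = hmac.new(b64url_decode(key["k"]), f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s64)):
        raise ValueError("signature mismatch")
    claims = json.loads(b64url_decode(p64))
    if claims.get("iss") != profile["issuer"]:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    if profile["client_id"] not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("audience mismatch")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("token expired or has no exp")
    user = {f: claims.get(profile[f]) for f in ("login_user_name", "email", "group", "department")}
    if not user["login_user_name"]:
        raise ValueError("claim configured as [Login User Name] is missing")
    return user
```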