Table of Contents
Single sign-on lets users access PaperCut's web interface without re-entering credentials. For example, a user logged into Windows may be given direct access to PaperCut's web interface without the need to re-enter their username and password at the PaperCut login screen. Sites with an intranet portal often find SSO particularly attractive, as it allows diverse IT systems to be seamlessly integrated into the portal without the need for separate logins.
Single sign-on also goes hand in hand with technologies such as two-factor authentication used in high security environments. With two-factor authentication, sign-on may involve presentation of an ID card or reading a fingerprint. In some cases, user passwords are managed by the security system and not known to the user, making it impossible to login using a traditional login screen. PaperCut's SSO support allows PaperCut to leverage the two-factor security already in place.
Web single sign-on is an advanced topic. The standard web login that comes built-in with PaperCut is most appropriate for many sites.
PaperCut supports two different web SSO methods:
Integrated Windows Authentication For Windows domain environments where both the PaperCut Application Server and the user PC's share the same Windows domain and intranet zone. With Integrated Windows Authentication, PaperCut uses existing Windows technologies to securely identify Windows domain users as PaperCut users.
WebAuth A web authentication system developed and freely licensed by Stanford University. It is implemented as an Apache module and works by intercepting requests to the PaperCut Application Server. WebAuth is operating system neutral, but requires specialist expertise to set up.
PaperCut's WebAuth integration is actually quite generic and is also used for Shibboleth SSO integration at several customer sites.
There are a number of considerations and preparation steps you must take prior implementing SSO in PaperCut
An effective security system offers multiple layers of defence against unwanted intrusion. For example an organization's firewall may provide the first layer of defence, but if an intruder penetrates that, the Windows login presents a second barrier. Once logged into Windows, PaperCut's login screen represents a third layer of defence.
SSO trades off the convenience of direct access with removing one layer of security. For example, with SSO a user may click on a hyperlink in an email or instant message and be taken directly into PaperCut. Before implementing SSO, you must weigh up the risks and benefits for your organization.
PaperCut offers granularity of control over which parts of PaperCut will use SSO. For example, you may decide to use SSO for just the user web pages and mobile client, not the admin interface. You will need to decide your policy up front before configuring SSO.
You must choose whether you wish PaperCut MF SSO to log users directly in, or to first present a confirmation page. The confirmation page displays the user name and can also offer a Switch User link to allow users to use an alternate login. With direct login, one less click is needed, but there is no opportunity to confirm the correct login or switch to an alternate user.
You will also need to decide whether you wish to redirect the user to your intranet portal after logout. A logout URL is required when direct access is configured.
Your PaperCut users must be sourced from a central directory server such as
Windows directory. Internal PaperCut users,
and the built-in admin
are internal to PaperCut and
will not work with SSO. If you do need to retain some internal users,
you will need to show the confirmation page with
the Switch User link to make the PaperCut login page accessible.
If using SSO to access the PaperCut administration interface, you must set up the necessary administration rights for all administrator users before enabling SSO. The same applies to other PaperCut interfaces such as /release, /webcashier and /central-reports.
Select which SSO technology is right for you. Whilst many PaperCut MF sites will choose Integrated Windows Authentication, it does have strict pre-requisites. For example, if you have a significant number of non-Windows users, Windows based SSO may not be the best choice for you. More information about each SSO technology is provided below.
Integrated Windows Authentication (IWA) is designed for Microsoft Windows environments where both the PaperCut Application Server and client PCs reside on the same Windows domain and Intranet Zone. In summary the requirements are:
The PaperCut Application Server must run on the Windows operating system.
PaperCut web users are using PC's running Windows
All computers are on the same domain
Your site uses Active Directory for managing users, including PaperCut users. Windows Authentication will only work with users that are managed by Windows.
The Application Server URL is on the same Intranet Zone as user's PC's. By default this means that the URL does not contain periods. User Internet options may also be configured to explicitly add the PaperCut Application Server to the Intranet Zone.
Your organization's recommended web browser supports IWA. Browsers that support IWA include Internet Explorer, Chrome and Firefox. (Note that Firefox requires additional configuration to enable IWA support.)
By default, Windows SSO will not authenticate users belonging to the "Guest" group. You may change this behavior by setting the advanced config key "auth.web-login.sso-allow-guest" to Y. Please see the section called “Using the Config Editor” to find out how to change config keys.
Integrated Windows Authentication is part of Windows, so if your site meets the above criteria, no additional setup is needed prior to configuring SSO.
WebAuth uses a reverse proxy server to manage HTTP traffic between users and PaperCut. If you are considering WebAuth, you will need the resources and skills to implement and configure an Apache web server and perform the installation instructions provided by WebAuth.
WebAuth takes care of authorizing the user and inserts a special HTTP header in all authorized requests sent to PaperCut. You will need to specify the name of this header and also a list of whitelisted source IP addresses when integrating WebAuth with PaperCut
Although WebAuth SSO is considerably more complex to implement than IWA, it does have the advantage of supporting a non-Windows environment.
© Copyright 1999-2014. PaperCut Software International Pty Ltd. All rights reserved.