Configuring Web SSO

Configuring SSO in PaperCut is easy, but you must work through the preparation steps above, or you may find that you are unable to login to PaperCut!

Tip

After enabling SSO on the admin interface, it will no longer be easy to use the built in admin user as the login page is no longer shown. Before configuring SSO, you must ensure your domain or corporate login has admin rights and you will need to use this login.

As a protection, the built-in admin user does not have the rights to enable SSO.

If you make a mistake, and lock yourself out after enabling SSO, you can bypass SSO by adding /nosso to the Application Server URL. For example:

http://[myserver]/admin/nosso

Go to: OptionsAdvanced and find the "Single Sign-on (SSO)" section.

Single Sign-on Configuration

Figure 21.1. Single Sign-on Configuration

  1. Check Enable Single sign-on to enable SSO. Additional configuration items will appear.

  2. Select the SSO method, either Integrated Windows Authentication or WebAuth.

  3. If you have selected WebAuth, enter the WebAuth header name and a list of whitelisted IP addresses.

  4. Specify the SSO behavior you want for user web interface and mobile client, admin interface and other interfaces:

    1. Standard (username and password) - don't use SSO and show the PaperCut MF login screen.

    2. SSO with confirmation page - Use SSO and present a confirmation page at login.

    3. SSO with direct access - Use SSO and login the user directly with no confirmation page.

  5. Specify whether you wish to show a Switch User link on the confirmation page.

  6. Specify a URL to go to on logout. A typical example would be the URL for your intranet portal.

Advanced Configuration

Advanced config keys may be set to fine tune SSO behavior. Please see the section called “Using the Config Editor” to learn how to set config keys.

  1. Some installations wish to enable SSO for web users, but not for mobile users of the mobile client and mobile release apps. To disable SSO for mobile users, set the advanced config key: auth.web-login.sso-enable.mobile-user to N.

  2. By default, Windows SSO will not authenticate users belonging to the "Guest" group. You may change this behavior by setting the advanced config key auth.web-login.sso-allow-guest to Y.

Post Installation Testing

After enabling SSO, we recommend you perform these tests to ensure that users can successfully access the PaperCut interface.

  1. Verify that you can still login to the admin interface.

  2. Verify that a user without admin rights can still access their user web pages.

  3. If in use, verify that a user with the appropriate admin rights can still access other interfaces such as release or webcashier.

  4. Try logging in from other PC's in the domain.

  5. Try logging in from different browsers supported in your organization.

  6. If using IWA, try logging in from a non-windows client or a PC outside the domain. Verify you can still login after providing your Windows credentials.