Configuring web SSO
Configuring SSO in PaperCut is easy, but you must work through the preparation steps above, or you might not be able to log in to PaperCut!
After enabling SSO on the Admin web interface, it is not easy to use the built in admin user as the login page is no longer shown. Before configuring SSO, you must ensure your domain or corporate login has admin rights and you need to use this login. As a protection, the built-in admin user does not have the rights to enable SSO. If you lock yourself out after enabling SSO, you can bypass SSO by adding /nosso to the Application ServerAn Application Server is the primary server program responsible for providing the PaperCut user interface, storing data, and providing services to users. PaperCut uses the Application Server to manage user and account information, manage printers, calculate print costs, provide a web browser interface to administrators and end users, and much more. URL. For example: http://[myserver]/admin/nosso.
-
Select Options > Advanced.
The Advanced page is displayed.
-
In the Web Single Sign-on (SSO) area, select the Enable Single sign-on check box to enable SSO. Additional configuration items are displayed.
-
Select the SSO method:
- Integrated Windows Authentication
- WebAuth
-
If you select WebAuth, complete the following fields:
- WebAuth HTTP header key—the WebAuth HTTP header name.
- Allowed WebAuth IP addresses—a comma separated list of whitelisted IP addresses.
-
Specify the SSO behavior you want for the user web interface and mobile client, Admin web interface, and other interfaces:
-
Standard (username and password)—don't use SSO and show the PaperCut MF login screen.
-
SSO with confirmation page—use SSO and present a confirmation page at login.
-
SSO with direct access—use SSO and directly log in the user with no confirmation page.
-
-
If you want to show a Switch User link on the confirmation page, select the Show "Switch User" link on confirmation page check box.
-
In On logout, direct user to URL, enter a URL to go to on logout. A typical example would be the URL for your intranet portal.
Advanced configuration
You can set advanced config keys to fine tune SSO behavior. For more information, see Using the Config Editor.
-
Some installations want to enable SSO for web users, but not for users of the mobile client and mobile release apps. To disable SSO for mobile users, set the advanced config keyA config key stores information about a specific advanced setting in PaperCut. Config keys are editable by an administrator in the Config Editor.: auth.web-login.sso-enable.mobile-user to N.
-
By default, Windows SSO does not authenticate users belonging to the "Guest" group. You can change this behavior by setting the advanced config key auth.web-login.sso-allow-guest to Y.
Post installation testing
After enabling SSO, perform the following tests to ensure that users can successfully access the PaperCut interface.
-
Verify that you can still log in to the Admin web interface.
-
Verify that a user without admin rights can still access their user web pages.
-
If in use, verify that a user with the appropriate admin rights can still access other interfaces, such as, Release StationPrint Release Stations place a print job on hold and allow users to release it when required. Often a Release Station is a dedicated PC terminal located next to the printers, however, Release Stations can take other forms such as a web browser based interface. Some common examples where Release Stations can be used include secure printing, approved printing, and authentication. In a secure printing environment jobs are only printed when the user arrives at the print area and confirms his or her identity. This ensures the user is there to collect the job and other users can't "accidentally" collect the document. In some organizations it may be appropriate to hold jobs until they are approved by selected individuals. A good example would be a teacher approving printing on an expensive color printer. Hold/Release queues can be used as a form of authentication in an unauthenticated environment. Users must authenticate prior to releasing their jobs allowing PaperCut NG to confirm their identity. or Web CashierWeb Cashier is a basic Point of Sale (POS) system to charge items to PaperCut accounts and deposit funds into users' accounts..
-
Try logging in from other computers in the domain.
-
Try logging in from different browsers supported in your organization.
-
If using IWA, try logging in from a non-windows client or a PC outside the domain. Verify you can still log in after providing your Windows credentials.