Configuring Web SSO

Configuring SSO in PaperCut is easy, but you must work through the preparation steps above, or you may find that you are unable to login to PaperCut!

Tip

After enabling SSO on the admin interface, it will no longer be easy to use the built in admin user as the login page is no longer shown. Before configuring SSO, you must ensure your domain or corporate login has admin rights and you will need to use this login.

As a protection, the built-in admin user does not have the rights to enable SSO.

If you make a mistake, and lock yourself out after enabling SSO, you can bypass SSO by adding /nosso to the Application Server URL. For example:

http://[myserver]/admin/nosso

Go to: OptionsAdvanced and find the "Single Sign-on (SSO)" section.

Single Sign-on Configuration

Figure 17.1. Single Sign-on Configuration

  1. Check Enable Single sign-on to enable SSO. Additional configuration items will appear.

  2. Select the SSO method, either Integrated Windows Authentication or WebAuth.

  3. If you have selected WebAuth, enter the WebAuth header name and a list of whitelisted IP addresses.

  4. Specify the SSO behavior you want for user web interface, admin interface and other interfaces:

    1. Standard (username and password) - don't use SSO and show the PaperCut NG login screen.

    2. SSO with confirmation page - Use SSO and present a confirmation page at login.

    3. SSO with direct access - Use SSO and login the user directly with no confirmation page.

  5. Specify whether you wish to show a Switch User link on the confirmation page.

  6. Specify a URL to go to on logout. A typical example would be the URL for your intranet portal.

Post Installation Testing

After enabling SSO, we recommend you perform these tests to ensure that users can successfully access the PaperCut interface.

  1. Verify that you can still login to the admin interface.

  2. Verify that a user without admin rights can still access their user web pages.

  3. If in use, verify that a user with the appropriate admin rights can still access other interfaces such as release or webcashier.

  4. Try logging in from other PC's in the domain.

  5. Try logging in from different browsers supported in your organization.

  6. If using IWA, try logging in from a non-windows client or a PC outside the domain. Verify you can still login after providing your Windows credentials.