PaperCut Hive and Pocket offer different methods to authenticate administrators when they sign up and log in:
- Email and Password
- Sign in with Microsoft and/or Sign in with Google (OAuth social login)
- SAML 2.0 Single Sign-on (SSO)
  - Configuring custom SAML 2.0 Single Sign-on (SSO)
  - Configuring Google Workspace Single Sign-on (SSO) via SAML 2.0
  - Configuring Microsoft Entra ID Single Sign-on (SSO) via SAML 2.0
When enabled, these authentication methods are presented as signup and/or login options on the organization’s PaperCut Hive or Pocket login page.
Single Sign-on centralizes authentication, giving users a consistent experience and letting you enforce security policy in one place. The multi-factor authentication (MFA) settings you already have in your identity provider apply to PaperCut Hive or Pocket logins.
This section describes these administrator authentication methods and how to set them up.
Email and Password authentication
Email and Password authentication is a login method for PaperCut Hive and Pocket administrators and users. It is enabled by default but can be disabled. If you disable it, ensure that administrators still have access to PaperCut Hive and Pocket.
See Enabling Email and Password authentication.
Sign in with Microsoft and/or Sign in with Google (OAuth social login authentication)
The Sign in with Microsoft and Sign in with Google OAuth social login authentication methods are the default logins for PaperCut Hive and Pocket admins. Both methods are enabled by default and can be disabled.
When enabled, these OAuth social logins allow admins to easily sign in to PaperCut Hive or Pocket using the Sign in with Microsoft or Sign in with Google social login buttons on the organization’s PaperCut login screen.
Only admins with Microsoft-issued accounts can use Sign in with Microsoft (for example, from Outlook, MSN, or Live).
Similarly, only administrators with Google-issued accounts (for example, from Google Workspace or Gmail) can use Sign in with Google.
See:
SAML 2.0 Single Sign-on
For the (extra) security-minded and the tinkerers! Security Assertion Markup Language (SAML) is built to safely ask for user information from an authentication source. It lets you add some customization for your Google Workspace or Entra ID environments or configure an identity provider that we haven’t thought of (yet).
SAML 2.0 in PaperCut Hive and Pocket comes with options for Microsoft Entra ID and Google Workspace to let administrators quickly configure a custom connection to their identity providers. To configure these, see:
- Configuring Microsoft Entra ID Single Sign-on (SSO) via SAML 2.0
- Configuring Google Workspace Single Sign-on (SSO) via SAML 2.0
It also comes as a custom SAML 2.0 connector, allowing admins to use third-party identity providers. Third-party identity providers that support SAML 2.0 include:
- Okta
- Duo
- OneLogin
- Ping Identity
- IBM Security Verify
- Delinea (was Centrify)
- JumpCloud
See Configuring custom SAML 2.0 Single Sign-on (SSO).
Multiple SSO IDPs
You can add and configure one or more SSO identity providers (IDPs). If you use multiple IDPs, at least one must be enabled at all times.
Multiple configurations can be useful in scenarios such as an organizational merger or if multiple organizational units have separate identity providers.
Pre-configuring (staging) SSO
It’s also possible to stage SSO configurations by creating them but not enabling them until you’re ready. Examples of when you might do this include:
- before a large-scale migration of identity providers
- in an environment that has used PaperCut Hive for a little while but not yet used SSO, so everything is set up and configured before the ‘grand unveiling’
- before a deadline, for example, the start of a school year or financial year
- to prove that the concept will work with your environment before rolling it out to your users
- to configure multiple IDPs so they can be rolled out together.
Disabling an authentication method
If you need to disable a previously used authentication method, be sure to notify any other administrators and your users so they are aware of the login changes. Of course, before making the change, check that all your users will still be able to log in!