Configuring custom SAML 2.0 Single Sign-on (SSO) for PaperCut Hive and Pocket

For details about SAML 2.0, see the SAML 2.0 Single Sign-on overview.

1. Add your organization’s details into PaperCut Hive or Pocket

To add and enable a custom SAML 2.0 SSO configuration:

Log in to the PaperCut Hive or Pocket admin console and at the top-right of the page click the login name.
Select Settings > Authentication tab.
Click Add SAML SSO provider. The Add SAML SSO provider modal is displayed.
Select Custom SAML 2.0. The Add SSO configuration page is displayed.
In the Identity provider name field, enter a name for this configuration. This name helps you know which configuration you’re editing or using, especially if your organization has multiple SSO configurations enabled simultaneously. Since this authentication method is generic, it can be helpful to include the name of the identity service you are using.

In a separate tab, log in to your identity provider admin interface. You’ll likely need to have admin permissions in your identity service to set this up.
Register a SAML connection/application with your IDP.

During the SAML registration, you will be asked for the following details from PaperCut Hive or Pocket:

SP Entity ID (sometimes called the “identifier”): a unique name for the service provider application, which the IDP uses for identification in the SSO process.
Assertion Consumer Service (ACS) URL: the URL where the IDP sends authentication tokens for PaperCut Hive to validate.

Note

Make sure that your IDP contains all users you want to authenticate to PaperCut Hive for your newly registered SAML app. Without permission, users may get sign in errors for otherwise successful authentication attempts.
Save the details.

In the app you just registered with your IDP, find the following information and add it to the SAML2 Provider Registration details in PaperCut Hive:
- Login URL: the URL where PaperCut Hive or Pocket needs to submit authentication requests to your IDP for processing.
- IDP Entity ID: the unique identifier for the identity platform for you to register in PaperCut Hive or Pocket.
Copy the BASE64 x509 certificate value. An IDP can provide the certificate in one of two formats:
- As a file: open the file in a text editor and copy the certificate details, including the —–BEGIN CERTIFICATE—– and —–END CERTIFICATE—–.
- As text to copy/paste: copy the text.
Paste the certificate details into the Certificate box.
If you have done this correctly, a green tick and certificate validity message appears.

Tip

If the certificate doesn’t validate, ensure the full RFC 1421 / RFC 1422 “PEM” Encapsulation Boundary is present. (That’s the five — yes five! — hyphens before and after BEGIN CERTIFICATE and END CERTIFICATE. Is the certificate still not validating? Ensure that it hasn’t expired, then reselect the Base 64 version of the certificate, retry the download, and repeat the process.

Test that you can log in with an email address associated with the domain(s) you’re setting up for SSO.

In the Test configuration (required) section, select Test configuration. A sign-in prompt for your identity provider is displayed.
Log in using an account with your SSO-registered credentials from the domain you configured. A test user is always a good option!
Wait until a test result is displayed.
Select Return to SSO configuration to return to the configuration page.

In the Enable configuration section:
- If you’re ready to immediately allow SSO access to PaperCut Hive or Pocket via this configuration, select Yes, enable now.
- If you’re not ready to start using this configuration, select No, enable later, and save the configuration. You can return to enable it at any time. Before enabling it, test the configuration again.
Select Save. The Authentication page is displayed.
Check that your SSO configuration is enabled/disabled according to your previous “Enable configuration” selection. If enabled, use a test account to check that SSO is working.