For details about SAML 2.0, see the SAML 2.0 Single Sign-on overview.
1. Provide this configuration’s basic details to PaperCut Hive or Pocket
To add and enable a custom SAML 2.0 SSO configuration:
- Log in to the PaperCut Hive or Pocket admin console and at the top-right of the page click the login name.
- Select Settings > Authentication tab.
- Click Add SAML SSO provider. The Add SAML SSO provider modal is displayed.
- Select Custom SAML 2.0. The Add SSO configuration page is displayed.
- In the Configuration name field, enter a name for this configuration. This name helps you know which configuration you’re editing or using, especially if your organization has multiple SSO configurations enabled simultaneously. Since this authentication method is generic, it can be helpful to include the name of the identity service you are using.
- In the Configuration button label field, enter the button label your users will see on your organization’s PaperCut Hive or Pocket login page. Again, if you are using multiple SSO configurations simultaneously, ensure the button label helps users select the right button to log in.
2. Add PaperCut details to your identity provider
-
In a separate tab, log in to your identity provider admin interface. You’ll likely need to have admin permissions in your identity service to set this up.
-
Register a SAML connection/application with your IDP.
During the SAML registration, you will be asked for the following details from PaperCut Hive or Pocket:
SP Entity ID (sometimes called the “identifier”): a unique name for the service provider application, which the IDP uses for identification in the SSO process.
Assertion Consumer Service (ACS) URL: the URL where the IDP sends authentication tokens for PaperCut Hive to validate.
3. Link your IDP back to PaperCut Hive or Pocket
-
In the app you just registered with your IDP, find the following information and add it to the SAML2 Provider Registration details in PaperCut Hive:
- Login URL: the URL where PaperCut Hive or Pocket needs to submit authentication requests to your IDP for processing.
- IDP Entity ID: the unique identifier for the identity platform for you to register in PaperCut Hive or Pocket.
-
Copy the BASE64 x509 certificate value. An IDP can provide the certificate in one of two formats:
- As a file: open the file in a text editor and copy the certificate details, including the —–BEGIN CERTIFICATE—– and —–END CERTIFICATE—–.
- As text to copy/paste: copy the text.
-
Paste the certificate details into the Certificate box.
If you have done this correctly, a green tick and certificate validity message appears.
4. Test the configuration
Test that you can log in with an email address associated with the domain(s) you’re setting up for SSO.
- In the Test configuration (required) section, select Test configuration. A sign-in prompt for your identity provider is displayed.
- Log in using an account with your SSO-registered credentials from the domain you configured. A test user is always a good option!
- Wait until a test result is displayed.
- Select Return to SSO configuration to return to the configuration page.
5. Enable the configuration
- In the Enable configuration section:
- If you’re ready to immediately allow SSO access to PaperCut Hive or Pocket via this configuration, select Yes, enable now.
- If you’re not ready to start using this configuration, select No, enable later, and save the configuration. You can return to enable it at any time. Before enabling it, test the configuration again.
- Select Save. The Authentication page is displayed.
- Check that your SSO configuration is enabled/disabled according to your previous “Enable configuration” selection. If enabled, use a test account to check that SSO is working.
Comments