Skip to content

Choose your language

  • No results

Choose your login

  • No results
Support
Search

Configuring Google Workspace Single-Sign-on (SSO) via SAML 2.0

This page applies to:

For a description about SAML 2.0 Single Sign-on, see the SAML 2.0 Single Sign-on overview.

Before starting, ensure you have Google Workspace Administrator-level access or higher.

1. Provide your organization’s details

To add and enable a Google Workspace SSO configuration:

  1. Log in to the PaperCut Hive or Pocket admin console and at the top-right of the page click the login name.
  2. Select Settings > Authentication tab.
  3. Click Add SAML SSO provider. The Add SAML SSO provider modal is displayed.
    Add SAML SSO provider modal, showing three selectable options: Microsoft Entra ID, GoogleWorkspace, and Custom SAML 2.0
  4. Select Google Workspace. The Add SSO configuration page is displayed.
    Screenshot of the top of the "Add SSO configuration" page showing the first section: Provide your organization’s details.
  5. In the Identity provider name field, enter a name for this configuration. This name helps you know which configuration you’re editing or using, especially if your organization has multiple SSO configurations enabled at the same time.
  1. In a separate tab, log in to your Google Workspace Admin console. You must have Administrator access.
  2. In the left menu, select Apps > Web and mobile apps.
  3. In the action selection area, select Add app > Add custom SAML app.
    Google Workspace, Web and mobile apps page showing a list of apps and the Add app dropdown at the top of the list
    The app details page is displayed.
    Google Workspage, App details page showing fields for the app name and description
  4. In App name, enter a name for your application. We’ll use Example SAML app. Then select Continue. The Google Identity Provider details page is displayed.
    Google Workspace, Google Identity Provider details page showing the SSO URL, Entity ID and Certificate details
  5. Copy and paste the SSO URL into PaperCut:
    1. Go to Option 2 and copy the SSO URL.
    2. Switch to the PaperCut tab showing the Add SSO configuration page, and paste the SSO URL in the SSO URL box.
  6. Copy and paste the Entity ID into PaperCut:
    1. On the Google Identity Provider details page, copy the Entity ID.
    2. Switch to the PaperCut tab and paste the Entity ID into the Entity ID box.
  7. Copy and paste the certificate into PaperCut:

    1. On the Google Identity Provider details page, copy the details in the Certificate box, including the —–BEGIN CERTIFICATE—– and —–END CERTIFICATE—–.

    2. Switch to the PaperCut tab and paste the certificate in the Certificate box.
      If you have done this correctly, a green tick and certificate validity message appears.

  8. Leave other boxes on the page empty, and select CONTINUE. The Service Provider Details tab is displayed.
    Google Workspace, Service provider details page showing empty fields for the ACS URL and Entity ID

3. Add PaperCut details to Google Workspace

Both URLs below are also available on the PaperCut Add SSO configuration page.

  1. On the Service Provider Details tab in Google Workspace, paste this URL into the ACS URL box: https://login.papercut.com/__/auth/handler
  2. Copy and paste this unique identifier (Entity ID) into the Entity ID box (where xxxx is the Identifier (Entity ID) from your Hive SSO configuration):
    https://login.papercut.com/xxxx
  3. Leave the other boxes on the page empty, and select CONTINUE. The Attribute Mapping page is displayed.
  4. Leave the boxes on the page empty, and select FINISH.
  5. Switch to the PaperCut tab.

4. Test configuration

Test that you can log in to PaperCut with an email address associated with the domain(s) you’re setting up for SSO. A test user is always a good option!

  1. In the Test configuration section:
    1. Select Test configuration. A pop-up window is displayed.
    2. Log in using an account with your SSO-related credentials from the domain you configured.
    3. Wait until a test result is displayed.
    4. Select Return to SSO configuration to return to the configuration page.
  2. In the Enable configuration section:
    1. If you’re ready to immediately allow SSO access to PaperCut Hive or Pocket via this configuration, select Yes, enable now.
    2. If you’re not ready to start using this configuration, select No, enable later and save the configuration. You can return to enable it at any time. Before enabling it, test the configuration again.
  3. Select Save. The Authentication page is displayed.
  4. Check that your SSO configuration is enabled/disabled, according to your previous “Enable configuration” selection. If enabled, use a test account to check that SSO is working.

Comments