Configuring Microsoft Entra ID Single Sign-on (SSO) via SAML 2.0 for PaperCut Hive and Pocket

For details about SAML 2.0 Single Sign-on, see the SAML 2.0 Single Sign-on overview.

Before starting, ensure you have Cloud Application Administrator level access or higher for Microsoft Entra ID.

1. Provide this configuration’s basic details to PaperCut Hive or Pocket

To add and enable a Microsoft Entra ID SSO configuration:

Log in to the PaperCut Hive or Pocket admin console and at the top-right of the page click the login name.
Select Settings > Authentication tab.
Click Add SAML SSO provider. The Add SAML SSO provider modal is displayed.
Select Microsoft Entra ID. The Add SSO configuration page is displayed.
In the Configuration name field, enter a name for this configuration. This name helps you know which configuration you’re editing or using, especially if your organization has multiple SSO configurations enabled at the same time.
In the Configuration button label field, enter the button label your users will see on your organization’s PaperCut Hive or Pocket login page. Again, if you are using multiple SSO configurations simultaneously, ensure the button label helps users select the right button to log in.

2. Add PaperCut details to Microsoft Entra ID

In a separate tab, log in to your Microsoft Entra Admin Center .
You must have Cloud Application Administrator level access or higher.
Go to Enterprise applications.
In the left menu, select All applications.
Select New application. The Browse Microsoft Entra Gallery page is displayed.
Select Create your own application. The Create your own application drawer is displayed.
1. Enter a name for your application. For this procedure, we’re using Example Application Name.
2. Make sure the option Integrate any other application you don’t find in the gallery (Non-gallery) is selected.
3. Select Create. The Overview page for your new app is displayed.
In the left menu, select Manage > Single sign-on, then select the SAML box.

The SAML-based Sign-on configuration page is displayed.
In the step 1 area, click Edit. The Basic SAML Configuration page is displayed.
On the Basic SAML Configuration page:
1. In the Identifier (Entity ID) area, click Add identifier.
2. Copy and paste this unique identifier (Entity ID) into the box (where xxxx is the Identifier (Entity ID) from your Hive SSO configuration):
  https://login.papercut.com/xxxx
  
  Note
  
  This is the same ID that’s shown in PaperCut on the Add SSO configuration page.
3. In the Reply URL section, click Add reply URL.
4. Copy and paste this URL in the box: https://login.papercut.com/__/auth/handler
  
  Note
  
  This is the same Reply URL that’s shown in PaperCut on the Add SSO configuration page.
Select Save, then close the drawer.
In the left menu, select Users and groups.
Select Add user/group.
Select None Selected. The Users and Groups drawer is displayed.
Select at least one test user to add to your SAML application, then click Select. The Add Assignment page is displayed showing the users and groups you’ve selected.
Click Assign. The SAML App | Users and groups page is displayed. Microsoft Entra ID now has all the PaperCut details it needs.

3. Link Microsoft Entra ID back to PaperCut

In the left menu, select Single sign-on > SAML. The SAML-based Sign-on page is displayed.
Copy the Login URL and paste it into PaperCut:
1. Scroll down to the 4 Set up SSO Application area, and copy the Login URL.
2. Switch to the PaperCut tab, go to 3 Link Microsoft Entra ID back to Papercut, and paste the URL into the Login URL box.
Copy the Microsoft Entra Identifier and paste it into PaperCut:
1. Switch to Entra ID and copy the Microsoft Entra Identifier.
2. Switch to the PaperCut tab, go to 3 Link Microsoft Entra ID back to Papercut, and paste the URL into the Microsoft Entra Identifier box.
Copy the certificate and paste it into PaperCut:
1. Switch to the Set up Single Sign-On with SAML page, in the 3 SAML Certificates area, select Download - Certificate (Base 64).
2. Locate the downloaded file and open it in a text editor.
3. Copy the certificate details, including the —–BEGIN CERTIFICATE—– and —–END CERTIFICATE—–.
4. Switch back to PaperCut and paste the details into the Certificate box.
  If you have done this correctly, a green tick and certificate validity message appears.
  
  Tip
  
  If the certificate doesn’t validate, ensure the full RFC 1421 / RFC 1422 “PEM” Encapsulation Boundary is present. (That’s the five — yes five! — hyphens before and after BEGIN CERTIFICATE and END CERTIFICATE.) Is the certificate still not validating? Ensure that it hasn’t expired, then reselect the Base 64 version of the certificate, retry the download, and repeat the process.

4. Test the configuration

Test that you can log in with an email address associated with the domain(s) you’re setting up for SSO.

In the 4 Test configuration (required) section, select Test configuration. A Microsoft sign-in pop-up is displayed.
Log in using an account with your SSO-related credentials from the domain you configured. A test user is always a good option!
Wait until a test result is displayed.
Select Return to SSO configuration to return to the configuration page.

5. Enable the configuration

In the Enable configuration section:
- If you’re ready to immediately allow SSO access to PaperCut Hive or Pocket via this configuration, select Yes, enable now.
- If you’re not ready to start using this configuration, select No, enable later, and save the configuration. You can return to enable it at any time. Before enabling it, test the configuration again.
Select Save. The Authentication page is displayed.
Check that your SSO configuration is enabled/disabled according to your previous “Enable configuration” selection. If enabled, use a test account to check that SSO is working.

Configuring Microsoft Entra ID Single Sign-on (SSO) via SAML 2.0

This page applies to: