Configuring Okta SAML 2.0 Single Sign-on (SSO) for PaperCut Hive and Pocket

Note: For details about SAML 2.0, see the SAML 2.0 Single Sign-on overview.

Before you start

Ensure you have Administrator access to the Okta admin interface.

To add and enable an Okta SSO configuration:

Log in to the PaperCut Hive or Pocket admin console, and at the top-right of the page, click on your name.
Select Settings > Authentication tab.
Click Add SAML SSO provider. The Add SAML SSO provider modal is displayed.
Select Custom SAML 2.0. The Add SSO configuration page is displayed.
In the Configuration name field, enter a name for this configuration. This name helps you know which configuration you’re editing or using, especially if your organization has multiple SSO configurations enabled simultaneously.
In the Configuration button label field, enter the button label your users will see on your organization’s PaperCut Hive or Pocket login page. If your organization uses multiple SSO configurations simultaneously, ensure the button label helps users choose the correct login option.

In a separate tab, log in to your Okta admin interface.
Go to Applications > Applications.
Select Create App Integration. The Create a new app integration screen is displayed.
Select SAML 2.0. The Create SAML Integration screen is shown.
Enter an App name for the integration with PaperCut Hive and, optionally, upload an App logo.
Select both checkboxes for Do not display application icon to users and Do not display application icon in the Okta Mobile app. These options should be used as PaperCut Hive does not currently support IdP-initiated SAML authentication.
Click Next. The SAML Settings screen is displayed.
Return to your PaperCut Hive admin interface and copy the ACS (Assertion Consumer Service) URL. Go back to the Okta admin interface and paste this value into the Audience URI (SP Entity ID) field.
In PaperCut Hive, copy the Entity ID (Issuer) URL, then in Okta, paste this value into the Single sign-on URL field.
In the Okta configuration, set the Application username to Email.
Click Next. The Feedback screen is displayed.
Select Finish.

In the Okta interface, go to the Settings screen for your new Application. Under Sign on methods > SAML 2.0, click on More details to expand the section.
Copy the Sign on URL and paste it into PaperCut:
1. Locate the Sign on URL and click Copy.
2. Switch to the PaperCut tab, go to 3 Link Custom SAML Identity Provider back to PaperCut, and paste the URL into the SSO URL box.
Copy the Okta Issuer and paste it into PaperCut:
1. Switch to Okta and copy the Issuer URL.
2. Switch to the PaperCut tab, go to 3 Link Custom SAML Identity Provider back to PaperCut, and paste the URL into the Entity ID box.
Copy the certificate and paste it into PaperCut:
1. Switch back to Okta, locate the Signing Certificate, and click Copy.
2. Switch back to PaperCut and paste the details into the Certificate box.
  
  If you have done this correctly, a green tick and certificate validity message appears.
  
  Tip
  
  If the certificate doesn’t validate, ensure the full RFC 1421 / RFC 1422 “PEM” Encapsulation Boundary is present. (That’s the five — yes five! — hyphens before and after BEGIN CERTIFICATE and END CERTIFICATE. Is the certificate still not validating? Ensure that it hasn’t expired, then reselect the Base 64 version of the certificate, retry the download, and repeat the process.

In the Okta admin interface, select your newly created PaperCut Hive SAML Application.
Click the Assignments tab.
Assign the SAML Application to the users and/or groups who should be able to use this sign in option via PaperCut Hive.

Test that you can log in with an email address associated with the domain(s) you’re setting up for SSO.

On the PaperCut Hive or Pocket Edit SSO configuration page, in the 4 Test configuration (required) section, select Test configuration. An Okta sign-in pop-up is displayed.
Log in using an account with your SSO-related credentials from the domain you configured. A test user is always a good option!
Wait until a test result is displayed.
Select Return to SSO configuration to return to the configuration page.

On the PaperCut Hive or Pocket Edit SSO configuration page, in the Enable configuration section:
1. If you’re ready to immediately allow SSO access to PaperCut Hive or Pocket via this configuration, select Yes, enable now.
2. If you’re not ready to start using this configuration, select No, enable later, and save the configuration. You can return to enable it at any time. Before enabling it, test the configuration again.
Select Save. The Authentication page is displayed.
Check that your SSO configuration is enabled/disabled according to your previous “Enable configuration” selection. If enabled, use a test account to check that SSO is working.