Planning for web SSO implementation

Preparing for SSO

1. An effective security system offers multiple layers of defence against unwanted intrusion. For example, an organization's firewall can provide the first layer of defence, but if an intruder penetrates that, the Windows login presents a second barrier. Once logged into Windows, PaperCut's login screen represents a third layer of defence.

   SSO trades off the convenience of direct access with removing one layer of security. For example, with SSO a user can click a hyperlink in an email or instant message and be taken directly into PaperCut. Before implementing SSO, you must weigh up the risks and benefits for your organization.

2. PaperCut offers granularity of control over which parts of PaperCut will use SSO. For example, you might decide to use SSO for just the user web pages and mobile client, not the Admin web interface. Decide your policy up front before configuring SSO.

3. Decide whether you want PaperCut MF SSO to directly log in users, or to first present a confirmation page. The confirmation page displays the user name and can also offer a Switch User link to allow users to use an alternate login. With direct login, one less click is required, but there is no opportunity to confirm the correct login or switch to an alternate user.

4. Decide if you want to redirect the user to your intranet portal after logout. A logout URL is required when direct access is configured.

5. Your PaperCut users must be sourced from a central directory server, such as Windows directory. Internal users (users managed by PaperCut NG), and the built-in admin are internal to PaperCut so do not work with SSO. If you have internal users, show the confirmation page with the Switch User link to make the PaperCut login page accessible.

6. If using SSO to access the PaperCut Admin web interface, set up the necessary permissions (see Assign administrator level access) for all administrative users before enabling SSO. The same applies to other PaperCut interfaces, such as Release StationPrint Release Stations place a print job on hold and allow users to release it when required. Often a Release Station is a dedicated PC terminal located next to the printers, however, Release Stations can take other forms such as a web browser based interface. Some common examples where Release Stations can be used include secure printing, approved printing, and authentication. In a secure printing environment jobs are only printed when the user arrives at the print area and confirms his or her identity. This ensures the user is there to collect the job and other users can't "accidentally" collect the document. In some organizations it may be appropriate to hold jobs until they are approved by selected individuals. A good example would be a teacher approving printing on an expensive color printer. Hold/Release queues can be used as a form of authentication in an unauthenticated environment. Users must authenticate prior to releasing their jobs allowing PaperCut NG to confirm their identity., Web CashierWeb Cashier is a basic Point of Sale (POS) system to charge items to PaperCut accounts and deposit funds into users' accounts., and Central ReportsCentral Reports provide a consolidated data and reporting view across multiple Application Servers. Central Reports provide a large subset of the same reports that provided by the standard PaperCut reporting feature..

7. Select which SSO technology is right for you. While many PaperCut MF sites choose Integrated Windows Authentication, it does have strict prerequisites. For example, if you have a significant number of non-Windows users, Windows based SSO might not be the best choice for you. More information about each SSO technology is provided below.