Knowledge Base

Q Why do users have to log in when accessing the end-user web pages? Can I implement single sign-on (e.g. NTLM, Yale CAS)?

This is a controversial topic. Older versions of PaperCut used to implement single sign-on, meaning that users could access the user interface by simply clicking on the Details… link in the client or bringing up the required URL in a browser. No login was required. This however caused a number of problems in an education environment. The user web interface exposes sensitive information and features such as funds transfer.

The problem was that students would momentarily leave their desktop and another student could jump in, open the browser, and transfer funds out of their account or gain access to other sensitive data or functions. The same can be said for “admin” level users, although with more severe consequences!

Another related issue covers a new area of security attack, cross-site request forgery (XSRF). In 2008 an external security advisor demonstrated a successful attack against PaperCut with SSO enabled.

To prevent these issue we have designed PaperCut NG to require username/password authentication when the end-user pages are initially accessed. The new authentication method also provides a consistent login interface for users across all operating systems. The login screen can also be quickly customized to include your organization logo providing an official look.

Most customers prefer the security and consistency of the new authentication system. Some however prefer the legacy behavior of the older releases. The developers have noted this request and are considering adding a non-default option to re-enable the legacy single sign-on (SSO) behavior in a future release. This will only happen after XSRF mitigation measures such as image captcha are in place in key areas of the application (e.g. balance transfer).

Latest Review

April 2008 - The PaperCut code based has been recently externally reviewed from a security standpoint. As a result of this review a number of potential cross-site request forgery attacks (XSRF) were found. This is a relatively new and emerging attack vector. The potential XSRF vectors were closed up in the 8.2 release. The security advice on the NTLM topic was that we should keep with our transient authentication method and all SSO code should be removed. Moving back to NTLM/SSO would be equivalent to introducing persistent authentication and would be against XSRF best security practice, unnecessarily exposing users.

Other Options:

PaperCut NG version 9+ now includes some web widgets. If the aim is to provide users with simple access to view their balance or environmental impact within your intranet environment then the web widgets may satisfy these requirements.

Categories: User Web Interface

keywords: single sign on, signon, interface, web tools, login, NTLM, integrated authentication, auth, automatic login, Windows authentication

Comments

Share your findings and experience with other PaperCut users. Feel free to add comments and suggestions about this Knowledge Base article. Please don't use this for support requests.