PaperCut NG End-user Web login

Why do users have to log in when accessing the end-user web pages? Can I implement single sign-on?

This is a controversial topic. Older versions of PaperCut used to implement single sign-on, meaning that users could access the end-user pages simply by clicking the Details... link in the client or bringing up the required URL in a browser. No login was required. This, however, caused a number of problems in an education environment: the end-user pages expose sensitive information and a number of advanced features such as funds transfers.

The problem was that students would momentarily leave their desktop and another student could jump in, open the browser, and transfer funds out of their account or gain access to other sensitive data or functions. The same can be said for "admin" level users, although with more severe consequences! To prevent this, we have designed PaperCut NG to require username/password authentication when the end-user pages are initially accessed. The new authentication method also provides a consistent login interface for users across all operating systems. The login screen can also be quickly customized to include your organization's logo, giving it an official look.

Most customers prefer the security and consistency of the new authentication system. Some, however, prefer the legacy behavior of the older releases. The developers have noted this request and are considering adding a non-default option to re-enable the legacy single sign-on (SSO) behavior in a future release.

Latest Review

April 2008 - The PaperCut code base has recently been externally reviewed from a security standpoint. As a result of this review, a number of potential cross-site request forgery (XSRF) attacks were found. This is a relatively new and emerging attack vector. The potential XSRF vectors were closed up in the 8.2 release. The security advice on the NTLM topic was that we should keep to our transient authentication method. Moving to NTLM/SSO would be equivalent to introducing persistent authentication, would go against XSRF best security practice, and would unnecessarily expose users.
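To illustrate the reasoning behind the review's advice, here is an added toy model (not PaperCut's code) of a funds-transfer endpoint protected by an explicit, expiring login session plus a per-session synchronizer token. The user names, balances and the 15-minute session lifetime are constructed for the example; the point is that a request riding only on the browser's ambient credentials is rejected, and that a transient session also stops working once it lapses.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

SESSION_TTL = 15 * 60  # seconds; constructed value, not PaperCut's setting


@dataclass
class Session:
    user: str
    csrf_token: str   # embedded only in pages served to this user
    expires_at: float


class TransferService:
    """Toy end-user 'transfer funds' endpoint (hypothetical, for illustration)."""

    def __init__(self, balances):
        self.balances = dict(balances)
        self.sessions = {}

    def login(self, user, now=None):
        # Explicit login: the page's "transient authentication". The cookie id and
        # the CSRF token are both fresh random values tied to this session only.
        now = time.time() if now is None else now
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = Session(user, secrets.token_urlsafe(32), now + SESSION_TTL)
        return sid

    def transfer(self, cookie_sid, form, now=None):
        now = time.time() if now is None else now
        sess = self.sessions.get(cookie_sid)
        if sess is None or now >= sess.expires_at:
            self.sessions.pop(cookie_sid, None)       # expired sessions are discarded
            return "denied: no valid session"
        token = form.get("csrf_token", "")
        # Constant-time compare; a cross-site form cannot read this token.
        if not hmac.compare_digest(token.encode(), sess.csrf_token.encode()):
            return "denied: missing or bad CSRF token"
        amount = int(form["amount"])
        if amount <= 0 or self.balances.get(sess.user, 0) < amount:
            return "denied: insufficient funds"
        self.balances[sess.user] -= amount
        self.balances[form["to"]] = self.balances.get(form["to"], 0) + amount
        return "ok"


def demo():
    svc = TransferService({"alice": 10, "bob": 0})          # constructed accounts
    sid = svc.login("alice", now=0)
    token = svc.sessions[sid].csrf_token
    legit = svc.transfer(sid, {"to": "bob", "amount": "2", "csrf_token": token}, now=10)
    forged = svc.transfer(sid, {"to": "bob", "amount": "8"}, now=20)   # cookie only
    expired = svc.transfer(sid, {"to": "bob", "amount": "8", "csrf_token": token},
                           now=SESSION_TTL + 1)             # correct token, lapsed session
    return legit, forged, expired, svc.balances
```

With persistent NTLM/SSO-style authentication there would be no session expiry to fall back on, which is why the review treated the transient login as the safer baseline.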


Categories: WebTools


keywords: single sign on, interface, web tools, login, NTLM, integrated authentication, auth

Page last modified on May 25, 2008, at 10:10 PM