Configure generic Single Sign-on (SSO) via SAML 2.0

This page applies to:

Last updated June 26, 2026

This page describes the generic procedure for configuring Single Sign-on (SSO) via SAML 2.0 for PaperCut MF and PaperCut NG. It’s applicable for products such as:

  • Duo
  • OneLogin
  • Ping Identity (for example, PingFederate, PingOne)
  • JumpCloud.

For more information about SAML 2.0, see User authentication and SSO.

Step 1. Provide your organization’s basic details to PaperCut MF or NG

To add and enable a custom SAML 2.0 SSO configuration:

  1. Log in to the PaperCut Admin web interface on the SSL port (for example, https://your-papercut-server-name:9192).

  2. Select Options > User/Group Sync tab.

  3. Scroll down to the SSO Single Sign on section.

  4. Click Add SAML2 configuration. The SAML 2.0 SSO configuration page is displayed.

    Screenshot of the SAML 2.0 SSO configuration page showing the first three sections: Provide your organization's details, Configure SAML Identity Provider, and Link your SAML Identity Provider
  5. In the Configuration name field, enter a name for this configuration. This name helps you know which configuration you’re using or editing.

  6. In the Configuration button label field, enter the button label your users will see on your organization’s PaperCut NG or MF login page. Again, if you are using multiple SSO configurations simultaneously, ensure the button label helps users select the right button to log in.

Step 2. Add PaperCut details to your identity provider

  1. In a separate tab, log in to your identity provider admin interface. You’ll likely need to have admin permissions in your identity service to set this up.
  2. Register a SAML connection/application with your IdP.
    During the SAML registration, you will be asked for the following details from PaperCut MF or NG. You can find these details on the Configure SAML Identity Provider section:
    • Service Provider Entity ID (sometimes called the “identifier”): a unique name for the service provider application, which the IdP uses for identification in the SSO process.
    • Reply/ACS URL: the URL where the IdP sends authentication tokens for PaperCut MF or NG to validate.
  3. Save the details.
  1. In the app you just registered with your IdP, find the following information and add it to the SAML 2.0 SSO configuration page, Link your SAML Identity Provider section in PaperCut MF or NG:

    • Entity ID: the unique identifier for the identity platform for you to register in PaperCut MF or NG.
    • SSO URL: the URL where PaperCut Hive or Pocket needs to submit authentication requests to your IdP for processing.
  2. Copy the IdP’s BASE64 x509 certificate value. An IdP can provide the certificate in one of two formats:

    • As a file: open the file in a text editor and copy the certificate details, including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines.
    • As text to copy/paste: copy the text.
  3. Paste the certificate details into the IdP Signing Certificate box.
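
The three values this step asks for (Entity ID, SSO URL, signing certificate) can be cross-checked before pasting. The following is an added example, not PaperCut code: it assumes your IdP also publishes standard SAML 2.0 metadata XML, and `idp_values`, the `idp.example.com` URLs and the placeholder certificate bytes are constructed for illustration.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed placeholder shaped like a DER SEQUENCE; not a real certificate.
FAKE_DER = b"\x30\x82\x01\x00" + bytes(range(256))
# Constructed sample metadata; idp.example.com is a placeholder host.
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://idp.example.com/saml/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{base64.b64encode(FAKE_DER).decode()}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="{REDIRECT}"
        Location="https://idp.example.com/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def idp_values(metadata_xml: str) -> dict:
    """Extract Entity ID, SSO URL(s) and the signing certificate as PEM."""
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")
    sso = [(s.get("Binding"), s.get("Location") or "")
           for s in idp.findall("md:SingleSignOnService", NS)]
    if not sso or not all(loc.startswith("https://") for _, loc in sso):
        raise ValueError("SSO URL missing or not HTTPS")
    certs = [c.text or "" for k in idp.findall("md:KeyDescriptor", NS)
             if k.get("use") in (None, "signing")
             for c in k.iterfind(".//ds:X509Certificate", NS)]
    if len(certs) != 1:  # e.g. key rollover: choose the active one by hand
        raise ValueError(f"expected 1 signing certificate, found {len(certs)}")
    b64 = "".join(certs[0].split())
    der = base64.b64decode(b64, validate=True)
    # Certificates of 256-65535 bytes start 0x30 0x82 plus a 2-byte length of
    # the remainder; a mismatch means the value was cut short when copied.
    if der[:2] != b"\x30\x82" or int.from_bytes(der[2:4], "big") + 4 != len(der):
        raise ValueError("certificate is truncated or not DER")
    body = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    pem = "\n".join(["-----BEGIN CERTIFICATE-----", *body, "-----END CERTIFICATE-----"])
    return {"entity_id": root.get("entityID"), "sso_urls": sso, "pem": pem,
            "sha256": hashlib.sha256(der).hexdigest()}
```

Compare the returned `sha256` with the certificate fingerprint shown in your IdP's admin console before pasting `pem` into the IdP Signing Certificate box; the BEGIN/END lines it emits use plain ASCII hyphens.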

Step 4. Test the configuration

Test that you can log in with an email address associated with the domain(s) you’re setting up for SSO.

  1. On the PaperCut NG or MF SAML 2.0 SSO configuration page, in the Test configuration section, select Test configuration.
  2. Log in to the IdP using an account with your SSO-related credentials from the domain you configured. A test user is always a good option!
  3. Wait until a test result is displayed.
    • If the Test successful popup is displayed, select Return to SSO Configuration.
    • If the Test failed popup is displayed, make a note of the error information, select Return to SSO Configuration, make the required changes, and test again.
  4. Select Return to SSO configuration to return to the configuration page.

Step 5. Enable the configuration

  1. On the PaperCut NG or MF SAML 2.0 SSO configuration page, in the Enable configuration section:
    • If you’re ready to immediately allow SSO access to PaperCut NG or MF via this configuration, select Yes, enable now.
    • If you’re not ready to start using this configuration, select No, enable later, and save the configuration. You can return to enable it at any time. Before enabling it, test the configuration again.
  2. Select Apply. The Authentication page is displayed.
  3. Check that your SSO configuration is enabled/disabled according to your previous “Enable configuration” selection. If enabled, use a test account to check that SSO is working.
