Skip to content

Choose your language

  • No results

Choose your login

  • No results
Support

How can we help?

PaperCut's AI-generated content is continually improving, but it may still contain errors. Please verify as needed.

Lightbulb icon
Lightbulb icon

Here’s your answer

Sources:

* PaperCut is constantly working to improve the accuracy and quality of our AI-generated content. However, there may still be errors or inaccuracies, we appreciate your understanding and encourage verification when needed.

Lightbulb icon

Oops!

We currently don’t have an answer for this and our teams are working on resolving the issue. If you still need help,
User reading a resource

Popular resources

Help center

FAQs
Conversation bubbles

Contact us

Configure Microsoft Entra ID Single Sign-on (SSO) via SAML 2.0

This page applies to:

PaperCut NG PaperCut MF PaperCut Pocket PaperCut Hive

Last updated June 26, 2026

This page describes how to configure Google Workspace Single Sign-on (SSO) via SAML 2.0 for PaperCut MF and PaperCut NG. For more information about SAML 2.0, see User authentication and SSO.

Before you start

Ensure you have Cloud Application Administrator-level access or higher to Microsoft Entra ID.

Step 1. Provide your organization’s basic configuration details to PaperCut MF or NG

To add and enable a Microsoft Entra ID SSO configuration:

  1. Log in to the PaperCut Admin web interface with SSL port (for example, https://your-papercut-server-name:9192).

  2. Select Options > User/Group Sync tab.

  3. Scroll down to the SSO Single Sign on section.

  4. Click Add SAML2 configuration. The SAML 2.0 SSO configuration page is displayed.

    Screenshot of the SAML 2.0 SSO configuration page showing the first three sections: Provide your organization's details, Configure SAML Identify Provider, and Link your SAML Identity Provider

  5. In the Configuration name field, enter a name for this configuration. This name helps you know which configuration you’re using or editing.

  6. In the Configuration button label field, enter the button label your users will see on your organization’s PaperCut NG or MF login page. Again, if you are using multiple SSO configurations simultaneously, ensure the button label helps users select the right button to log in.

Step 2. Configure Microsoft Entra ID with PaperCut details

  1. In a separate tab, log in to your Microsoft Entra Admin Center.
    You must have Cloud Application Administrator level access or higher.

  2. Select Enterprise apps. The Enterprise applications page is displayed.

  3. In the left menu, select All applications.

    Screenshot of Enterprise ID, All applications area.

  4. Select the New application tab. The Browse Microsoft Entra Gallery page is displayed.

    Screenshot of the Browse Microsoft Entra App Gallery page

  5. Select the Create your own application tab. The Create your own application drawer is displayed.

    1. Enter a name for your application. For this procedure, we’re using Example Application Name.

    2. Make sure the option Integrate any other application you don’t find in the gallery (Non-gallery) is selected.

    3. Select Create. The Overview page for your new app is displayed.

      Microsoft Entra ID, Example Application Name, Overview page showing 3 properties: name, application ID, and object ID. Also shows the Getting Started section.

  6. In the left menu, select Manage > Single sign-on, then select the SAML box.

    Microsoft Entra, Single sign-on page page showing 4 sign-on methods: disables, SAML, Passowrd-based, and Linked

    The SAML-based Sign-on configuration page is displayed.

    Microsoft Entra ID, SAML-based Sign-on page showing setup steps

  7. In the step 1 area, click Edit. The Basic SAML Configuration panel is displayed.

    Screenshot of the Entra ID Basic SAML Configuration panel showing the Identifier (Entity ID) field and Reply URL (Assertion Consumer Service URL) fields

  8. Copy the PaperCut Service Provider Entity ID and paste it into Entra ID:
    For example, https://10.10.17.7:9192/app/fd2ad995-e626-4c14-a1f8-bad8b2547ea2, where 10.10.17.7:9192 is your MF host and port details.

    1. In the Identifier (Entity ID) area, click Add identifier.

      Microsft Entra ID, Basic SAML Configuration page showing the Add identifier field

    2. Go to the PaperCut MF SAML 2.0 SSO configuration page > Configure SAML Identity Provider section and copy the Service Provider Entity ID.

    3. Switch to Entra ID and paste the ID into the Identifier (Entity ID) box.

  9. Copy the PaperCut Reply/ACS URL and paste it into Entra ID:

    1. In the Reply URL section, click Add reply URL.

      Microsoft Entra ID, Basic SAML Configuration page showing the Reply URL field

    2. Go to the PaperCut MF SAML 2.0 SSO configuration page > Configure SAML Identity Provider section and copy the Reply/ACS URL.

    3. Switch to Entra ID and paste the ID into the Reply URL (Assertion Consumer Service URL) box.

  10. Select Save, then close the drawer.

  11. In the left menu, select Users and groups.

    Microsoft Entra ID, Users and groups page

  12. Select the Add user/group tab. The Add Assignment page is displayed.

    Microsoft Entra ID, Add Assignment page showing the heading Users and groups and the link None Selected underneath

  13. Select None Selected. The Users and Groups drawer is displayed.

    Microsoft Entra ID, Users and Groups drawer showing a list of all users and groups

  14. Select at least one test user to add to your SAML application, then click Select. The Add Assignment page is displayed showing the users and groups you’ve selected.

  15. Click Assign. The SAML App | Users and groups page is displayed. Microsoft Entra ID now has all the PaperCut details it needs.

There are two ways to do this: automatically, by fetching the IdP details via the URL tab, or manually by entering the IdP details on the Manually tab.

Automatically entering IdP details using the metadata URL

  1. In In the Microsoft Entra ID, in the left menu, select Single sign-on > SAML. The SAML-based Sign-on page is displayed.
  2. In the SAML Certificates section, copy the App Federation Metadata URL.
  3. In PaperCut, in the Link your SAML Identity Provider section, paste the URL into the IdP Metatdata URL field.
    Screenshot of the Link your SAML Identity Provider section, showing the Manually and URL tabs.
  4. Go to Step 4. Test the configuration.

Manually entering IdP details

  1. In the Microsoft Entra ID, in the left menu, select Single sign-on > SAML. The SAML-based Sign-on page is displayed.
  2. Copy the Login URL and paste it into PaperCut:

    1. Scroll down to the 4 Set up SSO Application area, and copy the Login URL.

      Microsoft Entra ID, SAML-based Sign-on page, step 4, Set up, showing the Login URL, Microsoft Entra Identifier, and Logout URL fields

    2. Switch to the PaperCut tab and paste the URL into the SSO URL box.

  3. Copy the Microsoft Entra Identifier and paste it into PaperCut:
    1. Switch to Entra ID and copy the Microsoft Entra Identifier.
    2. Switch to the PaperCut tab and paste the URL into the Entity ID box.
  4. Copy the certificate and paste it into PaperCut:

    1. Switch to the Set up Single Sign-On with SAML page, in the 3 SAML Certificates area, select Download - Certificate (Base 64).

    2. Locate the downloaded file and open it in a text editor.

    3. Copy the certificate details, including the —–BEGIN CERTIFICATE—– and —–END CERTIFICATE—–.

    4. Switch back to PaperCut and paste the details into the IdP Signing Certificate box.

Step 4. Test the configuration

Test that you can log in with an email address associated with the domain(s) you’re setting up for SSO.

  1. On the PaperCut NG or MF SAML 2.0 SSO configuration page, in the Test configuration section, select Test configuration.
  2. Log in to the IdP using an account with your SSO-related credentials from the domain you configured. A test user is always a good option!
  3. Wait until a test result is displayed.
    • If the Test successful popup is displayed, select Return to SSO Configuration.
    • If the Test failed popup is displayed, make a note of the error information, select Return to SSO Configuration, make the required changes, and test again.
  4. Select Return to SSO configuration to return to the configuration page.

Step 5. Enable the configuration

  1. On the PaperCut NG or MF SAML 2.0 SSO configuration page, in the Enable configuration section:
    • If you’re ready to immediately allow SSO access to PaperCut NG or MF via this configuration, select Yes, enable now.
    • If you’re not ready to start using this configuration, select No, enable later, and save the configuration. You can return to enable it at any time. Before enabling it, test the configuration again.
  2. Select Apply. The Authentication page is displayed.
  3. Check that your SSO configuration is enabled/disabled according to your previous “Enable configuration” selection. If enabled, use a test account to check that SSO is working.

Comments