Choose your language

Choose your login

Support

How can we help?

PaperCut's AI-generated content is continually improving, but it may still contain errors. Please verify as needed.

Lightbulb icon
Lightbulb icon

Here’s your answer

Sources:

* PaperCut is constantly working to improve the accuracy and quality of our AI-generated content. However, there may still be errors or inaccuracies, we appreciate your understanding and encourage verification when needed.

Lightbulb icon

Oops!

We currently don’t have an answer for this and our teams are working on resolving the issue. If you still need help,
User reading a resource

Popular resources

Conversation bubbles

Contact us

Configure Okta Single Sign-on (SSO) via SAML 2.0

This page applies to:

Last updated June 26, 2026

This page describes how to configure Okta SSO (Single Sign-on) using SAML 2.0 for PaperCut NG and PaperCut MF. For more information about SAML 2.0, see User authentication and SSO.

Before you start

Ensure you have administrator access to the Okta admin interface.

Step 1. Provide your organization’s basic configuration details to PaperCut NG or MF

To add and enable an Okta SSO configuration:

  1. Log in to the PaperCut Admin web interface with SSL port (for example, https://your-papercut-server-name:9192).

  2. Select Options > User/Group Sync tab.

  3. Scroll down to the SSO Single Sign on section.

  4. Click Add SAML2 configuration button. The SAML 2.0 SSO configuration page is displayed.

    Screenshot of the SAML 2.0 SSO configuration page showing the first three sections: Provide your organization's details, Configure SAML Identify Provider, and Link your SAML Identity Provider
  5. In the Configuration name field, enter a name for this configuration. This name helps you know which configuration you’re using or editing.

  6. In the Configuration button label field, enter the button label your users will see on your organization’s PaperCut NG or MF login page. If your organization uses multiple SSO configurations simultaneously, ensure the button label helps users choose the correct login option.

Step 2. Configure Okta with PaperCut details

  1. In a separate tab, log in to your Okta admin interface.

  2. Go to Applications > Applications.

    List of configured Applications in the Okta Admin Interface
  3. Select Create App Integration. The Create a new app integration screen is displayed.

  4. Select SAML 2.0. The Create SAML Integration screen is shown.

    Create a new app integration dialog in the Okta Admin Interface with SAML 2.0 selected.
  5. Enter an App name for the integration with PaperCut NG or MF and, optionally, upload an App logo.

    Create SAML Integration dialog in the Okta Admin Interface
  6. Select the Do not display application icon to users checkbox.

  7. Click Next. The SAML Settings screen is displayed.

    SAML Settings dialog in the Okta Admin Interface
  8. Copy the PaperCut Service Provider Entity ID and paste it into Okta.
    For example, https://10.10.17.7:9192/app/fd2ad995-e626-4c14-a1f8-bad8b2547ea2, where 10.10.17.7:9192 is your MF host and port details.

    1. Go to the PaperCut MF SAML 2.0 SSO configuration page > Configure SAML Identity Provider section and copy the Service Provider Entity ID.
    2. Switch to Okta and copy the ID into the the Audience URI (SP Entity ID) box.
  9. Copy the PaperCut Reply/ACS URL and paste it into Okta.
    For example: https://10.10.17.7:9192/api/sso/callback/saml, where 10.10.17.7:9192 is replaced with your MF host and port details.

    1. Go to the PaperCut MF SAML 2.0 SSO configuration page > Configure SAML Identity Provider section and copy the Reply/ACS URL.
    2. Switch to the Okta admin interface and paste this value into the sign-on URL field.
  10. In the Okta configuration, set the Application username to Email.

  11. Click Next. The Feedback screen is displayed.

  12. Select Finish.

This step is for completing the Link your SAML Identity Provider section of the SAML 2.0 SSO configuration page.

Screenshot of the Link your SAML Identity Provider section, showing the Manaually and URL tabs.

There are two ways to do this: automatically, by fetching the IdP details via the URL tab, or manually by entering the IdP details on the Manually tab.

Automatically entering IdP details using the metadata URL

Using this method means the certificate will automatically update whenever it changes in the future.

  1. In Okta, go to Applications > Applications.
  2. Select the app you just created.
  3. Select the Sign On tab.
  4. In the Metadata URL field copy the URL.
    Screenshot of the Okta Applications page showing the Metatdata URL field with the URL blurred.
  5. In PaperCut, in the Link your SAML Identity Provider section, paste the URL into the IdP Metatdata URL field.
    Screenshot of the Link your SAML Identity Provider section, showing the Manually and URL tabs.
  6. Go to Step 4. Assign Authentication App to your end users in Okta.

Manually entering IdP details

  1. In Okta, go to Applications > Applications.

  2. Select the app you just created.

  3. Select the Sign On tab.

  4. Select More details to expand the section.

    Screenshot of the Okta PaperCut app sign on methods screen
  5. Copy the Okta Issuer and paste it into PaperCut:

    1. In Okta, copy the Issuer URL.
    2. Switch to the PaperCut tab and paste the URL into the Entity ID box in the Manually tab.
  6. Copy the Sign on URL and paste it into PaperCut:

    1. In Okta, locate the Sign on URL and click Copy.
    2. Switch to the PaperCut tab and paste the URL into the SSO URL box in the Manually tab.
  7. Copy the certificate and paste it into PaperCut:

    1. Switch back to Okta, locate the Signing Certificate, and click Copy.

    2. Switch to the PaperCut tab and paste the details into the IdP Signing Certificate box in the Manually tab.

Step 4. Assign Authentication App to your end users in Okta

  1. In the Okta admin interface, for your newly created PaperCut NG or MF SAML Application, click the Assignments tab.
  2. Assign the SAML Application to the users and/or groups who you want to sign in to PaperCut NG or MF or Pocket using Okta.

Step 5. Test the configuration

Test that you can log in with an email address associated with the domain(s) you’re setting up for SSO.

  1. On the PaperCut NG or MF SAML 2.0 SSO configuration page, in the Test configuration section, select Test configuration.
  2. Log in to the IdP using an account with your SSO-related credentials from the domain you configured. A test user is always a good option!
  3. Wait until a test result is displayed.
    • If the Test successful popup is displayed, select Return to SSO Configuration.
    • If the Test failed popup is displayed, make a note of the error information, select Return to SSO Configuration, make the required changes, and test again.
  4. Select Return to SSO configuration to return to the configuration page.

Step 6. Enable the configuration

  1. On the PaperCut NG or MF SAML 2.0 SSO configuration page, in the Enable configuration section:
    • If you’re ready to immediately allow SSO access to PaperCut NG or MF via this configuration, select Yes, enable now.
    • If you’re not ready to start using this configuration, select No, enable later, and save the configuration. You can return to enable it at any time. Before enabling it, test the configuration again.
  2. Select Apply. The Authentication page is displayed.
  3. Check that your SSO configuration is enabled/disabled according to your previous “Enable configuration” selection. If enabled, use a test account to check that SSO is working.

Comments