This page describes user authentication and Single Sign-on, including SAML 2.0 SSO. It also describes how different PaperCut NG and MF interfaces and products (for example, the Admin web interface and Print Deploy) support them.
What is user authentication?
User authentication in a PaperCut NG/MF printing environment is the act of confirming the digital identity of the person who issued a print job. Knowing the user’s identity allows PaperCut NG/MF to:
- allocate the cost of a job to their account
- offer access to shared accounts
- track and report on print usage per user.
Single Sign-on (SSO) overview
Single Sign-on (SSO) lets users and administrators access PaperCut NG/MF without needing to re-enter their username and password each time. Depending on your setup, users can sign in through trusted identity providers like Microsoft Entra ID or Google Workspace, or via your organization’s existing web-based identity management platform.
As of PaperCut NG/MF v26.0.2, SSO includes a new centralized framework that provides a Unified Authentication session across all interfaces a user may access. This means users can log in once and do not have to re username and password details multiple times. In addition, this modernization adds standard SAML 2.0 support to delegate authentication to SAML-compliant cloud Identity Providers (IdPs).
Single Sign-on (SSO) authentication methods
PaperCut MF and NG offer a tiered approach to streamlining user access, evolving from quick-to-implement convenience buttons to fully integrated, enterprise-grade identity federation.
OAuth SSO Methods (Sign-on with Google/Microsoft)
PaperCut MF supports OAuth 2.0 convenience SSO methods. Administrators can easily enable dedicated Sign in with Google or Sign in with Microsoft buttons directly on login interfaces to streamline access and minimize password prompts.
These one-click buttons use cloud-based directories to provide a familiar, consumer-style login experience for end-users:
- Sign in with Google: utilizes Google Workspace accounts for streamlined web and client authentication.
- Sign in with Microsoft: utilizes Microsoft Entra ID accounts for streamlined web and client authentication.
SAML 2.0 Single Sign-on
Security Assertion Markup Language (SAML) 2.0 allows you to configure a secure, standards-based connection for authentication with Identity Providers (IdPs) such as Okta, Google Workspace, Microsoft Entra ID, Ping Identity, and JumpCloud.
This enables a consistent, unified authentication flow across the PaperCut environment, allowing organizations to enforce existing security policies — including Multi-Factor Authentication (MFA) — at every login point.
PaperCut has separate procedures to:
- Configure Okta Single Sign-on (SSO) vial SAML 2.0
- Configure Google Workspace Single Sign-on (SSO) via SAML 2.0
- Configure Microsoft Entra ID Single Sign-on (SSO) via SAML 2.0
Generic SAML 2.0 connector
In addition to dedicated setup guides, PaperCut MF includes a generic SAML 2.0 connector. Because PaperCut’s SAML implementation is universal, the configuration fields are dynamic and compatible with SAML 2.0-compliant IdPs.
This flexibility allows you to connect almost any popular cloud or on-premises Identity Provider, including:
- Duo
- OneLogin
- Ping Identity (for example, PingFederate, PingOne)
- JumpCloud.
See Configure generic Single Sign-on (SSO) via SAML 2.0.
Supporting multiple concurrent Identity Providers (IdPs)
PaperCut MF and NG allow environments to run up to 3 concurrent Single Sign-on (SSO) configurations. This allows organizations to offer users a choice of authentication methods directly from the login page.
Supported SSO configurations
Administrators can mix and match the following authentication types:
- Microsoft OAuth SSO: Can be enabled to provide a Sign in with Microsoft button.
- Google OAuth SSO: Can be enabled to provide a Sign in with Google button.
- SAML 2.0 SSO (new from PaperCut NG/MF 26.0.2 onwards): Introduces modern authentication support for industry-standard identity providers (such as Okta or Ping Identity).
Best practice: Why SSO requires Unified Authentication
When deploying an SSO configuration, it is highly recommended to enable Unified Authentication concurrently.
While SSO successfully federates your login with your Identity Provider (IdP), it only handles the initial handshake. Without Unified Authentication enabled, users may still face jarring login prompts when crossing boundaries between different PaperCut MF components, for example, the User web interface, Central Reports, User Release or Mobile Print Release.
Enabling both features in tandem ensures a truly seamless deployment: SSO securely authenticates the user at the front gate, while Unified Authentication maintains that trusted session globally across the entire PaperCut ecosystem.
SSO and Unified Authentication comparison table
Feature | Unified Authentication | External SSO (IdP) |
|---|---|---|
Scope | Internal: Manages sessions strictly inside the PaperCut ecosystem. | External: Connects PaperCut to your corporate network login. |
Login source | Works with both local directory accounts and external IdPs. | Requires a cloud IdP (like Okta, Microsoft Entra ID, or Google Workspace). |
Protocol | Issues JWTs to keep users logged in across PaperCut apps. | Uses SAML 2.0 or OAuth 2.0 to verify the user's corporate identity. |
Admin benefit | Centralizes login logic into a single hub inside PaperCut. | Lets you enforce corporate rules like MFA and conditional access. |
User experience | Users log in once and can jump between PaperCut components without being prompted again. | Users log in using their standard corporate credentials. |
Staging and pre-configuring SAML 2.0 SSO
Unlike the native Google and Microsoft OAuth toggles (which are simply enabled or disabled), the SAML 2.0 framework allows for full configuration staging. Administrators can input metadata, configure endpoints, and save a complete SAML integration in an inactive/disabled state.
This allows you to thoroughly prepare, test, and validate your enterprise identity connection well ahead of your actual launch date.
Staging a SAML configuration is highly beneficial in various scenarios, such as those described below.
Risk-free proof of concepts (PoC)
Validate the integration fields and test endpoints with your Identity Provider (like Okta or Ping Identity) to ensure the handshake works before impacting production users.
Large-scale identity migrations
Build out your next-generation enterprise identity structure calmly behind the scenes while your legacy authentication methods continue to run.
Targeted cut-over deadlines
Complete the heavy technical lifting during a quiet maintenance window, allowing you to simply flip the active toggle on a high-stakes deadline (for example, the start of a new school semester or financial year).
Coordinated multi-auth rollouts
Stage your new SAML provider configuration alongside your existing OAuth methods, so the final deployment to the login screen is seamless.
Legacy browser-based web SSO methods
In addition to modern identity federation, PaperCut MF supports legacy browser-based Single Sign-on methods designed specifically for web interfaces. For more information, see Configure Web SSO (legacy).
Integrated Windows Authentication (IWA)
An on-premises, browser-negotiated protocol that automatically signs users into PaperCut web interfaces using their active Windows domain credentials.
WebAuth (End-of-Life notice)
A web authentication system originally developed by Stanford University and implemented via an Apache module.
PaperCut NG/MF feature and authentication method compatibility with SSO
This matrix outlines which user interfaces and native endpoint clients support PaperCut NG/MF’s various authentication and Single Sign-on methods.
Feature / Authentication method | User Web Login | Admin Web Login | Print Deploy Client | Mobility Print Client | PaperCut User Client (Desktop) |
|---|---|---|---|---|---|
Sign in with Google (OAuth) | Yes | Yes | Yes | Yes | No |
Sign in with Microsoft (OAuth) | Yes | Yes | Yes | No | No |
SAML 2.0 SSO | Yes | Yes | Yes | No | Yes |
Legacy Web SSO (Deprecated WebAuth) | Yes | Yes | No | No | No |
How different PaperCut NG/MF features and products support SSO
User and Admin web log in
To streamline access to the User Portal and Admin web interfaces, you can choose between native convenience toggles, enterprise identity federation, or legacy tools.
Administrators can enable simple OAuth 2.0 toggles to place one-click Sign in with Microsoft or Sign in with Google buttons directly on web login screens.
For strict enterprise compliance, the SAML 2.0 framework delegates web logins to external IdPs like Okta, Microsoft Entra ID, or Ping Identity, allowing you to enforce corporate Multi-Factor Authentication (MFA).
After a user is authenticated, Unified Authentication manages the session behind the scenes. Acting as an internal hub, it issues secure JSON Web Tokens (JWT) so users can move freely between the User Portal, Central Reports, or Web Cashier without encountering repeated login prompts.
For older environments, PaperCut still supports Integrated Windows Authentication (IWA) to automatically log users in using Windows domain credentials. Note that legacy WebAuth Apache modules are officially End-of-Life (EOL) and no longer supported.
Print Deploy Client
The PaperCut Print Deploy client supports a few distinct methods for onboarding users and authenticating endpoint machines.
Many environments utilize Trust Authentication, a zero-interaction background sign-in based on the user's active Windows or macOS login session. Alternatively, the client supports one-click Sign in with Microsoft and Sign in with Google buttons, or can route logins through an external IdP if the server is running the SAML 2.0 framework.
If Unified Authentication is enabled on the Application Server, the Print Deploy client will bypass local configurations and route all user logins directly through the global PaperCut MF Authentication Hub.
As soon as Unified Authentication is activated, global Application Server preferences take absolute priority. Any pre-existing, standalone OAuth configurations built directly inside the Print Deploy admin panel will be ignored. Ensure your global server preferences are fully aligned before upgrading.
For general Print Deploy authentication info, see Print Deploy Auth methods.
Mobility Print Client
Authentication behaviors within the Mobility Print client depend entirely on the specific cloud or directory paths your organization chooses to deploy.
If you want to provide an identity provider login experience, native Sign in with Google via OAuth is supported for Mobility Print client logins. However, native Sign in with Microsoft via OAuth is not available.
It is important to note that the SAML 2.0 SSO framework does not yet extend to Mobility Print.
For more details, see Authentication with Mobility Print and NG/MF.
PaperCut User Client (computer/desktop)
The traditional computer PaperCut User Client — used for balance displays, client billing pop-ups, and notifications — relies on local operating system hooks rather than standard web paths.
By default, the client automatically recognizes the active Windows or macOS user, meaning manual login is rarely required. Because of this local architecture, the native desktop client interface does not support standard web-based OAuth SSO buttons (Google or Microsoft).
From PaperCut NG/MF 26.0.2 onwards, enabling Unified Authentication allows the computer User Client to trigger a centralized, web-based login window. This upgrade means desktop client authentication can now be successfully routed out to a cloud-based IdP for the first time. For specialized environments, the client can also accept automated logins from alternative software—see Integrating the PaperCut Client with a Public Kiosk Solution.
For more information about the PaperCut User Client, see PaperCut User Client Authentication and Integrating the PaperCut Client with a Public Kiosk solution.
Embedded devices (MFDs and copiers)
At the physical copier, SSO refers to a user’s ability to authenticate using credentials, a PIN, or a swipe card to gain access to Secure Print Release and copying functions.
Once the PaperCut embedded application verifies the user, it can securely "hand over" control and pass user metadata to authorized third-party applications on the copier panel, such as software for scanning directly to home directories, cloud storage, or automated workflows.
Because this hardware-level authentication depends on the specific copier platform, integration methods and capabilities vary significantly by manufacturer brand and model. For detailed information, see Single Sign On for Embedded Devices.
How to hide the default PaperCut login link when SSO is enabled
You can make PaperCut user login screens cleaner by hiding standard username and password fields in both the PaperCut Admin and User web interfaces. (PaperCut version 25.0.10 onwards.)
This helps your team follow security policies like Multi-Factor Authentication (MFA). It also removes confusion by showing only your authorized login methods.
What changes for your users?
The “Or continue with username and password” link disappears for standard users.
- Users see only your active SSO buttons.
- This ensures everyone uses the most secure login path.
- The login link still appears at the /admin URL for built-in admin access.
How to hide the username and password login fields
- In the PaperCut Admin web interface, select Options.
- Click Config editor (advanced).
- Search for the key auth.web-login.sso-enforced-for-users.
- Change the Value to Y.
- Click Update.
Comments