G2 Fall report names PaperCut #1 in Print

Choose your language

Choose your login

Contact us

Help Center menu

PRODUCT MANUALS

PaperCut NG & PaperCut MF Manual

PRODUCTS FEATURED

Synchronize user and group details with Google Cloud Directory

This topic describes how to:

  • set up user/group synchronization and user authentication with Google Cloud Directory

  • set up Google Single sign on for Chromebooks, Admin, and User web interfaces (optional).

  • connect your PaperCut NG/MF Application Server to Google Cloud Directory.

Environments with Google Cloud Directory as a user sync source are cost effective and quick to implement because they use Mobility Print and PaperCut NG/MF for end-to-end print requirements, including authentication, reporting, filters, and restrictions.

All you need to do is make sure users can access your WiFi. There’s no need to set up or manage a domain (for example Active Directory) or deal with the complexities inherent in managing multiple printer drivers (OSs, multiple vendors, multiple models, etc.).

If you don’t want users to access your network, Google Cloud Directory still works with Web print, Email to print and Google Cloud print.

For a run-through showing how to configure PaperCut MF or PaperCut NG to sync and authenticate users with G Suite and Google Cloud Identity, check out the video below:

Examples of Google Cloud Directory environments

A pure Google Cloud Directory environment

Install PaperCut NG/MF in a pure, Google Workspace-only environment.

An existing directory is going to be replaced with Google Workspace

If your current environment uses an on-premises directory, for example Active Directory (AD), and you want to replace it completely with Google Cloud Directory, then you first need to migrate all users from your current directory into Google Workspace. If you prefer, you can do this in stages over a period of time and run a hybrid environment until the full migration is finished. Keep the original directory until you’ve completed and tested the entire new Google Cloud Directory setup.

An existing directory and new Google Cloud Directory are both going to be synced with PaperCut NG/MF

You can sync PaperCut NG/MF with two user directory sources, one being a traditional directory such as Active Directory and one being a new Google Cloud Directory. You can even sync directories from two Google Cloud Directories. You set up one directory as the primary sync source and one as the secondary sync source.

Set up at a glance

The high-level process to set up Google Cloud Directory authentication is as follows:

  1. In Google, Set up your Google Workspace or Google Cloud Identity users.

  2. If not already done, set up your printing solution.

  3. Set up LDAP access and permissions for Google Workspace or Google Cloud Identity.

  4. Set up Google Workspace or Google Cloud Identity sync in PaperCut NG/MF:

    1. Set up the primary sync source.

    2. (Optional) Set up the secondary sync source.

    3. Set up the Sync Options.

    4. Test your new print environment.

  5. (Optional) Set up Google Single sign on

Detailed setup steps

Step 1: Set up your Google Workspace or Google Cloud Identity users

In Google, depending on your planned environment:

Step 2: If not already done, set up your printing solution

If you haven’t already set up a printing solution, select and set up the solution that best suits your environment:

Step 3: Set up LDAP access and permissions for Google Workspace or Google Cloud Identity

  1. Log in to admin.google.com using your Super Admin user login details. The Google Admin console is displayed.

  2. Click the Apps tile. The Apps screen is displayed.

  3. Click the LDAP tile. The LDAP screen is displayed.

  4. Click ADD CLIENT.

  5. Type a name for the LDAP client connection you’ll be configuring to use for PaperCut NG/MF (for example, “PaperCut MF”), and optionally type a description; then click CONTINUE. The Access permissions screen is displayed.

  1. In the Verify user credentials section, select either:

    • Entire domain <domain name>

    • Selected organizational units; then click Add and select the units from the list. (Use this to limit syncing to users in a subset of groups.)

  2. In the Read user information section, select either

    • Entire domain <domain name>

    • Selected organizational units; then either click Copy from Verify user credentials or click Add and select the units from the list. (Use this to limit syncing to users in a subset of groups.)

    • Depending on your organizational policies, tick all boxes for System attributes, Public custom attributes, and Private custom attributes as this will allow PaperCut to sync primary number and secondary number from custom fields of your choice stored under individual users as per your organization’s schema on Google Cloud Directory. More details on this in (Optional) Add card/ID numbers.

  3. In the Read group information section, click the switch to set it to On; then click ADD LDAP CLIENT. Google displays a confirmation message and information about downloading the certificate.

  4. On the same screen, click Download certificate; then save the downloaded certificate (which is a PDF file) in a secure location.

  5. Click CONTINUE TO CLIENT DETAILS. The Settings for <LDAP client name>  screen is displayed.

  1. Click anywhere in the Service Status box. The Service Status screen is displayed.

  2. Select On for everyone. The service status is updated for everyone.

  3. Click SAVE.

Step 4: Set up Google Workspace or Google Cloud Identity sync in PaperCut NG/MF

Set up the primary sync source

  1. Log in to the PaperCut NG/MF Admin interface.

  2. Select Options > User/Group Sync.

  3. In the Sync Source area, in Primary sync source, select Google Cloud Directory.

  4. If you haven’t already downloaded your LDAP certificate, follow the steps in Set up LDAP access and permissions for Google Workspace or Google Cloud Identity.

  5. Type your Google Cloud Directory Domain name, for example, melbourneschoolzones.com.

  6. Click Choose file and select the Google-generated certificate zip file that you downloaded earlier; then click Install Certificate. If installation is successful, the message ‘The certificate has been installed. It will expire on <day month year>.’ is displayed.

  7. Select which users to import.

    • Import all users.

    • Import users from selected groups. This option is useful if the domain contains groups of users, where certain groups contain the users who you want to allow to print:

    1. Click Select Groups.

    2. Select the groups you want to import. You can filter the list to find the groups you’re after.

  8. (Optional) Add card/ID numbers.

    Card and ID numbers are used as an alternative to usernames/passwords for authentication at software Release Stations, or at hardware terminals attached to photocopiers. The card/ID number can also be searched in the user quick-find in the User List page. For more information, see User card and ID numbers.

    In PaperCut NG/MF, you can associate one or two unique card/ID numbers with each user. These are known as the primary and secondary card/ID number. PaperCut NG/MF automatically generate these card/ID numbers for each user.

    To add card/ID numbers:

    1. In Primary number, select Auto-generate random ID. The Length field is displayed.

    2. Type the number of digits you want the card/ID number to be.

    1. If you require a secondary card/ID number for each user, repeat the above two steps for Secondary number.

    OR,

    1. Alternatively, as of PaperCut NG/MF 21.1, you can sync these card or ID numbers stored in Google Cloud Directory’s user details. This is done by choosing Sync from AD/LDAP field option in step 5’s drop down menu.

    1. The system will then allow you to input a field name to sync from. The field name must be identical to the name of the custom field created on Google Cloud Directory’s user schema. This field must be accessible by the certificate you created and installed previously.

  9. Scroll down and click Test Settings. (It is gray but you can still click on it.) PaperCut NG/MF displays progress and the results in the Testing sync settings popup.

  10. Review the results to make sure all the expected users are there, and then click Close.

  11. Click Apply.

  12. If you:

  • have a secondary sync source you need to set up, continue below.

  • do not have a secondary sync source, go to Set up the Sync Options.

(Optional) Set up the secondary sync source

How usernames are handled when syncing from two sources

A secondary sync source allows you to import users and groups from a second independent external directory source into PaperCut NG/MF.

PaperCut NG/MF treats Google Cloud Directory usernames as globally unique—if the same username exists in both the primary and secondary sync sources, it generates only a single user. When PaperCut NG/MF merges the user’s details from both sync sources, it prioritizes the primary sync source details, and then adds any additional details that are in the secondary source.

The priority that PaperCut NG/MF enters details into the Card/Identity Numbers and Other Details fields for the Primary and Secondary fields is:

  • Priority 1—The primary sync source details.

  • Priority 2—The secondary sync source details.

  • Priority 3—The PaperCut NG/MF existing details in the Users > Other Details section.

When you sync, the source details always overwrite what’s already inPaperCut NG/MF. PaperCut NG/MF will retain the details in the fields that are not changed in the sync source. If at a later time you stop using the primary or secondary sync source, or if a Google Workspace or Google Cloud Identity field becomes blank, PaperCut NG/MF will still retain the details in the fields.

Set up the secondary sync source
  1. Set up a second LDAP connection and generate a second certificate for the second sync source. Refer to Set up LDAP access and permissions for Google Workspace or Google Cloud Identity.

  2. On the User/Group Sync page, in the Secondary Sync Source (Advanced) area, select the Enable secondary sync source check box.

  3. If the secondary sync source is a second Google Cloud Directory, go to the next step to complete the secondary sync source details.

    For all other directory sources, refer to:

  4. Type your Google Workspace or Google Cloud Identity Domain name, for example, melbourneschoolzones.com.

  5. Click Choose file and select the LDAP certificate zip file that you downloaded earlier; then click Install certificate.
    If installation is successful, the message ‘The certificate has been installed. It will expire on <day month year>.’ is displayed.

  6. Select which users to import.

    • Import all users.

    • Import users from selected groups. This option is useful if the domain contains groups of users, where certain groups contain the users who you want to allow to print:

    1. Click Select Groups.

    2. Select the groups you want to import. You can filter the list to find the groups you’re after.

  7. (Optional) Add card/ID numbers.

    Card and ID numbers are used as an alternative to usernames/passwords for authentication at software Release Stations, or at hardware terminals attached to photocopiers. The card/ID number can also be searched in the user quick-find in the User List page. See User card and ID numbers for more information.

    In PaperCut NG/MF, you can associate one or two unique card/ID numbers with each user. These are known as the primary and secondary card/ID number. You can automatically generate these card/ID numbers for each user.

    To add card/ID numbers:

    1. In Primary number, select Auto-generate random ID. The Length field is displayed.

    2. Type the number of digits you want the card/ID number to be.

    1. If you require a secondary card/ID number for each user, repeat the previous two steps for Secondary number.

    OR,

    1. Alternatively, as of PaperCut NG/MF 21.1, you can sync these card or ID numbers stored in Google Cloud Directory’s user details. This is done by choosing Sync from AD/LDAP field option in step 5’s drop down menu.

    1. The system will then allow you to input a field name to sync from. The field name must be identical to the name of the custom field created on Google Cloud Directory’s user schema. This field must be accessible by the certificate you created and installed previously.

  8. Scroll down and click Test Settings. PaperCut NG/MF displays the progress of the test and the results in the Testing sync settings popup.

  9. Review the results to make sure all the expected users are there; then click Close.

  10. Click Apply.

Set up the Sync Options

Whereas the sync source(s) you specified above determine where PaperCut NG/MF imports users from, the Sync Options section lets you make choices about what happens during the sync itself.

The options you select in this section:

  • affect only users added via the synchronization source

  • do not delete users in the PaperCut NG/MF database during the overnight automatic synchronizing

  • do not delete users added via Guest and anonymous user management. To delete users that do not exist in the Sync source, you must manually synchronize (click Synchronize Now).


  1. In the Sync Options area, select what’s appropriate for your environment:

    • Update users’ full-name, email, department and office when synchronizing
      If a user’s details in PaperCut NG/MF do not match those in the synchronization source, update the details in PaperCut NG/MF with the details from the sync source.

    • Import new users and update details overnight
      Synchronization automatically occurs overnight at approximately 12:55am. PaperCut NG/MF imports all new and changed user details. No users are deleted during this sync.

  2. Click Test Settings.
    A Testing sync settings popup is displayed, the test runs, and the details of users and user groups that will be modified (updated, added, or deleted) when the actual sync operation runs are displayed. By default a maximum of 100 users are displayed.

    For information about setting config keys, see Using the Advanced Config Editor.

  3. Confirm that the number of users being added and, optionally, being deleted, matches your expectations.

  4. Click Apply.

  5. Click Synchronise Now. PaperCut NG/MF syncs with Google Cloud Directory. You can view the users in the User List.

  6. After the sync, in Users > User List, select a username. The Details screen is displayed.

  7. In the Other Details section, check and confirm the Card/Identity Numbers fields show the correct details.

Test your new print environment

Test the end-to-end printing experience on all interfaces to make sure it matches what you intended.

If you are not going to set up Google Single sign on, then that’s it!

Step 5: (Optional) Set up Google Single sign on

(Optional) Manage Google Single sign on for Chromebooks

By default there will be a Sign in with Google button on Chromebooks so users do not have to re-enter their credentials to log in to PaperCut NG/MF.

If in your environment there are user accounts that do not have Gmail email addresses or Gmail accounts, you might want to consider turning off Single sign on. If you don’t, these users might click the Sign in with Google button and not be logged in because their account won’t be registered in PaperCut NG/MF.

To turn off Single sign on for Chromebooks:

  1. Select Options > Mobile/BYOD.

  2. In the Mobility print section, set up Mobility Print.

  3. Click Apply.

(Optional) Set up Google Single sign on for Admin and User web interfaces

Google Workspace users can always log in to Chromebooks or PaperCut NG/MF Admin or User web interfaces by typing their Google credentials in the Username and Password fields.

However, if you set up Google Single sign on, users who have already logged in to their Chromebook or Google account in a browser will not need to re-enter their credentials to log in toPaperCut NG/MF. The Username and Password fields will still show on the login screen, but there will also be a Sign in with Google button for users to click instead.

Create the client secret JSON file in Google Workspace
  1. Ensure your PaperCut NG/MF system environment is ready before you start to set up users to login to PaperCut NG/MF using their Google credentials.

    1. Ensure your organization owns a top-level, public fully qualified domain name (FQDN), for example:

      • schoolname.region.edu

      • campusname.school.region.edu

    2. We highly recommend you use a secure browser connection, so ensure that:

      • user and admin access to the system is restricted to be only via SSL

      • HSTS is turned on.

      Refer to Forcing use of HTTPS/SSL only.

  2. Log in to the Google Workspace Developer’s API console. The Google APIs Dashboard screen is displayed.

  3. In the title bar, next to the Google APIs heading, click the dropdown list showing a project name. The Select from popup is displayed.

  4. Do one of the following:

    • If a project is already set up for synchronization withPaperCut NG/MF, click the project’s name. The API Dashboard is displayed with the project name in the title bar. Go to the next step.**

    • If a project is not set up yet, create a new project:

    1. At the top right of the popup, click NEW PROJECT. The New Project screen is displayed.

    2. In the Project name field, type a name that identifies the project you’ll use for PaperCut NG/MF, for example, PaperCut NG/MF Authorise.

    3. Click Create. The Credentials screen is displayed.

    4. In the title bar, next to the Google APIs heading, click the project name drop-down. The Select from popup is displayed.

    5. Click the new project’s name. The Google APIs main screen is displayed with the project name in the title bar, and the APIs Credentials popup is displayed.

  5. Select the OAuth consent screen tab. The OAuth consent screen is displayed.

  6. Type the details you want users to see when users log in to PaperCut NG/MF Admin or the User Web interface.

  7. Click Save. The Credentials screen is displayed.

  8. Click Create credentials; then select OAuth client ID.

    The Create OAuth client ID screen is displayed.

  9. Select Web application. Additional fields are displayed.

  10. In the Name field, type the name for your OAuth Client ID.

  1. In the Authorised redirect URIs field, type the full URI of your PaperCut NG/MF Application Server, for example:

     https://papercut.schoolname.region.edu:9192/api/oauth2callback 
    
  1. Click Create. The OAuth client popup displays your client ID and client secret. You will use these credentials when you set up the sync source in PaperCut NG/MF.

  1. Click OK. The Credentials screen is displayed. No need to save the credentials from here because you’ll download them in a few steps.

  1. Click to download the credentials as a JSON file.
  1. Close the browser window.
Set up Google Single sign on (Sign in with Google) in PaperCut NG/MF

This part of the interface is for setting up Sign in with Google on the PaperCut NG/MF Admin web interface and User Web interface. You set up Single sign on for Mobility Print via the link at the bottom of this section.

  1. Sign in to PaperCut NG/MF.

    For example: https://papercut.schoolname.region.edu:9192/admin

  2. In the Admin web interface, select Options > User/Group Sync; then scroll to the Single Sign on with Google section.

  3. Select the Enable the “Sign in with Google” button on the Admin and User web interfaces checkbox.

  1. Click Choose file and select the JSON file you downloaded.

  2. Click Upload client secret. The file is uploaded.

  3. Test with real users to confirm the Sign in with Google button is visible on the PaperCut NG/MF login screen and works as expected.

  4. If your environment uses Mobility Print, click Set up ‘Sign in with Google’ for Mobility Print and follow the instructions in Mobility Print.

Comments