This page describes Unified Authentication, how it works, and how it behaves in standard local logins and external IdP logins.
While external protocols like SAML 2.0 and OAuth manage user authentication between your network and the Identity Provider (IdP), Unified Authentication specifically manages the session within the PaperCut environment.
Unified Authentication and Single Sign-on (SSO) are independent but related features that are configured separately, but deliver the highest value when used together.
For more information about SSO and SAML 2.0, take a look at Single Sign-on for PaperCut MF and NG.
What is Unified Authentication?
Introduced in PaperCut NG/MF v26.0.2, Unified Authentication provides a centralized authentication framework across PaperCut NG/MF. It delivers a true “log in once” experience for users, rather than requiring them to authenticate separately each time they access a different PaperCut interface.
After a user authenticates, Unified Authentication securely maintains their active session whenever they use any PaperCut component they are allowed to access.
When enabled, Unified Authentication covers the following PaperCut web interfaces and computer clients:
- Web Interfaces: Admin, User Portal, Web Cashier, Central Reports, and Mobile Release.
- Clients: PaperCut Print Deploy and the PaperCut User Client.
How Unified Authentication fits into your environment
Unified Authentication is designed to streamline every user’s login experience, regardless of their current authentication setup:
- For internal/local directories: It manages the session, so users with local accounts only need to enter their credentials once to access all authorized PaperCut components.
- For external Identity Providers (IdPs): It seamlessly complements your Single Sign-on (SSO) configuration. PaperCut NG or MF delegates the initial login to your external IdP, and then Unified Authentication takes over to maintain that authenticated session for all other authorized PaperCut components.
How does Unified Authentication work?
Instead of validating user credentials locally at every individual component, PaperCut NG/MF routes all login requests through a centralized internal mechanism.
Here is how the process works:
- Credentials are verified: The internal PaperCut Authentication Hub acts as the single source of truth. It either validates the credentials locally or hands the request off to an external IdP (such as Okta or Microsoft Entra ID).
- The token is issued: After the user’s identity is verified, the Hub issues a secure JSON Web Token (JWT). This token authorizes the user across any other PaperCut components they have access to.
- Internal SSO takes over: As users switch between different PaperCut interfaces, the system automatically checks and validates the active JWT, eliminating repeated login prompts.
Supported authentication scenarios
Whether you use cloud identity providers or local directories, the authentication experience remains streamlined:
Scenario | Authentication behavior | User experience (UX) |
|---|---|---|
Standard local logins | The Hub acts as the single source of truth, validating credentials locally against your directory. | The user logs in once (for example, to the Admin web interface). If they later open Web Cashier or Central Reports, the system automatically recognizes their session token and passes the user through. |
External IdP logins | The Hub delegates the login request to your configured external provider (for example, Okta, Entra ID). | The user completes their standard organization login (including MFA). After the provider successfully authenticates the user, the Hub issues the JWT to authorize access across PaperCut. |
Is Unified Authentication enabled by default?
The default unified authentication setting is located under Options > User/Group Sync > Unified Authentication and behaves differently depending on whether your environment is a fresh installation or an upgrade.
For details, see the default unified authentication setting table.
Comments