How to deploy PaperCut Application Server with SAML single sign-on

Main.DeployPaperCutWithSAMLSingleSignOn History

August 07, 2019, at 03:05 AM by Steven Turner - Added the InProcess configuration required for Shibboleth V3 implementations
Added lines 94-103:

NOTE: If you are running Shibboleth V3 then an additional entry need to be put into the code above. V3 requires the command useHeaders="true". Therefore, if you are implementing a Shibboleth V3 configuration, please use the code below instead, which has the useHeaders="true" command added.

  <[=InProcess logger="native.logger">
    <ISAPI normalizeRequest="true" safeHeaderNames="true">
        <Site id="1" name="iis.domain.vm" scheme="https" port="443" useHeaders="true" />
    </ISAPI>
  </InProcess>
=]
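Review bot: `useHeaders="true"` is an attribute on the `<Site>` element, not a "command", and the sentence "an additional entry need to be put" should read "needs to be put"; more importantly the note never says what the attribute does. Suggest adding one sentence: with it set, the SP exports the mapped attributes (including `ppcuser`) to the proxied request as HTTP headers, which is the only way the `HTTP Header Key` lookup configured in PaperCut on line 188 can see the username, so the trust PaperCut places in that header has to stay restricted to the IIS host through the `Allowed WebAuth IP addresses` list. "The code above" also has no referent once this note is read on its own; name the `InProcess` block explicitly.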

November 09, 2018, at 03:44 PM by 24.116.246.88 - added note on Shibboleth version
Changed line 79 from:
Download the latest version of Shibboleth from https://shibboleth.net/downloads/service-provider/latest/ and install it using the default options
to:
Download the latest version of Shibboleth from https://shibboleth.net/downloads/service-provider/latest/ and install it using the default options. (at time of writing, this is valid for Shibboleth version 3.3)
August 29, 2018, at 04:27 PM by Arturo - formatting
Changed lines 188-189 from:
From the dropdown you are going to want @@[=WebAuth=]@@, The @@HTTP Header Key@@ will be @@ppcuser@@ which will contain the username after a successful authentication attempt. The @@[=Allowed WebAuth IP addresses=]@@ list will only need the IIS server's IP in it but to play it safe also add the IPv4 and v6 localhost addresses (127.0.0.1 and 0:0:0:0:0:0:0:1) and the IP for the PaperCut Application Server.
to:
From the dropdown you are going to want @@[=WebAuth=]@@, The @@HTTP Header Key@@ will be @@ppcuser@@ which will contain the username after a successful authentication attempt. The @@[=Allowed WebAuth IP addresses=]@@ list will only need the IIS server's IP in it but to play it safe also add the [=IPv4=] and [=v6=] localhost addresses (127.0.0.1 and 0:0:0:0:0:0:0:1) and the IP for the PaperCut Application Server.
Changed line 210 from:
If you manage to authenticate but PaperCut MF is still showing the login page, enable debug logging in the PaperCut Application Server then try again. Open the server.log under @@[install_path]/server/log@@ and do a search for @@[=“WebSsoAuthenticationFilter”=]@@, this will give you a good understanding of what is going on. If you happen to find the error "Not using SSO because remote IP is not on the whitelist" in the log, but you're scratching your head because you can see where you added the server's IPv4 loopback address to @@[=Allowed WebAuth IP addresses=]@@, then try adding the IPv6 loopback address as well: @@0:0:0:0:0:0:0:1@@.
to:
If you manage to authenticate but PaperCut MF is still showing the login page, enable debug logging in the PaperCut Application Server then try again. Open the server.log under @@[install_path]/server/log@@ and do a search for @@[=“WebSsoAuthenticationFilter”=]@@, this will give you a good understanding of what is going on. If you happen to find the error "Not using SSO because remote IP is not on the whitelist" in the log, but you're scratching your head because you can see where you added the server's [=IPv4=] loopback address to @@[=Allowed WebAuth IP addresses=]@@, then try adding the [=IPv6=] loopback address as well: @@0:0:0:0:0:0:0:1@@.
August 29, 2018, at 04:25 PM by Arturo - added IPv6 loopback info
Changed lines 188-189 from:
From the dropdown you are going to want @@[=WebAuth=]@@, The @@HTTP Header Key@@ will be @@ppcuser@@ which will contain the username after a successful authentication attempt. The @@[=Allowed WebAuth IP addresses=]@@ list will only need the IIS server's IP in it but to play it safe also add in localhost (127.0.0.1) and the IP for the PaperCut Application Server.
to:
From the dropdown you are going to want @@[=WebAuth=]@@, The @@HTTP Header Key@@ will be @@ppcuser@@ which will contain the username after a successful authentication attempt. The @@[=Allowed WebAuth IP addresses=]@@ list will only need the IIS server's IP in it but to play it safe also add the IPv4 and v6 localhost addresses (127.0.0.1 and 0:0:0:0:0:0:0:1) and the IP for the PaperCut Application Server.
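Review bot: "to play it safe" at the end of line 188 reads backwards from a security standpoint: the `Allowed WebAuth IP addresses` list is the only control deciding whose `ppcuser` header PaperCut will believe, so every address added widens that trust rather than reducing risk. Suggest rewording to: the list must contain the IIS reverse proxy's address; add the loopback addresses only when IIS runs on the PaperCut Application Server itself (the request then arrives from `127.0.0.1` or `0:0:0:0:0:0:0:1`), and leave the Application Server's own LAN address out unless something on that host legitimately proxies to PaperCut. It is also worth a sentence saying that any host on the list can log in as any user simply by sending the header, so those hosts need the same protection as the Application Server.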
Changed line 210 from:
If you manage to authenticate but PaperCut MF is still showing the login page, enable debug logging in the PaperCut Application Server then try again. Open the server.log under @@[install_path]/server/log@@ and do a search for @@[=“WebSsoAuthenticationFilter”=]@@, this will give you a good understanding of what is going on.
to:
If you manage to authenticate but PaperCut MF is still showing the login page, enable debug logging in the PaperCut Application Server then try again. Open the server.log under @@[install_path]/server/log@@ and do a search for @@[=“WebSsoAuthenticationFilter”=]@@, this will give you a good understanding of what is going on. If you happen to find the error "Not using SSO because remote IP is not on the whitelist" in the log, but you're scratching your head because you can see where you added the server's IPv4 loopback address to @@[=Allowed WebAuth IP addresses=]@@, then try adding the IPv6 loopback address as well: @@0:0:0:0:0:0:0:1@@.
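Review bot: the added troubleshooting sentence on line 210 tells the reader to add the IPv6 loopback whenever "Not using SSO because remote IP is not on the whitelist" appears, but that log line names the address that was rejected; suggest telling the reader to take the address out of the log entry and add exactly that one (it will be `0:0:0:0:0:0:0:1` only when IIS is co-located and connects over IPv6) rather than adding both loopbacks regardless, which grants header trust to every process on the host.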
June 28, 2018, at 09:28 PM by Aaron Pouliot - Added Category SSO
Changed line 218 from:
''Categories:''
to:
''Categories:'' [[Category.SSO|+]]
October 24, 2017, at 01:31 AM by Willem Groenewald -
Changed line 218 from:
''Categories:'' [[Category.SAML|+]], [[Category.Single sign-on|+]]
to:
''Categories:''
Changed line 220 from:
[-Keywords: saml single sign-on-]
to:
[-Keywords: [=saml single sign-on=]-]
October 24, 2017, at 01:29 AM by Willem Groenewald -
Changed line 210 from:
If you manage to authenticate but PaperCut MF is still showing the login page enable debug logging in the app server then try again and open the server.log under @@[install_path]/server/log@@ and do a search for @@[=“WebSsoAuthenticationFilter”=]@@, this will give you a good understanding of what is going on.
to:
If you manage to authenticate but PaperCut MF is still showing the login page, enable debug logging in the PaperCut Application Server then try again. Open the server.log under @@[install_path]/server/log@@ and do a search for @@[=“WebSsoAuthenticationFilter”=]@@, this will give you a good understanding of what is going on.
October 24, 2017, at 01:28 AM by Willem Groenewald -
Changed line 208 from:
You can also find the Shibboleth log files under C:\opt\shibboleth-sp\var\log\shibboleth while working on this I found shibd.log to be the most useful you can do a quick search for “ERROR” or “FATAL” and find out where it went wrong.
to:
You can also find the Shibboleth log files under C:\opt\shibboleth-sp\var\log\shibboleth. While working on this I found shibd.log to be the most useful. You can do a quick search for “ERROR” or “FATAL” and find out where it went wrong.
October 24, 2017, at 01:27 AM by Willem Groenewald -
Changed lines 204-207 from:
*Shibboleth Status: @@https://localhost/Shibboleth.sso/Status@@
*Shibboleth Metadata: @@https://localhost/Shibboleth.sso/Metadata@@
*ADFS Metadata: @@https://[adfs_fqdn]/federationmetadata/2007-06/federationmetadata.xml@@
to:
*Shibboleth Status: @@[=https://localhost/Shibboleth.sso/Status=]@@
*Shibboleth Metadata: @@[=https://localhost/Shibboleth.sso/Metadata=]@@
*ADFS Metadata: @@[=https://[adfs_fqdn]/federationmetadata/2007-06/federationmetadata.xml=]@@
Changed line 210 from:
If you manage to authenticate but PaperCut MF is still showing the login page enable debug logging in the app server then try again and open the server.log under @@[install_path]/server/log@@ and do a search for @@“WebSsoAuthenticationFilter”@@, this will give you a good understanding of what is going on.
to:
If you manage to authenticate but PaperCut MF is still showing the login page enable debug logging in the app server then try again and open the server.log under @@[install_path]/server/log@@ and do a search for @@[=“WebSsoAuthenticationFilter”=]@@, this will give you a good understanding of what is going on.
October 24, 2017, at 01:26 AM by Willem Groenewald -
Changed line 196 from:
Now for the fun bit, Open a browser and go to @@http://[IIS_HOST]/@@ you should see the ADFS login page and you will be able to login by using domain\username and your password which will then take you to the PaperCut MF User page like the gif below.
to:
Now for the fun bit, Open a browser and go to @@[=http://[IIS_HOST]/=]@@ you should see the ADFS login page and you will be able to login by using domain\username and your password which will then take you to the PaperCut MF User page like the gif below.
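Review bot: the test URL on line 196 is plain `http://[IIS_HOST]/`, while the `<Site>` element in the InProcess block declares `scheme="https" port="443"`; the SAML response and the Shibboleth session cookie should travel over TLS, so suggest `https://[IIS_HOST]/` here, or a sentence saying that IIS must redirect HTTP to HTTPS if the plain URL is kept as the entry point.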
October 24, 2017, at 01:25 AM by Willem Groenewald -
Changed lines 188-190 from:
From the dropdown you are going to want @@[=WebAuth=]@@, The @@HTTP Header Key@@ will be @@ppcuser@@ which will contain the username after a successful authentication attempt. The @@Allowed WebAuth IP addresses@@ list will only need the IIS servers IP in it but to play it safe also add in localhost (127.0.0.1) and the IP for the PaperCut Application Server.

Now select the pages you want to use SSO for. If you followed the steps above it will just be for the User login page but you can change it as needed. For the logout URL you can use https://[iis_fqdn_or_ip]/Shibboleth.sso/Logout?return=https://papercut.com with this option when the user logs out they will be redirected to the PaperCut website. You can change the return URL to anything you want.
to:
From the dropdown you are going to want @@[=WebAuth=]@@, The @@HTTP Header Key@@ will be @@ppcuser@@ which will contain the username after a successful authentication attempt. The @@[=Allowed WebAuth IP addresses=]@@ list will only need the IIS server's IP in it but to play it safe also add in localhost (127.0.0.1) and the IP for the PaperCut Application Server.

Now select the pages you want to use SSO for. If you followed the steps above it will just be for the User login page but you can change it as needed. For the logout URL you can use [=https://[iis_fqdn_or_ip]/Shibboleth.sso/Logout?return=https://papercut.com=] with this option when the user logs out they will be redirected to the PaperCut website. You can change the return URL to anything you want.
October 24, 2017, at 01:23 AM by Willem Groenewald -
Changed line 188 from:
From the dropdown you are going to want @@[=WebAuth=]@@, The HTTP Header Key will be ppcuser which will contain the username after a successful authentication attempt. The allowed IP list will only need the IIS servers IP in it but to play it safe also add in localhost (127.0.0.1) and the IP for the PaperCut Application Server.
to:
From the dropdown you are going to want @@[=WebAuth=]@@, The @@HTTP Header Key@@ will be @@ppcuser@@ which will contain the username after a successful authentication attempt. The @@Allowed WebAuth IP addresses@@ list will only need the IIS servers IP in it but to play it safe also add in localhost (127.0.0.1) and the IP for the PaperCut Application Server.
October 24, 2017, at 01:22 AM by Willem Groenewald -
Changed line 188 from:
From the dropdown you are going to want WebAuth, The HTTP Header Key will be ppcuser which will contain the username after a successful authentication attempt. The allowed IP list will only need the IIS servers IP in it but to play it safe also add in localhost (127.0.0.1) and the IP for the PaperCut Application Server.
to:
From the dropdown you are going to want @@[=WebAuth=]@@, The HTTP Header Key will be ppcuser which will contain the username after a successful authentication attempt. The allowed IP list will only need the IIS servers IP in it but to play it safe also add in localhost (127.0.0.1) and the IP for the PaperCut Application Server.
October 24, 2017, at 01:20 AM by Willem Groenewald -
Changed line 176 from:
Now for the action set the type to @@Rewrite@@ and for the @@Rewrite URL@@ use http://[papercut_ip_or_fqdn]:9191/{R:1} and check @@Append Query String@@. With a bit more work you can configure this internal route to use HTTPS if needed.
to:
Now for the action set the type to @@Rewrite@@ and for the @@Rewrite URL@@ use [=http://[papercut_ip_or_fqdn]:9191/{R:1} =]and check @@Append Query String@@. With a bit more work you can configure this internal route to use HTTPS if needed.
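Review bot: the `[=...=]` escape on line 176 swallows the space that should follow `{R:1}` (`{R:1} =]and check`), so the rendered text runs the URL into "and"; move the space outside the escape. On substance, this rewrite forwards the request, with the `ppcuser` identity header attached, to PaperCut over plain HTTP on 9191; the closing sentence only hints at HTTPS, and it would be worth making HTTPS (PaperCut's 9192 port) the recommended target whenever IIS and the Application Server are on different hosts, since anything on the network path between them can read or alter that header.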
October 24, 2017, at 01:19 AM by Willem Groenewald -
October 24, 2017, at 01:18 AM by Willem Groenewald -
Changed line 159 from:
Click Add Rules on the right and pick Blank Rule from under Inbound rules.
to:
Click @@Add Rules@@ on the right and pick @@Blank Rule@@ from under @@Inbound rules@@.
October 24, 2017, at 01:17 AM by Willem Groenewald -
Changed line 155 from:
Select your site on the left and click on URL Rewrite.
to:
Select your site on the left and click on @@URL Rewrite@@.
October 24, 2017, at 01:17 AM by Willem Groenewald -
Changed line 143 from:
Once installed we will need to enable the Proxy option, Open IIS Manager and select the local server from the tree on the left then find Application Request Routing Cache.
to:
Once installed we will need to enable the Proxy option, Open IIS Manager and select the local server from the tree on the left then find @@Application Request Routing Cache@@.
October 24, 2017, at 01:16 AM by Willem Groenewald -
Changed line 147 from:
Now on the right select Server Proxy Settings
to:
Now on the right select @@Server Proxy Settings@@
October 24, 2017, at 01:15 AM by Willem Groenewald -
Changed lines 129-130 from:
Now we need to tell Shibboleth where it can find the value we want to set to ppcuser, We used the Windows Account Name option in the claims issuance so that is what we will set here.
to:
Now we need to tell Shibboleth where it can find the value we want to set to ppcuser, We used the @@Windows Account Name@@ option in the claims issuance so that is what we will set here.
Changed line 136 from:
@@net stop shibd_default@@
to:
@@net stop shibd_default@@\\
October 24, 2017, at 01:14 AM by Willem Groenewald -
Changed lines 131-132 from:
   <Attribute name="http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname" id="ppcuser"/>
to:
   <[=Attribute name="http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname" id="ppcuser"/>
=]
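Review bot: the `id="ppcuser"` in this attribute-map entry is the name the SP will export as the header, so it must match the `HTTP Header Key` entered in PaperCut on line 188 character for character; suggest saying so here. The Windows Account Name claim also carries the `DOMAIN\user` form (the same form the reader types on the ADFS login page on line 196), so a sentence telling the reader to confirm, via the `WebSsoAuthenticationFilter` debug logging from line 210, that the value received matches the username format PaperCut holds for that user would save a round of troubleshooting.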
October 24, 2017, at 01:14 AM by Willem Groenewald -
Changed line 121 from:
   </SSO>
to:
  </SSO>
Changed lines 126-127 from:
   <MetadataProvider type="XML" url="https://fs.domain.vm/federationmetadata/2007-06/federationmetadata.xml"/>
to:
   <[=MetadataProvider type="XML" url="https://fs.domain.vm/federationmetadata/2007-06/federationmetadata.xml"/>
=]
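Review bot: the `MetadataProvider` on line 126 fetches the AD FS federation metadata over HTTPS with no `MetadataFilter` shown, so the TLS certificate check on that URL is the only thing protecting the IdP trust root; suggest adding a `backingFilePath` so the SP keeps working when AD FS is unreachable, and mentioning the `Signature` and `RequireValidUntil` metadata filters as the way to pin that trust rather than relying on the download alone.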
October 24, 2017, at 01:13 AM by Willem Groenewald -
Changed line 118 from:
   <SSO entityID="http://fs.domain.vm/adfs/services/trust"
to:
   <[=SSO entityID="http://fs.domain.vm/adfs/services/trust"
Changed line 122 from:
to:
=]
October 24, 2017, at 01:12 AM by Willem Groenewald -
Changed lines 107-110 from:
!!!Update ApplicationDefaults
The ApplicationDefaults will set the remote_user variable which will contain the headers we want to set we will want to make sure we include ppcuser here as that is what we will use in the PaperCut MF configuration for Web Auth.

  <ApplicationDefaults entityID="https://iis.domain.vm/shibboleth"
to:
!!!Update [=ApplicationDefaults=]
The [=ApplicationDefaults=] will set the remote_user variable which will contain the headers we want to set we will want to make sure we include ppcuser here as that is what we will use in the PaperCut MF configuration for Web Auth.

  <[=ApplicationDefaults entityID="https://iis.domain.vm/shibboleth"
Changed line 113 from:
to:
=]
October 24, 2017, at 01:11 AM by Willem Groenewald -
Changed lines 95-97 from:
The RequestMapper tells IIS which Paths for a certain host need to use Shibboleth for authentication. We are going to use “user” for ours so any user going to host/user will need to be logged in if not they will be taken to the login page. If you wanted to add /admin to this, you can just copy and paste the user line and replace user with admin.

  <RequestMapper type="Native">
to:
The [=RequestMapper=] tells IIS which Paths for a certain host need to use Shibboleth for authentication. We are going to use “user” for ours so any user going to host/user will need to be logged in if not they will be taken to the login page. If you wanted to add /admin to this, you can just copy and paste the user line and replace user with admin.

  <[=RequestMapper type="Native">
Changed lines 104-105 from:
   </RequestMapper>
to:
  </RequestMapper>
=]
October 24, 2017, at 01:11 AM by Willem Groenewald -
Changed line 92 from:
   </InProcess>
to:
  </InProcess>
October 24, 2017, at 01:10 AM by Willem Groenewald -
Changed lines 92-93 from:
   </InProcess=]>
to:
   </InProcess>
=]
October 24, 2017, at 01:09 AM by Willem Groenewald -
Changed line 92 from:
</InProcess=]>
to:
   </InProcess=]>
October 24, 2017, at 01:09 AM by Willem Groenewald -
Changed lines 89-92 from:
       <ISAPI normalizeRequest="true" safeHeaderNames="true">
          <Site id="1" name="iis.domain.vm" scheme="https" port="443" />
       </ISAPI>
   </InProcess=]>
to:
   <ISAPI normalizeRequest="true" safeHeaderNames="true">
        <Site id="1" name="iis.domain.vm" scheme="https" port="443" />
    </ISAPI>
</InProcess=]>
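Review bot: the `=]` that closes the preformatted escape sits inside the closing tag (`</InProcess=]>`), so the rendered snippet shows a malformed end tag and a reader pasting it into shibboleth2.xml gets invalid XML; put `=]` on its own line after `</InProcess>`, which is what the 01:11 AM revision further down does.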
October 24, 2017, at 01:08 AM by Willem Groenewald -
Changed line 88 from:
   <[=InProcess logger=]="native.logger">
to:
   <[=InProcess logger="native.logger">
Changed line 92 from:
   </InProcess>
to:
   </InProcess=]>
October 24, 2017, at 01:07 AM by Willem Groenewald -
Changed line 88 from:
   <InProcess logger="native.logger">
to:
   <[=InProcess logger=]="native.logger">
October 24, 2017, at 01:04 AM by Willem Groenewald -
Changed line 67 from:
Right click on your @@Party Trust@@ and select @@Edit Claim Issuance Policy@@. For our rule template we are going to use Send LDAP Attributes as Claims
to:
Right click on your @@Party Trust@@ and select @@Edit Claim Issuance Policy@@. For our rule template we are going to use @@Send LDAP Attributes as Claims@@
October 24, 2017, at 01:04 AM by Willem Groenewald -
Changed lines 58-59 from:
Set your access control policy. If you don’t want to lock down what users or groups can authenticate leave the default options set.
to:
Set your access control policy. If you don’t want to lock down which users or groups can authenticate leave the default options set.
Changed line 67 from:
Right click on your Party Trust and select Edit Claim Issuance Policy. For our rule template we are going to use Send LDAP Attributes as Claims
to:
Right click on your @@Party Trust@@ and select @@Edit Claim Issuance Policy@@. For our rule template we are going to use Send LDAP Attributes as Claims
October 24, 2017, at 01:03 AM by Willem Groenewald -
October 24, 2017, at 01:00 AM by Willem Groenewald -
Changed line 35 from:
Attach: SAML_IIS_Compatibility_Options.png
to:
Attach:SAML_IIS_Compatibility_Options.png
October 24, 2017, at 12:57 AM by Willem Groenewald -
Changed line 8 from:
* End users visit the user web interface to submit web print jobs, view statistics and top up their account for example.
to:
* End users visit the [[https://www.papercut.com/tour/user-web-interface/|user web interface]] to submit web print jobs, view statistics and top up their account for example.
October 24, 2017, at 12:55 AM by Willem Groenewald -
Deleted line 1:
Changed lines 3-5 from:
There are a number of places where PaperCut NG and MF authenticate users, which occurs before the document is printed, at the time of printing and after printing.\\
to:
This guide is applicable to both PaperCut NG and MF. For the sake of simplicity, the guide will only refer to PaperCut MF, but the exact same steps can be taken for PaperCut NG. 

There are a number of places where PaperCut MF authenticates
users, which occurs before the document is printed, at the time of printing and after printing.\\
Changed line 7 from:
* Administrate PaperCut software or view reports through the admin web interface
to:
* Administrate PaperCut MF or view reports through the admin web interface
Changed lines 17-18 from:
When authenticating users, PaperCut interfaces directly with directory services like Active Directory or LDAP. Additionally, you can also configure single sign-on on the admin web interface and user web interface, where PaperCut will rely on an external SAML service for authentication.
to:
When authenticating users, PaperCut MF interfaces directly with directory services like Active Directory or LDAP. Additionally, you can also configure single sign-on on the admin web interface and user web interface, where PaperCut MF will rely on an external SAML service for authentication.
Changed lines 27-28 from:
If you have not already done so install IIS onto either the PaperCut Application server or a different server. If you install IIS onto the PaperCut Application server make sure you have not configured PaperCut to use port 80 or 443 and make sure you don’t tell IIS to use any of the standard PaperCut ports (9191, 9192, 9193).
to:
If you have not already done so install IIS onto either the PaperCut Application Server or a different server. If you install IIS onto the PaperCut Application Server make sure you have not configured PaperCut MF to use port 80 or 443 and make sure you don’t tell IIS to use any of the standard PaperCut ports (9191, 9192, 9193).
Changed lines 107-108 from:
The ApplicationDefaults will set the remote_user variable which will contain the headers we want to set we will want to make sure we include ppcuser here as that is what we will use in the PaperCut configuration for Web Auth.
to:
The ApplicationDefaults will set the remote_user variable which will contain the headers we want to set we will want to make sure we include ppcuser here as that is what we will use in the PaperCut MF configuration for Web Auth.
Changed lines 171-172 from:
Our next rule will be to pass anything else off to PaperCut Application server. Create a new blank rule and this time set the pattern to (.*)
to:
Our next rule will be to pass anything else off to PaperCut Application Server. Create a new blank rule and this time set the pattern to (.*)
Changed lines 181-184 from:
!!PaperCut Configuration

Everything should now be good to go so we can get PaperCut configured to use Web Auth for the SSO.
to:
!!PaperCut MF Configuration

Everything should now be good to go so we can get PaperCut MF configured to use Web Auth for the SSO.
Changed lines 187-188 from:
From the dropdown you are going to want WebAuth, The HTTP Header Key will be ppcuser which will contain the username after a successful authentication attempt. The allowed IP list will only need the IIS servers IP in it but to play it safe also add in localhost (127.0.0.1) and the IP for the PaperCut Application server.
to:
From the dropdown you are going to want WebAuth, The HTTP Header Key will be ppcuser which will contain the username after a successful authentication attempt. The allowed IP list will only need the IIS servers IP in it but to play it safe also add in localhost (127.0.0.1) and the IP for the PaperCut Application Server.
Changed lines 195-196 from:
Now for the fun bit, Open a browser and go to @@http://[IIS_HOST]/@@ you should see the ADFS login page and you will be able to login by using domain\username and your password which will then take you to the PaperCut User page like the gif below.
to:
Now for the fun bit, Open a browser and go to @@http://[IIS_HOST]/@@ you should see the ADFS login page and you will be able to login by using domain\username and your password which will then take you to the PaperCut MF User page like the gif below.
Changed lines 209-210 from:
If you manage to authenticate but PaperCut is still showing the login page enable debug logging in the app server then try again and open the server.log under @@[install_path]/server/log@@ and do a search for @@“WebSsoAuthenticationFilter”@@, this will give you a good understanding of what is going on.
to:
If you manage to authenticate but PaperCut MF is still showing the login page enable debug logging in the app server then try again and open the server.log under @@[install_path]/server/log@@ and do a search for @@“WebSsoAuthenticationFilter”@@, this will give you a good understanding of what is going on.
Changed lines 215-216 from:
TODO link your page here: https://www.papercut.com/kb/Main/Miscellaneous
to:
Changed line 217 from:
''Categories:'' [[Category.TODOFirstCategory|+]], [[Category.TODOSecondCategoryIfNeeded|+]]
to:
''Categories:'' [[Category.SAML|+]], [[Category.Single sign-on|+]]
Changed line 219 from:
[-Keywords: TODO keywords here if needed-]
to:
[-Keywords: saml single sign-on-]
October 24, 2017, at 12:46 AM by Willem Groenewald -
Changed lines 168-169 from:
Our next rule will be to pass anything else off to PaperCut. Create a new blank rule and this time set the pattern to (.*)
to:
Attach:SAML_IIS_proxy_edit_inbound_rule.png

Our next rule will be to pass anything else off to PaperCut Application server. Create a new blank rule and this time set the pattern to (.*)

Attach:SAML_IIS_proxy_forward_to_PaperCut.png

Added lines 176-177:
Attach:SAML_IIS_proxy_query.png
Added lines 190-191:
Attach:SAML_PaperCut_config.png
Added line 196:
Attach:SAML.gif
October 24, 2017, at 12:40 AM by Willem Groenewald -
Changed lines 82-83 from:
Open shibboleth2.xml
to:
Open shibboleth2.xml with a text editor.
Added lines 143-144:
Attach:SAML_IIS_proxy_request_routing.png
Changed lines 147-148 from:
Check the Enable Proxy box and click Apply on the right
to:
Attach:SAML_IIS_proxy_server_settings.png

Check the Enable Proxy checkbox and click Apply on the right

Attach:SAML_IIS_proxy_apply.png

Added lines 155-156:
Attach:SAML_IIS_proxy_url_rewrite.png
Added lines 158-159:

Attach:SAML_IIS_proxy_inbound_rules.png
October 24, 2017, at 12:32 AM by Willem Groenewald -
Changed lines 65-66 from:
Edit Claim Issuance Policy
to:
!!!Edit Claim Issuance Policy
Changed lines 68-69 from:

to:
Attach:SAML_ADFS_edit_claim_policy.png
Changed lines 72-73 from:

to:
Attach:SAML_ADFS_claim_rule.png
Deleted lines 74-77:



October 24, 2017, at 12:29 AM by Willem Groenewald -
Changed lines 46-47 from:
Attach:ADFS_Relying_Party Trust.png
to:

Attach:SAML_ADFS_Relying_Party_Trust.png
Added lines 51-52:
Attach:SAML_ADFS_select_data_source.png
Added lines 55-56:
Attach:SAML_ADFS_display_name.png
Changed lines 59-60 from:
to:
Attach:SAML_ADFS_access_control_policy.png
Changed line 63 from:
to:
Attach:SAML_ADFS_add_trust.png
October 24, 2017, at 12:22 AM by Willem Groenewald -
Changed lines 26-29 from:
If you have not already done so install IIS onto either the PaperCut Application server or a different server. If you put IIS onto the PaperCut Application server make sure you have not configured PaperCut to use port 80 or 443 and make sure you don’t tell IIS to use any of the standard PaperCut ports (9191, 9192, 9193).

You will need to make sure that you have ISAPI Extensions and Filters installed to IIS which can both be found under @@Add Server Roles > Web Server (IIS) > Web Server > App Development@@
to:
If you have not already done so install IIS onto either the PaperCut Application server or a different server. If you install IIS onto the PaperCut Application server make sure you have not configured PaperCut to use port 80 or 443 and make sure you don’t tell IIS to use any of the standard PaperCut ports (9191, 9192, 9193).

You will need to make sure that you have @@ISAPI Extensions@@ and @@ISAPI Filters@@ installed on IIS which can both be found under @@Add Server Roles > Web Server (IIS) > Web Server > App Development@@

Attach:SAML_IIS_ISAPI.png

Added lines 34-35:
Attach: SAML_IIS_Compatibility_Options.png
Changed line 44 from:
Add Relying Party Trust
to:
!!!Add Relying Party Trust
Changed line 46 from:
to:
Attach:ADFS_Relying_Party Trust.png
October 23, 2017, at 11:26 PM by Willem Groenewald -
Changed lines 1-2 from:
(:title How to deploy PaperCut Application Server with SAML single sign-on Page Title:)
to:
(:title How to deploy PaperCut Application Server with SAML single sign-on:)
Changed lines 4-5 from:
There are a number of places where PaperCut NG and MF authenticate users, which occurs before the document is printed, at the time of printing and after printing.
Before printing:
to:
There are a number of places where PaperCut NG and MF authenticate users, which occurs before the document is printed, at the time of printing and after printing.\\
 '''
Before printing:'''
Changed line 10 from:
At the time of printing:
to:
'''At the time of printing:'''
Changed line 13 from:
Add accountability to the document forever:
to:
'''Add accountability to the document forever:'''
October 23, 2017, at 11:23 PM by Willem Groenewald -
Deleted lines 70-79:









Changed lines 146-147 from:
The first rule to create is one to ignore any requests that come in to [FQDN]/Shibboleth.sso/ as we don’t want to block any of the Shibboleth functions.  Give your rule a name and set the @@Requested URL@@ to @@Matches the Pattern@@ and set @@Using@@ to @@Regular Expression@@. Set the Pattern to @@Shibboleth.sso/.*@@ and make sure @@Ignore case”@@ is checked. Set the Action type at the bottom to @@None@@ and check @@Stop Processing@@ of subsequent rules.
to:
The first rule to create is one to ignore any requests that come in to [FQDN]/Shibboleth.sso/ as we don’t want to block any of the Shibboleth functions. 
#
Give your rule a name and set the @@Requested URL@@ to @@Matches the Pattern@@ and set @@Using@@ to @@Regular Expression@@.
#
Set the Pattern to @@Shibboleth.sso/.*@@
# Check the
@@Ignore case”@@ checkbox
#
Set the @@Action type@@ at the bottom to @@None@@
# Check @@Stop Processing@@ of subsequent rules.
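Review bot: the numbered-list markup in the "to:" block is broken: several `#` markers sit alone on a line with the item text on the next line, so those items will not render as list entries, and `@@Ignore case”@@` carries a stray closing quotation mark. On the rule itself, the pattern `Shibboleth.sso/.*` is unanchored and the dot is unescaped, so it matches that text anywhere in the path; suggest `^Shibboleth\.sso/` so that only the SP handler path is exempted from the proxy rules that follow.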
Changed lines 155-182 from:


Now for the action set the type to Rewrite and for the Rewrite URL use http://[papercut_ip_or_fqdn]:9191/{R:1} and check Append Query String. With a bit more work you can configure this internal route to use HTTPS if needed.



Now restart IIS by clicking restart on the right or by opening a command prompt window and running iisreset.



















PaperCut Configuration

to:
Now for the action set the type to @@Rewrite@@ and for the @@Rewrite URL@@ use http://[papercut_ip_or_fqdn]:9191/{R:1} and check @@Append Query String@@. With a bit more work you can configure this internal route to use HTTPS if needed.

Now restart IIS by clicking restart on the right or by opening a command prompt window and running @@iisreset@@.

!!PaperCut Configuration

Changed lines 163-166 from:
Login to the PaperCut admin portal and go to Options > Advanced. Look for Web Single Sign-On (SSO) and enable it.

From the dropdown you are going to want WebAuth, The HTTP Header Key will be ppcuser which will contain the username after a successful authentication attempt. The allowed IP list will only need the IIS servers IP in it but to play it safe also add in localhost (127.0.0.1) and the IP for the PaperCut Server.
to:
Login to the PaperCut admin portal and go to @@Options > Advanced@@. Look for Web Single Sign-On (SSO) and enable it.

From the dropdown you are going to want WebAuth, The HTTP Header Key will be ppcuser which will contain the username after a successful authentication attempt. The allowed IP list will only need the IIS servers IP in it but to play it safe also add in localhost (127.0.0.1) and the IP for the PaperCut Application server.
Changed lines 169-199 from:










Testing

Now for the fun bit, Open a browser and go to http://[IIS_HOST]/ you should see the ADFS login page and you will be able to login by using domain\username and your password which will then take you to the PaperCut User page like the gif below.
















Troubleshooting

to:
!!Testing

Now for the fun bit, Open a browser and go to @@http://[IIS_HOST]/@@ you should see the ADFS login page and you will be able to login by using domain\username and your password which will then take you to the PaperCut User page like the gif below.


!!Troubleshooting
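Review bot: the rewritten Testing paragraph still ends with "like the gif below", yet nothing follows it before the !!Troubleshooting heading in this revision, so readers will look for an image that is not there; either restore the attachment reference or drop the phrase. The sentence is also a run-on: a full stop after @@http://[IIS_HOST]/@@ and a comma after "password" would make it readable.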

Changed lines 178-181 from:
Shibboleth Status: https://localhost/Shibboleth.sso/Status
Shibboleth Metadata: https://localhost/Shibboleth.sso/Metadata
ADFS Metadata: https://[adfs_fqdn]/federationmetadata/2007-06/federationmetadata.xml
to:
*Shibboleth Status: @@https://localhost/Shibboleth.sso/Status@@
*
Shibboleth Metadata: @@https://localhost/Shibboleth.sso/Metadata@@
*
ADFS Metadata: @@https://[adfs_fqdn]/federationmetadata/2007-06/federationmetadata.xml@@
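Review bot: on the "to:" side the bullet marker and its text are split across lines for the second and third entries ("*" alone on one line, "Shibboleth Metadata: ..." on the next), which does not match the first entry and will not render as one list item; put each marker and its text on one line, e.g. "*Shibboleth Metadata: @@https://localhost/Shibboleth.sso/Metadata@@".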
Changed lines 184-189 from:
If you manage to authenticate but PaperCut is still showing the login page enable debug logging in the app server then try again and open the server.log under [install_path]/server/log and do a search for “WebSsoAuthenticationFilter” this will give you a good understanding of what is going on.

If you are running PaperCut 17.3.2 or later and run into a CSRF error after authenticating check the KB article here https://www.papercut.com/kb/Main/CSRFValidationError which will tell you how to resolve the issue.

If you have enabled SSO for the Admin and can’t login add /nosso to the end of the URL and it will skip the SSO option so that you can login and check your settings.
to:
If you manage to authenticate but PaperCut is still showing the login page enable debug logging in the app server then try again and open the server.log under @@[install_path]/server/log@@ and do a search for @@“WebSsoAuthenticationFilter”@@, this will give you a good understanding of what is going on.

If you are running PaperCut MF / NG 17.3.2 or later and run into a CSRF error after authenticating check the KB article [[https://www.papercut.com/kb/Main/CSRFValidationError|here]] which will tell you how to resolve the issue.

If you have enabled SSO for the Admin and can’t login add @@/nosso@@ to the end of the URL and it will skip the SSO option so that you can login and check your settings.
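Review bot: the search term is now wrapped as @@“WebSsoAuthenticationFilter”@@ with typographic quotes inside the code span, so anyone copying it into a log search will paste the quotes as well and find nothing; suggest @@WebSsoAuthenticationFilter@@ without quotes, matching how @@/nosso@@ is written two lines below.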
October 23, 2017, at 11:06 PM by Willem Groenewald -
Added lines 1-247:
(:title How to deploy PaperCut Application Server with SAML single sign-on Page Title:)

!! Background 
PaperCut NG and MF authenticate users at a number of points: before the document is printed, at the time of printing, and after printing.
Before printing:
* Administer the PaperCut software or view reports through the admin web interface
* End users visit the user web interface, for example to submit web print jobs, view statistics or top up their account
* Identify the owner of a print job, whether they print from a managed, shared or self-managed BYOD device

At the time of printing:
* Authenticate the user at the release station, through methods like username and password, card swipe, two-factor authentication with card and PIN, or even biometric options.

After printing, add permanent accountability to the document:
* Optionally apply a watermark or digital signature to all pages, which adds an encrypted HMAC signature to the page that can be traced back to the user who printed the document.

When authenticating users, PaperCut interfaces directly with directory services such as Active Directory or LDAP. You can also configure single sign-on for the admin web interface and the user web interface, in which case PaperCut relies on an external SAML service for authentication.

This article covers how to configure SAML single sign-on with PaperCut NG and MF, using Active Directory Federation Services (ADFS), IIS and Shibboleth. The same approach can be applied to similar services.

We would love to hear from you if you used different tools, especially if you can help others by providing a how-to guide which we can publish on our web site.

Special thank you to Jonathan at [[https://www.selectec.com|Selectec]] for providing this guide.

!!IIS Configuration (Shibboleth)

If you have not already done so, install IIS on either the PaperCut Application Server or a different server. If you put IIS on the PaperCut Application Server, make sure you have not configured PaperCut to use port 80 or 443, and make sure you don't tell IIS to use any of the standard PaperCut ports (9191, 9192, 9193).

You will need to make sure that ISAPI Extensions and ISAPI Filters are installed in IIS; both can be found under @@Add Server Roles > Web Server (IIS) > Web Server > App Development@@.

You will also need the IIS 6 Management Compatibility options installed, which can be found under @@Add Server Roles > Web Server (IIS) > Management Tools > IIS 6 Management Compatibility@@.

!!ADFS Configuration

If you have not already installed ADFS on your Domain Controller take a few minutes to go and do that.

We found that the steps [[https://technet.microsoft.com/en-us/library/gg188612.aspx|here]] were helpful when doing the install if you have never done it before.

Make sure you make a note of your Federation Service Name, as we will need this later.

!!!Add Relying Party Trust
Select Claims Aware, then click Next.

Select Import Data about the relying party and enter the FQDN of your IIS server followed by /Shibboleth.sso/Metadata (for iis.domain.vm the URL would be iis.domain.vm/Shibboleth.sso/Metadata).

Optionally edit the display name and add a note.

Set your access control policy. If you don't want to lock down which users or groups can authenticate, leave the default options set.

Double-check the settings, make sure you are happy with them, and click Next so it can finish.

!!!Edit Claim Issuance Policy

Right-click on your Relying Party Trust and select Edit Claim Issuance Policy. For our rule template we are going to use Send LDAP Attributes as Claims.

Now select the AD attribute we want to send back and the outgoing claim type to map it to. Give your claim a name and select Active Directory as the Attribute Store. Under LDAP Attribute select SAM-Account-Name and set the Outgoing Claim Type to Windows account name.

Click Finish.

!!Shibboleth Installation & Configuration

Download the latest version of Shibboleth from https://shibboleth.net/downloads/service-provider/latest/ and install it using the default options.

All configuration files are under @@C:\opt\shibboleth-sp\etc\shibboleth@@.

Open @@shibboleth2.xml@@.

!!!Edit [=InProcess=] so we use the correct IIS Site
We need to change the site name to the fully qualified domain name (FQDN) that your users connect to.

  <InProcess logger="native.logger">
      <ISAPI normalizeRequest="true" safeHeaderNames="true">
          <Site id="1" name="iis.domain.vm" scheme="https" port="443" />
      </ISAPI>
  </InProcess>

!!!Update [=RequestMapper=]
The RequestMapper tells IIS which paths on a given host need to use Shibboleth for authentication. We are going to use "user" for ours, so anyone going to host/user must be logged in; if they are not, they will be taken to the login page. If you want to add /admin as well, copy and paste the user line and replace user with admin.

  <RequestMapper type="Native">
      <RequestMap>
          <Host name="iis.domain.vm">
              <Path name="secure" authType="shibboleth" requireSession="true"/>
              <Path name="user" authType="shibboleth" requireSession="true"/>
          </Host>
      </RequestMap>
  </RequestMapper>

!!!Update ApplicationDefaults
ApplicationDefaults sets the REMOTE_USER attribute, which lists the headers we want populated. Make sure ppcuser is included here, as that is the header we will use in the PaperCut configuration for Web Auth.

  <ApplicationDefaults entityID="https://iis.domain.vm/shibboleth"
      REMOTE_USER="eppn persistent-id targeted-id ppcuser"
      cipherSuites="ECDHE+AESGCM:ECDHE:!aNULL:!eNULL:!LOW:!EXPORT:!RC4:!SHA:!SSLv2">

!!!Update SSO
The SSO section contains the location of our Identity Provider which will be your Federation Service Name followed by /adfs/services/trust.

  <SSO entityID="http://fs.domain.vm/adfs/services/trust"
      discoveryProtocol="SAMLDS" discoveryURL="https://ds.example.org/DS/WAYF">
      SAML2 SAML1
  </SSO>

!!!Add automatic metadata fetching
There are two ways to load the metadata for your identity provider: from a local file, which you would need to update manually whenever the metadata changes, or from a URL, which fetches the metadata automatically as needed and makes life easier later. The URL is your Federation Service Name followed by /federationmetadata/2007-06/federationmetadata.xml

  <MetadataProvider type="XML" url="https://fs.domain.vm/federationmetadata/2007-06/federationmetadata.xml"/>

!!!Open attribute-map.xml
Now we need to tell Shibboleth where it can find the value we want to expose as ppcuser. We used the Windows account name option in the claim issuance policy, so that is what we map here.

  <Attribute name="http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname" id="ppcuser"/>

!!!Restart Shibboleth
You can do this in two ways: either open Services Manager (services.msc), find Shibboleth 2 Daemon and click Restart, or open a command prompt window and run:

@@net stop shibd_default@@
@@net start shibd_default@@
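Before restarting, it is worth checking that the edits to shibboleth2.xml and attribute-map.xml agree with each other, because a mismatch between the site name, the entityID host, the RequestMapper host and the header name is a common reason the login loop never completes. The following Python is an added example written for this article (it is not part of Shibboleth or PaperCut): it parses the relevant elements and reports any inconsistency. The XML embedded below is a constructed sample assembled from the fragments above using the page's placeholder host names; pass the contents of your real files to check_sp_config to check your own installation.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

WINDOWS_ACCOUNT_NAME = "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"

# Constructed sample: the parts of shibboleth2.xml this guide edits, using the
# page's placeholder host names (iis.domain.vm, fs.domain.vm), not real systems.
SHIBBOLETH2_XML = """\
<SPConfig>
  <InProcess logger="native.logger">
    <ISAPI normalizeRequest="true" safeHeaderNames="true">
      <Site id="1" name="iis.domain.vm" scheme="https" port="443"/>
    </ISAPI>
  </InProcess>
  <RequestMapper type="Native">
    <RequestMap>
      <Host name="iis.domain.vm">
        <Path name="secure" authType="shibboleth" requireSession="true"/>
        <Path name="user" authType="shibboleth" requireSession="true"/>
      </Host>
    </RequestMap>
  </RequestMapper>
  <ApplicationDefaults entityID="https://iis.domain.vm/shibboleth"
      REMOTE_USER="eppn persistent-id targeted-id ppcuser">
    <Sessions>
      <SSO entityID="http://fs.domain.vm/adfs/services/trust">SAML2 SAML1</SSO>
    </Sessions>
    <MetadataProvider type="XML"
        url="https://fs.domain.vm/federationmetadata/2007-06/federationmetadata.xml"/>
  </ApplicationDefaults>
</SPConfig>
"""

# Constructed sample attribute-map.xml containing the one mapping added above.
ATTRIBUTE_MAP_XML = """\
<Attributes>
  <Attribute name="%s" id="ppcuser"/>
</Attributes>
""" % WINDOWS_ACCOUNT_NAME


def _local(tag):
    """Strip an XML namespace, so a real file with xmlns="..." is handled too."""
    return tag.rsplit("}", 1)[-1]


def _find_all(root, name):
    return [e for e in root.iter() if _local(e.tag) == name]


def check_sp_config(shib_xml, attr_map_xml, header="ppcuser", protected_path="user"):
    """Return a list of problems found; an empty list means the pieces agree."""
    problems = []
    root = ET.fromstring(shib_xml)

    sites = _find_all(root, "Site")
    site_name = sites[0].get("name") if sites else None
    if not site_name:
        problems.append("InProcess/ISAPI has no <Site name=...> for the IIS site")

    app = _find_all(root, "ApplicationDefaults")
    if not app:
        problems.append("no <ApplicationDefaults> element")
    else:
        entity_host = urlparse(app[0].get("entityID", "")).hostname
        if site_name and entity_host != site_name:
            problems.append("entityID host %r does not match Site name %r" % (entity_host, site_name))
        if header not in app[0].get("REMOTE_USER", "").split():
            problems.append("REMOTE_USER does not include %r" % header)

    hosts = {h.get("name"): h for h in _find_all(root, "Host")}
    host = hosts.get(site_name)
    if host is None:
        problems.append("RequestMapper has no <Host name=%r>" % site_name)
    else:
        paths = {p.get("name"): p for p in _find_all(host, "Path")}
        p = paths.get(protected_path)
        if p is None or p.get("authType") != "shibboleth" or p.get("requireSession") != "true":
            problems.append("/%s is not protected with authType=shibboleth requireSession=true" % protected_path)

    sso = _find_all(root, "SSO")
    if not sso or not sso[0].get("entityID", "").endswith("/adfs/services/trust"):
        problems.append("SSO entityID is not the Federation Service Name followed by /adfs/services/trust")

    urls = [m.get("url", "") for m in _find_all(root, "MetadataProvider")]
    if not any(u.endswith("/federationmetadata/2007-06/federationmetadata.xml") for u in urls):
        problems.append("no MetadataProvider url pointing at the ADFS federationmetadata.xml")

    claims = {a.get("id"): a.get("name") for a in _find_all(ET.fromstring(attr_map_xml), "Attribute")}
    if claims.get(header) != WINDOWS_ACCOUNT_NAME:
        problems.append("attribute-map.xml does not map the windowsaccountname claim to id=%r" % header)
    return problems


if __name__ == "__main__":
    for problem in check_sp_config(SHIBBOLETH2_XML, ATTRIBUTE_MAP_XML) or ["configuration is consistent"]:
        print(problem)
```

The check deliberately keys everything off the Site name, because that is the host name users actually connect to; if the entityID, the RequestMapper Host or the metadata URL disagree with it, the SP will either not protect /user or will never complete the exchange with ADFS.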


!!IIS Configuration (Proxy)
The only thing left to do now is to set up IIS to act as a proxy. For this we will use the IIS ARR (Application Request Routing) module, which can be found here: https://www.iis.net/downloads/microsoft/application-request-routing

Once installed we need to enable the proxy option. Open IIS Manager, select the local server from the tree on the left, then find Application Request Routing Cache.

Now on the right select Server Proxy Settings.

Check the Enable Proxy box and click Apply on the right.

Select your site on the left and click on URL Rewrite.

Click Add Rules on the right and pick Blank Rule from under Inbound rules.

The first rule to create is one to ignore any requests that come in to [FQDN]/Shibboleth.sso/, as we don't want to block any of the Shibboleth functions. Give your rule a name, set @@Requested URL@@ to @@Matches the Pattern@@ and set @@Using@@ to @@Regular Expression@@. Set the Pattern to @@Shibboleth.sso/.*@@ and make sure @@Ignore case@@ is checked. Set the Action type at the bottom to @@None@@ and check @@Stop processing of subsequent rules@@.

Our next rule will be to pass anything else off to PaperCut. Create a new blank rule and this time set the pattern to @@(.*)@@.

Now for the action set the type to @@Rewrite@@ and for the @@Rewrite URL@@ use @@http://[papercut_ip_or_fqdn]:9191/{R:1}@@ and check @@Append Query String@@. With a bit more work you can configure this internal route to use HTTPS if needed.

Now restart IIS by clicking Restart on the right or by opening a command prompt window and running @@iisreset@@.
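To make the effect of the two rules, and of "Stop processing of subsequent rules", concrete, here is an added Python model of the inbound rule chain. It is written for this article and is not IIS code or PaperCut code; it reproduces only the semantics described above (pattern matched case-insensitively against the path without its leading slash, {R:1} expanded from the capture group, query string appended) and the PaperCut address papercut.domain.vm is a placeholder. The reversed-order call at the end shows why the Shibboleth bypass rule must come first and stop processing: otherwise /Shibboleth.sso/* is proxied to PaperCut and the SP handler never sees it.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Hypothetical internal address standing in for http://[papercut_ip_or_fqdn]:9191
PAPERCUT_ORIGIN = "http://papercut.domain.vm:9191"


@dataclass
class Rule:
    name: str
    pattern: str                   # "Matches the Pattern" using "Regular Expression"
    action: str                    # "None" or "Rewrite"
    rewrite_url: str = ""          # may use {R:n} back-references
    stop_processing: bool = False  # "Stop processing of subsequent rules"
    append_query_string: bool = True


# The two inbound rules from the guide, in the order they must be evaluated.
RULES: List[Rule] = [
    Rule("Ignore Shibboleth handler", r"Shibboleth.sso/.*", "None", stop_processing=True),
    Rule("Proxy to PaperCut", r"(.*)", "Rewrite", PAPERCUT_ORIGIN + "/{R:1}"),
]


def apply_rules(request_url: str, rules: List[Rule] = RULES) -> Optional[str]:
    """Model of the inbound rule chain: returns the URL the request is rewritten
    to, or None when no Rewrite action fired and IIS serves the request itself
    (which is what lets the Shibboleth ISAPI handler answer /Shibboleth.sso/*).
    Simplification: every rule is matched against the original path."""
    path, _, query = request_url.partition("?")
    path = path.lstrip("/")  # URL Rewrite matches the path without its leading slash
    result = None
    for rule in rules:
        match = re.search(rule.pattern, path, re.IGNORECASE)  # "Ignore case" checked
        if match is None:
            continue
        if rule.action == "Rewrite":
            # Expand {R:0}, {R:1}, ... from the capture groups of this rule's pattern.
            url = re.sub(r"\{R:(\d+)\}", lambda m: match.group(int(m.group(1))), rule.rewrite_url)
            if query and rule.append_query_string:
                url += "?" + query
            result = url
        if rule.stop_processing:
            break
    return result


if __name__ == "__main__":
    for u in ("/Shibboleth.sso/Status", "/user/", "/user/?foo=bar", "/"):
        print(u, "->", apply_rules(u) or "served by IIS (Shibboleth handler)")
    # With the rules reversed the handler URL is sent to PaperCut instead:
    print(apply_rules("/Shibboleth.sso/Status", list(reversed(RULES))))
```

Note that the bypass rule does not need an action of its own; its job is purely to stop the chain before the catch-all rule runs, which is why leaving "Stop processing" unchecked on it silently breaks the SP endpoints.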

!!PaperCut Configuration

Everything should now be good to go, so we can configure PaperCut to use Web Auth for the SSO.

Log in to the PaperCut admin portal and go to Options > Advanced. Look for Web Single Sign-On (SSO) and enable it.

From the dropdown select WebAuth. The HTTP Header Key will be ppcuser, which will contain the username after a successful authentication attempt. The allowed IP list only needs the IIS server's IP in it, but to play it safe also add localhost (127.0.0.1) and the IP of the PaperCut Server.

Now select the pages you want to use SSO for. If you followed the steps above it will just be the User login page, but you can change this as needed. For the logout URL you can use https://[iis_fqdn_or_ip]/Shibboleth.sso/Logout?return=https://papercut.com; with this option, when the user logs out they will be redirected to the PaperCut website. You can change the return URL to anything you want.
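The allowed IP list is what stops a client from simply sending its own ppcuser header: PaperCut only honours the header when the request arrives from one of the listed addresses. The following Python is an added illustration of that decision written for this article; it is not PaperCut's code and does not claim to show how PaperCut implements the check. The addresses are constructed placeholders, and the example goes a little beyond the text above by also listing the IPv6 loopback (0:0:0:0:0:0:0:1) and by normalising IPv4-mapped IPv6 peer addresses, which a dual-stack listener can report and which would otherwise fail to match an IPv4 entry.

```python
import ipaddress
from typing import Mapping, Optional

HEADER_KEY = "ppcuser"  # the HTTP Header Key set under Options > Advanced

# Allowed WebAuth IP addresses. The two 10.0.0.x entries are constructed
# placeholders for the IIS host and the PaperCut Application Server.
ALLOWED_WEBAUTH_IPS = {
    ipaddress.ip_address("10.0.0.20"),         # hypothetical IIS/Shibboleth proxy
    ipaddress.ip_address("10.0.0.30"),         # hypothetical PaperCut Application Server
    ipaddress.ip_address("127.0.0.1"),         # IPv4 loopback
    ipaddress.ip_address("0:0:0:0:0:0:0:1"),   # IPv6 loopback, same address as ::1
}


def webauth_user(peer_ip: str, headers: Mapping[str, str]) -> Optional[str]:
    """Model of the WebAuth decision: the username to sign in, or None, which
    means the normal login page is shown instead."""
    try:
        peer = ipaddress.ip_address(peer_ip)
    except ValueError:
        return None  # not a parseable address: never trust the header
    # A dual-stack listener may report an IPv4 client as ::ffff:a.b.c.d.
    if isinstance(peer, ipaddress.IPv6Address) and peer.ipv4_mapped is not None:
        peer = peer.ipv4_mapped
    if peer not in ALLOWED_WEBAUTH_IPS:
        # The header did not come through the trusted proxy. Anyone who can reach
        # port 9191 directly could have set it themselves, so it is ignored.
        return None
    # HTTP header names are case-insensitive; take the first non-empty match.
    for name, value in headers.items():
        if name.lower() == HEADER_KEY and value.strip():
            return value.strip()
    return None


if __name__ == "__main__":
    # Request relayed by the proxy: trusted.
    print(webauth_user("10.0.0.20", {"ppcuser": "jdoe"}))
    # Same header sent straight to port 9191 from an unlisted client: ignored.
    print(webauth_user("192.0.2.55", {"ppcuser": "admin"}))
```

This is also the reason the IIS-to-PaperCut route should not be reachable from clients directly: the list only helps if the addresses on it are hosts that strip or overwrite any ppcuser header they receive from users.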

!!Testing

Now for the fun bit. Open a browser and go to http://[IIS_HOST]/ and you should see the ADFS login page. You will be able to log in using domain\username and your password, which will then take you to the PaperCut User page, as shown in the gif below.

!!Troubleshooting

While the steps above should be enough to get you up and running, every environment is a little bit different. If you do run into any issues, the first thing to do is to check the URLs you used. Some of them will work if you enter them into a browser on the IIS host. The three to check are listed below.

* Shibboleth Status: https://localhost/Shibboleth.sso/Status
* Shibboleth Metadata: https://localhost/Shibboleth.sso/Metadata
* ADFS Metadata: https://[adfs_fqdn]/federationmetadata/2007-06/federationmetadata.xml

You can also find the Shibboleth log files under C:\opt\shibboleth-sp\var\log\shibboleth. While working on this I found shibd.log to be the most useful; a quick search for "ERROR" or "FATAL" will show where it went wrong.

If you manage to authenticate but PaperCut is still showing the login page, enable debug logging in the app server, try again, then open server.log under [install_path]/server/log and search for "WebSsoAuthenticationFilter"; this will give you a good understanding of what is going on.

If you are running PaperCut 17.3.2 or later and run into a CSRF error after authenticating, check the KB article here: https://www.papercut.com/kb/Main/CSRFValidationError which will tell you how to resolve the issue.

If you have enabled SSO for the Admin interface and can't log in, add /nosso to the end of the URL and it will skip the SSO option so that you can log in and check your settings.
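The two log searches described above, as an added Python example written for this article (it is not a PaperCut or Shibboleth tool). The log lines embedded here are constructed to resemble the two files and are not captured output; in particular the wording of PaperCut's WebSsoAuthenticationFilter messages is an assumption. scan_file applies the same search to a file on disk, such as the shibd.log path given above.

```python
import re
from typing import Callable, List

# Constructed sample lines in the shape of shibd.log and PaperCut's server.log.
# They are illustrations written for this example, not captured from a real system.
SHIBD_LOG = """\
2017-10-23 10:01:02 INFO Shibboleth.Config : loading configuration file
2017-10-23 10:01:03 ERROR Shibboleth.MetadataProvider.XML : error while loading resource (https://fs.domain.vm/federationmetadata/2007-06/federationmetadata.xml)
2017-10-23 10:01:03 WARN Shibboleth.Application : no metadata available for the IdP
2017-10-23 10:01:04 FATAL Shibboleth.Config : error loading configuration, shibd exiting
"""

SERVER_LOG = """\
2017-10-23 10:05:00,100 DEBUG WebSsoAuthenticationFilter - SSO is enabled, header key: ppcuser
2017-10-23 10:05:00,101 DEBUG WebSsoAuthenticationFilter - request from 192.0.2.10 is not in the allowed WebAuth IP list, ignoring header
2017-10-23 10:05:07,420 INFO  UserWebInterface - displaying login page
"""

# Match the log level as a whole word, so a lower-case "error" in a message
# body (as in the WARN/INFO lines) does not count.
SHIBD_PATTERN = re.compile(r"\b(ERROR|FATAL)\b")


def shibd_problems(log_text: str) -> List[str]:
    """The quick search the guide suggests: lines logged at ERROR or FATAL."""
    return [line for line in log_text.splitlines() if SHIBD_PATTERN.search(line)]


def sso_filter_lines(log_text: str, marker: str = "WebSsoAuthenticationFilter") -> List[str]:
    """Lines written by the PaperCut web SSO filter (visible once debug logging is on)."""
    return [line for line in log_text.splitlines() if marker in line]


def scan_file(path: str, finder: Callable[[str], List[str]]) -> List[str]:
    """Apply one of the finders above to a log file on disk, for example
    scan_file(r"C:\\opt\\shibboleth-sp\\var\\log\\shibboleth\\shibd.log", shibd_problems)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return finder(fh.read())


if __name__ == "__main__":
    for line in shibd_problems(SHIBD_LOG) + sso_filter_lines(SERVER_LOG):
        print(line)
```

Read the shibd.log hits first: a FATAL during configuration load means the SP never started, so nothing in server.log will be meaningful until that is fixed.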


Article last modified on August 07, 2019, at 03:05 AM