Q Why do users have to log in when accessing the end-user web pages? Can I implement single sign-on (e.g. NTLM/IWA, WebAuth, Shibboleth)?
As of release 13.4, PaperCut offers two single sign-on (SSO) methods for web access, using Integrated Windows Authentication (NTLM/IWA) and WebAuth. With these solutions, users can access the PaperCut web interface simply by clicking on the Details… link in the client or bringing up the required URL in a browser. It may be that one of these two solutions is ideal for your site, but there are security issues to consider.
PaperCut first implemented single sign-on several years ago, however, this caused a number of problems in an education environment. The user web interface exposes sensitive information and features such as funds transfer.
The problem was that students would momentarily leave their desktop and another student could jump in, open the browser, and transfer funds out of their account or gain access to other sensitive data or functions. The same can be said for admin level users, although with more severe consequences!
To prevent this issue, single sign-on was removed from the product for a number of years. More recently, demand from corporate customers and the increased use of two factor authentication systems such as swipe cards for login has prompted us to re-implement this feature.
The new PaperCut SSO implementation offers more configurability and control, so you can selectively offer web SSO for access to the admin or user interfaces. We’ve also implemented the feature in way that should minimise the chance of any Cross-Site Request Forgery (CSRF) attacks. In particular, deep linking is not supported. After session login, all URL parameters are wiped.
If considering SSO for your organization, you must carefully read the PaperCut SSO documentation, weigh the pros and cons and plan your implementation. This is an advanced feature and many PaperCut users will find the standard login solution is the best option for their site.
We have been told that PaperCut’s WebAuth integration can work equally well with Shibboleth, and this may be a valid alternative.
PaperCut versions 9+ include web widgets. If the aim is to provide users with simple access to view their balance or environmental impact within your intranet environment then the web widgets may satisfy these requirements.
Keywords: single sign on, signon, interface, web tools, login, NTLM, integrated authentication, auth, automatic login, Windows authentication