PaperCut NG User Web Interface Logins

Main.PaperCutNGEndUserLogin History

June 28, 2018, at 09:26 PM by Aaron Pouliot - Added Category SSO
Changed line 27 from:
''Categories:'' [[Category.Authentication|+]], [[Category.UserWebInterface|+]]
to:
''Categories:'' [[Category.SSO|+]], [[Category.Authentication|+]], [[Category.UserWebInterface|+]],
Changed lines 18-19 from:
If considering SSO for your organization, you must carefully read the [[https://www.papercut.com/products/ng/manual/ch-sso | PaperCut SSO documentation]], weigh the pros and cons and plan your implementation.  This is an advanced feature and many PaperCut users will find the standard login solution is the best option for their site.
to:
If considering SSO for your organization, you must carefully read the [[https://www.papercut.com/products/ng/manual/ch-sso.html | PaperCut SSO documentation]], weigh the pros and cons and plan your implementation.  This is an advanced feature and many PaperCut users will find the standard login solution is the best option for their site.
Changed lines 3-4 from:
Q: Why do users have to log in when accessing the end-user web pages?  Can I implement single sign-on (e.g. NTLM/IWA, WebAuth, Shibboleth)?
to:
Q: Why do users have to log in when accessing the end-user web pages?  Can I implement single sign-on (e.g. NTLM/IWA, `WebAuth, Shibboleth)?
Changed lines 16-17 from:
configurability and control, so you can selectively offer web SSO for access to the admin or user interfaces.
to:
configurability and control, so you can selectively offer web SSO for access to the admin or user interfaces.  We've also implemented the feature in way that should minimise the chance of any Cross-Site Request Forgery (CSRF) attacks.  In particular, deep linking is not supported.  After session login, all URL parameters are wiped.
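Review bot: The added sentence "We've also implemented the feature in way that should minimise..." is missing an article ("in a way"), and it uses the abbreviation CSRF where the rest of the article uses XSRF for the same attack; pick one term and use it throughout. The mitigation as written (no deep linking, URL parameters wiped after session login) describes only the login step, so consider adding a sentence on whether actions taken after login, such as the funds transfer the article calls sensitive, have their own request-forgery protection, or point to the SSO documentation for that.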
Changed line 21 from:
We have been told that PaperCut's WebAuth integration can work equally well with [[http://shibboleth.net | Shibboleth]],
to:
We have been told that PaperCut's `WebAuth integration can work equally well with [[http://shibboleth.net | Shibboleth]],
Changed lines 3-4 from:
Q: Why do users have to log in when accessing the end-user web pages?  Can I implement single sign-on (e.g. NTLM/IWA, WebAuth)?
to:
Q: Why do users have to log in when accessing the end-user web pages?  Can I implement single sign-on (e.g. NTLM/IWA, WebAuth, Shibboleth)?
Added lines 21-23:
We have been told that PaperCut's WebAuth integration can work equally well with [[http://shibboleth.net | Shibboleth]],
and this may be a valid alternative.

Changed lines 3-6 from:
Q: Why do users have to log in when accessing the end-user web pages?  Can I implement single sign-on (e.g. NTLM, Yale CAS)?

A: Older versions of PaperCut used to implement single sign-on, meaning that users could access the user interface by simply clicking on the ''Details...'' link in the client or bringing up the required URL in a browser.  No login was required.  However, this caused a number of problems in an education environment.  The user web interface exposes sensitive information and features such as funds transfer.
to:
Q: Why do users have to log in when accessing the end-user web pages?  Can I implement single sign-on (e.g. NTLM/IWA, WebAuth)?

A: As of release 13.4, PaperCut offers two single sign-on (SSO) methods for web access, using [[http://en.wikipedia.org/wiki/Integrated_Windows_Authentication | Integrated Windows Authentication (NTLM/IWA)]] and [[WebAuthAndPaperCut | WebAuth]].  With these solutions, users can access the PaperCut web interface simply by clicking on the ''Details...'' link in the client or bringing up the required URL in a browser.  It may be that one of these two solutions is ideal for your site, but there are security issues to consider.

PaperCut first implemented single sign-on several years ago, however
, this caused a number of problems in an education environment.  The user web interface exposes sensitive information and features such as funds transfer.
Changed lines 11-18 from:
To prevent this issue we have designed newer versions of PaperCut to ''require'' username/password authentication when the end-user pages are initially accessed.  The new authentication method also provides a consistent login interface for users across all operating systems.  The login screen can also be quickly customized to include your organization logo providing an official look.

For larger organizations, PaperCut provides [[WebAuthAndPaperCut | WebAuth integration]]. This is only suitable
for organizations that have a dedicated security team capable of understanding and mitigating the potential security issues that come with SSO integration.

!!Security Review

'''April 2008''' - The PaperCut code base was externally reviewed from a security standpoint.  As a result of this review a number of potential [[http://en.wikipedia.org/wiki/Cross-site_request_forgery | cross-site request forgery]] attacks (XSRF) were found. The potential XSRF vectors were closed up in the 8.2 release
.
to:
To prevent this issue, single sign-on was removed from the product for a number of years.  More recently, demand from
corporate customers and the increased use of two factor authentication systems
such as swipe cards for login has prompted us to re-implement this feature.

The new PaperCut SSO implementation offers more
configurability and control, so you can selectively offer web SSO for access to the admin or user interfaces.

If considering SSO
for your organization, you must carefully read the [[https://www.papercut.com/products/ng/manual/ch-sso | PaperCut SSO documentation]], weigh the pros and cons and plan your implementation.  This is an advanced feature and many PaperCut users will find the standard login solution is the best option for their site.
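Review bot: The "!!Security Review" section should not be dropped in this edit: the new text announces that SSO has been re-implemented, yet the record of the April 2008 external review and of the XSRF vectors closed in the 8.2 release is deleted, and nothing in the replacement says how that concern is handled with SSO enabled. Suggest keeping the section, or adding a sentence to the new SSO paragraph that addresses it, so that readers weighing SSO see that history. Separately, "two factor authentication" should be hyphenated as "two-factor authentication".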
Changed lines 5-18 from:
A: This is a controversial topic.  Older versions of PaperCut used to implement single sign-on, meaning that users could access the user interface by simply clicking on the ''Details...'' link in the client or bringing up the required URL in a browser.  No login was required.  This however caused a number of problems in an education environment.  The user web interface exposes sensitive information and features such as funds transfer.

The problem was that students would momentarily leave their desktop and another student could jump in, open the browser, and transfer funds out of their account or gain access to other sensitive data or functions.  The same can be said for "admin" level users, although with more severe consequences! 

Another related issue covers a new area of security attack, [[http://en.wikipedia.org/wiki/Cross-site_request_forgery | cross-site request forgery]] (XSRF).  In 2008 an external security advisor demonstrated a successful attack against PaperCut with SSO enabled.

To prevent these issue we have designed [[https://www.papercut.com/solutions/printer-control-for-education/ | PaperCut NG]] to ''require'' username/password authentication when the end-user pages are initially accessed.  The new authentication method also provides a consistent login interface for users across all operating systems.  The login screen can also be quickly customized to include your organization logo providing an official look
.

Most customers prefer the security and consistency of the new authentication system.  Some however prefer the legacy behavior of the older releases.  The developers have noted this request and are considering adding a ''non-default'' option to re-enable the legacy single sign-on (SSO) behavior in a future release.  This will only happen after XSRF mitigation measures such as image captcha are in place in key areas of the application (e.g. balance transfer).

!!Latest Review

'''April 2008''' - The PaperCut code based has been recently externally reviewed from a security standpoint.  As a result of this review a number of potential [[http://en.wikipedia.org/wiki/Cross-site_request_forgery | cross-site request forgery]] attacks (XSRF) were found.  This is a relatively new and emerging attack vector.  The potential XSRF vectors were closed up in the 8.2 release.  The security advice on the NTLM topic was that we should keep with our transient authentication method and all SSO code should be removed.  Moving back to NTLM/SSO would be equivalent to introducing persistent authentication and would be against XSRF best security practice, unnecessarily exposing users
.
to:
A: Older versions of PaperCut used to implement single sign-on, meaning that users could access the user interface by simply clicking on the ''Details...'' link in the client or bringing up the required URL in a browser.  No login was required.  However, this caused a number of problems in an education environment.  The user web interface exposes sensitive information and features such as funds transfer.

The problem was that students would momentarily leave their desktop and another student could jump in, open the browser, and transfer funds out of their account or gain access to other sensitive data or functions.  The same can be said for admin level users, although with more severe consequences! 

To prevent this issue we have designed newer versions of PaperCut to ''require'' username/password authentication when the end-user pages are initially accessed.  The new authentication method also provides a consistent login interface for users across all operating systems.  The login screen can also be quickly customized to include your organization logo providing an official look.

For larger organizations, PaperCut provides [[WebAuthAndPaperCut | WebAuth integration]]. This is only suitable for organizations that have a dedicated security team capable of understanding and mitigating the potential security issues that come with SSO integration
.

!!Security Review

'''April 2008''' - The PaperCut code base was externally reviewed from a security standpoint.  As a result
of this review a number of potential [[http://en.wikipedia.org/wiki/Cross-site_request_forgery | cross-site request forgery]] attacks (XSRF) were found. The potential XSRF vectors were closed up in the 8.2 release.
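Review bot: The rationale for requiring a login becomes incomplete once the sentence "In 2008 an external security advisor demonstrated a successful attack against PaperCut with SSO enabled" is removed: the answer now cites only the unattended-desktop problem, while the Security Review section still mentions XSRF without tying it to SSO. Suggest keeping one sentence in the answer that links XSRF to SSO. The condition that legacy SSO would return only after XSRF mitigation in key areas such as balance transfer is also lost; if that is still the position, state it next to the WebAuth paragraph.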
Changed lines 18-19 from:
PaperCut NG version 9+ now includes some [[https://www.papercut.com/products/ng/manual/ch-user-services-gadgets.html|web widgets]].  If the aim is to provide users with simple access to view their balance or environmental impact within your intranet environment then the web widgets may satisfy these requirements.
to:
PaperCut versions 9+ include [[https://www.papercut.com/products/ng/manual/ch-user-services-gadgets.html|web widgets]].  If the aim is to provide users with simple access to view their balance or environmental impact within your intranet environment then the web widgets may satisfy these requirements.
Changed line 21 from:
''Categories:'' [[Category.UserWebInterface|+]]
to:
''Categories:'' [[Category.Authentication|+]], [[Category.UserWebInterface|+]]
Changed line 23 from:
[-keywords: single sign on, signon, interface, web tools, login, NTLM, integrated authentication, auth, automatic login, Windows authentication-]
to:
[-Keywords: single sign on, signon, interface, web tools, login, NTLM, integrated authentication, auth, automatic login, Windows authentication-]
June 08, 2011, at 04:10 AM by tim - fix typo
Changed lines 17-18 from:
'''April 2008''' - The PaperCut code based has been recently externally reviewed from a security standpoint.  As a result of this review a number of potential [[http://en.wikipedia.org/wiki/Cross-site_request_forgery | cross-site request forgery]] attacks (XSRF) were found.  This is a relatively new and emerging attack vector.  The potential XSRF vectors were closed up in the 8.2 release.  The security advice on the NTLM topic was that we should keep with our transient authentication method and all SSO code should be remove.  Moving back to NTLM/SSO would be equivalent to introducing persistent authentication and would be against XSRF best security practice, unnecessarily exposing users.
to:
'''April 2008''' - The PaperCut code based has been recently externally reviewed from a security standpoint.  As a result of this review a number of potential [[http://en.wikipedia.org/wiki/Cross-site_request_forgery | cross-site request forgery]] attacks (XSRF) were found.  This is a relatively new and emerging attack vector.  The potential XSRF vectors were closed up in the 8.2 release.  The security advice on the NTLM topic was that we should keep with our transient authentication method and all SSO code should be removed.  Moving back to NTLM/SSO would be equivalent to introducing persistent authentication and would be against XSRF best security practice, unnecessarily exposing users.
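Review bot: The typo fix is incomplete: the first sentence of the same paragraph still reads "The PaperCut code based has been recently externally reviewed", where "code based" should be "code base". While editing this line, "has been recently externally reviewed" would read better as "was recently reviewed externally".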
Changed line 25 from:
[-keywords: single sign on, interface, web tools, login, NTLM, integrated authentication, auth, automatic login, Windows authentication-]
to:
[-keywords: single sign on, signon, interface, web tools, login, NTLM, integrated authentication, auth, automatic login, Windows authentication-]
Changed lines 11-12 from:
To prevent these issue we have designed [[https://www.papercut.com/products/ng/ | PaperCut NG]] to ''require'' username/password authentication when the end-user pages are initially accessed.  The new authentication method also provides a consistent login interface for users across all operating systems.  The login screen can also be quickly customized to include your organization logo providing an official look.
to:
To prevent these issue we have designed [[https://www.papercut.com/solutions/printer-control-for-education/ | PaperCut NG]] to ''require'' username/password authentication when the end-user pages are initially accessed.  The new authentication method also provides a consistent login interface for users across all operating systems.  The login screen can also be quickly customized to include your organization logo providing an official look.
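Review bot: "To prevent these issue" at the start of the changed paragraph is carried over unchanged by this link update; it should read "these issues". The new link target is an education solutions page while the link text is still "PaperCut NG", so check that the label matches where the link now goes.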
Changed lines 7-10 from:
The problem was that students would momentarily leave their desktop and another student could jump in, open the browser, and transfer funds out of their account or gain access to other sensitive data or functions.  The same can be said for "admin" level users, although with more severe consequences!  To prevent this we have designed [[https://www.papercut.com/products/ng/ | PaperCut NG]] to ''require'' username/password authentication when the end-user pages are initially accessed.  The new authentication method also provides a consistent login interface for users across all operating systems.  The login screen can also be quickly customized to include your organization logo providing an official look.

Most customers prefer the security and consistency of the new authentication system.  Some however prefer the legacy behavior of the older releases.  The developers have noted this request and are considering adding a ''non-default'' option to re-enable
the legacy single sign-on (SSO) behavior in a future release.
to:
The problem was that students would momentarily leave their desktop and another student could jump in, open the browser, and transfer funds out of their account or gain access to other sensitive data or functions.  The same can be said for "admin" level users, although with more severe consequences! 

Another related issue covers a new area of security attack,
[[http://en.wikipedia.org/wiki/Cross-site_request_forgery | cross-site request forgery]] (XSRF).  In 2008 an external security advisor demonstrated a successful attack against PaperCut with SSO enabled.

To prevent these issue we have designed [[https://www
.papercut.com/products/ng/ | PaperCut NG]] to ''require'' username/password authentication when the end-user pages are initially accessed.  The new authentication method also provides a consistent login interface for users across all operating systems.  The login screen can also be quickly customized to include your organization logo providing an official look.

Most customers prefer the security and consistency of
the new authentication system.  Some however prefer the legacy behavior of the older releases.  The developers have noted this request and are considering adding a ''non-default'' option to re-enable the legacy single sign-on (SSO) behavior in a future release.  This will only happen after XSRF mitigation measures such as image captcha are in place in key areas of the application (e.g. balance transfer).
Changed lines 17-18 from:
'''April 2008''' - The PaperCut code based has been recently externally reviewed from a security standpoint.  As a result of this review a number of potential [[http://en.wikipedia.org/wiki/Cross-site_request_forgery | cross-site request forgery]] attacks (XSRF) were found.  This is a relatively new and emerging attack vector.  The potential XSRF vectors were closed up in the 8.2 release.  The security advice on the NTLM topic was that we should keep with our transient authentication method.  Moving to NTLM/SSO would be equivalent to introducing persistent authentication and would be against XSRF best security practice, unnecessarily exposing users.
to:
'''April 2008''' - The PaperCut code based has been recently externally reviewed from a security standpoint.  As a result of this review a number of potential [[http://en.wikipedia.org/wiki/Cross-site_request_forgery | cross-site request forgery]] attacks (XSRF) were found.  This is a relatively new and emerging attack vector.  The potential XSRF vectors were closed up in the 8.2 release.  The security advice on the NTLM topic was that we should keep with our transient authentication method and all SSO code should be remove.  Moving back to NTLM/SSO would be equivalent to introducing persistent authentication and would be against XSRF best security practice, unnecessarily exposing users.
September 16, 2009, at 11:45 AM by 218.214.136.115 -
Changed lines 3-4 from:
Q: Why do users have to log in when accessing the end-user web pages?  Can I implement single sign-on?
to:
Q: Why do users have to log in when accessing the end-user web pages?  Can I implement single sign-on (e.g. NTLM, Yale CAS)?
Added line 17:
Changed line 19 from:
''Categories:'' [[Category.WebTools|+]]
to:
''Categories:'' [[Category.UserWebInterface|+]]
Changed lines 1-10 from:
(:title PaperCut NG End-user Web login:)

Q: Why do users have to log in when accessing the end-user web pages?  Can I implement single-signon.

A: This is a controversial topic.  Older versions of PaperCut use to implement single-signon, meaning that users could access the end-user pages by simply clicking on the ''Details...'' link in the client or bringing up the required URL in a browser.  No login was required.  This however caused a number of problems in an education environment.  The end-user pages expose sensitive information and a number of advanced features such as funds transfers.

The problem was that students would momentarily leave their desktop and another student could jump in
, open the browser, and transfer funds out of their account or gain access to other sensitive data or functions.  The same can be said for "admin" level users, although with more severe consequences!  To prevent this, we have designed [[https://www.papercut.com/products/ng/ | PaperCut NG]] to ''require'' username/password authentication when the end-user pages are initially accessed.  The new authentication method also provides a consistent login interface for users across all operating systems.  The login screen can also be quickly customized to include your organization logo providing an official look.

Most customers prefer the security and consistency of the new authentication system.  Some however prefer the legacy behavior of the older releases.  The developers have noted this request and are considering adding a ''non-default'' option to re-enable the legacy single-signon (SSO) behavior in a future release.
to:
(:title PaperCut NG User Web Interface Logins:)

Q: Why do users have to log in when accessing the end-user web pages?  Can I implement single sign-on?

A: This is a controversial topic.  Older versions of PaperCut used to implement single sign-on, meaning that users could access the user interface by simply clicking on the ''Details...'' link in the client or bringing up the required URL in a browser.  No login was required.  This however caused a number of problems in an education environment.  The user web interface exposes sensitive information and features such as funds transfer.

The problem was that students would momentarily leave their desktop and another student could jump in, open the browser
, and transfer funds out of their account or gain access to other sensitive data or functions.  The same can be said for "admin" level users, although with more severe consequences!  To prevent this we have designed [[https://www.papercut.com/products/ng/ | PaperCut NG]] to ''require'' username/password authentication when the end-user pages are initially accessed.  The new authentication method also provides a consistent login interface for users across all operating systems.  The login screen can also be quickly customized to include your organization logo providing an official look.

Most customers prefer the security and consistency of the new authentication system.  Some however prefer the legacy behavior of the older releases.  The developers have noted this request and are considering adding a ''non-default'' option to re-enable the legacy single sign-on (SSO) behavior in a future release.
Changed lines 13-14 from:
'''April 2008''' - The PaperCut code based has been recently externally reviewed from a security standpoint.  As a result of this review a number of potential [[http://en.wikipedia.org/wiki/Cross-site_request_forgery | cross-site request forgery]] attacks (XSRF) were found.  This is a relatively new and emerging attach vector.  The potential XSRF vectors were closed up in the 8.2 release.  The security advice on the NTLM topic was that we should keep with our transient authentication method.  Moving to NTLM/SSO would be equivilent to introducing persistent authentication and would be against XSRF best security practice and would unnecessarily expose users.
to:
'''April 2008''' - The PaperCut code based has been recently externally reviewed from a security standpoint.  As a result of this review a number of potential [[http://en.wikipedia.org/wiki/Cross-site_request_forgery | cross-site request forgery]] attacks (XSRF) were found.  This is a relatively new and emerging attack vector.  The potential XSRF vectors were closed up in the 8.2 release.  The security advice on the NTLM topic was that we should keep with our transient authentication method.  Moving to NTLM/SSO would be equivalent to introducing persistent authentication and would be against XSRF best security practice, unnecessarily exposing users.
Changed line 16 from:
PaperCut NG version 9+ now includes some [[https://www.papercut.com/products/ng/manual/ch-user-services-gadgets.html|web widgets]].  If the aim is to provide users with simple access to view their balance or environmental impact within your intranet environment, the web widgets may satisfy these requirements.
to:
PaperCut NG version 9+ now includes some [[https://www.papercut.com/products/ng/manual/ch-user-services-gadgets.html|web widgets]].  If the aim is to provide users with simple access to view their balance or environmental impact within your intranet environment then the web widgets may satisfy these requirements.
Changed line 18 from:
''Categories:'' [[!WebTools]]
to:
''Categories:'' [[Category.WebTools|+]]
Changed line 20 from:
[-keywords: single sign on, interface, web tools, login, NTLM, integrated authentication, auth-]
to:
[-keywords: single sign on, interface, web tools, login, NTLM, integrated authentication, auth, automatic login, Windows authentication-]
Changed line 16 from:
PaperCut NG version 9 now includes some [[https://www.papercut.com/products/ng/manual/ch-user-services-gadgets.html|web widgets]].  If the aim is to provide users with simple access to view their balance or environmental impact within your intranet environment, the web widgets may satisfy these requirements.
to:
PaperCut NG version 9+ now includes some [[https://www.papercut.com/products/ng/manual/ch-user-services-gadgets.html|web widgets]].  If the aim is to provide users with simple access to view their balance or environmental impact within your intranet environment, the web widgets may satisfy these requirements.
Added lines 15-16:
!!Other Options:
PaperCut NG version 9 now includes some [[https://www.papercut.com/products/ng/manual/ch-user-services-gadgets.html|web widgets]].  If the aim is to provide users with simple access to view their balance or environmental impact within your intranet environment, the web widgets may satisfy these requirements.
Changed lines 13-14 from:
'''April 2008''' - The PaperCut code based has been recently externally reviewed from a security standpoint.  As a result of this review a number of potential [[http://en.wikipedia.org/wiki/Cross-site_request_forgery | cross-site request forgery]] attacks (XSRF) were found.  This is a relatively new and emerging attach vector.  The potential XSRF vectors were closed up in the 8.2 release.  The security advice on the NTLM topic was that we should keep with our transient authentication method.  Moving to NTLM/SSO would be equivilent to introducing persistent authentication and would be against XSRF best security practice.  NTLM would be equivilent to introducing persistent authentication and would unnecessarily expose users.
to:
'''April 2008''' - The PaperCut code based has been recently externally reviewed from a security standpoint.  As a result of this review a number of potential [[http://en.wikipedia.org/wiki/Cross-site_request_forgery | cross-site request forgery]] attacks (XSRF) were found.  This is a relatively new and emerging attach vector.  The potential XSRF vectors were closed up in the 8.2 release.  The security advice on the NTLM topic was that we should keep with our transient authentication method.  Moving to NTLM/SSO would be equivilent to introducing persistent authentication and would be against XSRF best security practice and would unnecessarily expose users.
Changed lines 7-10 from:
The problem was that students would momentarily leave their desktop and another student could jump in, open the browser, and transfer funds out of their account or gain access to other sensitive data or functions.  The same can be said for "admin" level users, although with more severe consequences!  To prevent this, we have designed [[https://www.papercut.com/products/ng/ | PaperCut NG]] to require username/password authentication when the end user pages are initially accessed.  The new authentication method also provides a consistent login interface for users across all operating systems.  The login screen can also be quickly customized to include your organization logo providing an official look.

Most customers prefer the security and consistency of the new authentication system.  Some however prefer the legacy behavior of the older releases.  The developers have noted this request and are planing on adding a ''non-default'' option to re-enable the legacy single-signon (SSO) behavior in a future release.
to:
The problem was that students would momentarily leave their desktop and another student could jump in, open the browser, and transfer funds out of their account or gain access to other sensitive data or functions.  The same can be said for "admin" level users, although with more severe consequences!  To prevent this, we have designed [[https://www.papercut.com/products/ng/ | PaperCut NG]] to ''require'' username/password authentication when the end-user pages are initially accessed.  The new authentication method also provides a consistent login interface for users across all operating systems.  The login screen can also be quickly customized to include your organization logo providing an official look.

Most customers prefer the security and consistency of the new authentication system.  Some however prefer the legacy behavior of the older releases.  The developers have noted this request and are considering adding a ''non-default'' option to re-enable the legacy single-signon (SSO) behavior in a future release.
Changed lines 9-10 from:
Most customers prefer the security and consistency of the new authentication system.  Some however prefer the legacy behavior of the older releases.  The developers have noted this request and are planing on adding a ''non-default'' option to re-enable the legacy single-signon behavior in a future release.
to:
Most customers prefer the security and consistency of the new authentication system.  Some however prefer the legacy behavior of the older releases.  The developers have noted this request and are planing on adding a ''non-default'' option to re-enable the legacy single-signon (SSO) behavior in a future release.
Changed lines 13-14 from:
'''April 2008''' - The PaperCut code based has been recently externally reviewed from a security standpoint.  As a result of this review a number of potential [[http://en.wikipedia.org/wiki/Cross-site_request_forgery | cross-site request forgery]] attacks (XSRF) were found.  This is a relatively new and emerging attach vector.  The potential XSRF vectors were closed up in the 8.2 release.  The security advice on the NTLM topic was that we should keep with our transient authentication method.  Moving to NTLM would be equivilent to introducing persistent authentication and would be against XSRF best security practice.  NTLM would be equivilent to introducing persistent authentication and would unnecessarily expose users.
to:
'''April 2008''' - The PaperCut code based has been recently externally reviewed from a security standpoint.  As a result of this review a number of potential [[http://en.wikipedia.org/wiki/Cross-site_request_forgery | cross-site request forgery]] attacks (XSRF) were found.  This is a relatively new and emerging attach vector.  The potential XSRF vectors were closed up in the 8.2 release.  The security advice on the NTLM topic was that we should keep with our transient authentication method.  Moving to NTLM/SSO would be equivilent to introducing persistent authentication and would be against XSRF best security practice.  NTLM would be equivilent to introducing persistent authentication and would unnecessarily expose users.

Article last modified on June 28, 2018, at 09:26 PM