How to sync and authenticate G Suite and Google Cloud Identity users in PaperCut

The upcoming PaperCut MF and NG v18.3 release will be sweet news for G Suite and Google Cloud Identity organizations. From November 2018, they'll be able to sync and authenticate G Suite users directly from PaperCut MF and NG.

This integration simplifies the printing process for Chromebook, G Suite, and Google Cloud Identity workplaces by allowing users to authenticate with their Google credentials.

When used in conjunction with PaperCut's Mobility Print, organizations such as K-12 Chromebook schools will have a seamless solution for BYOD printing and Google authentication.

This topic describes how to:

• set up user/group synchronization and user authentication with Google Cloud Directory
• set up Single Sign on with Google for Chromebooks, Admin, and User web interfaces (optional).

Both G Suite and Google Cloud Identity use Google Cloud Directory to synchronize users and groups.

Environments with Google Cloud Directory as a user sync source are cost effective and quick to implement because they use Mobility Print and PaperCut NG/MF for end-to-end print requirements, including authentication, reporting, filters, and restrictions.

All you need to do is make sure users can access your WiFi. There's no need to set up or manage a domain (for example Active Directory) or deal with the complexities inherent in managing multiple printer drivers (OSs, multiple vendors, multiple models, etc.).

If you don't want users to access your network, Google Cloud Directory still works with Web print, Email to print and Google Cloud print.

Some examples of Google Cloud Directory environments

A pure Google Cloud Directory environment

Install PaperCut NG/MF in a pure, Google Cloud Directory-only environment.

An existing directory is going to be replaced with a Google Cloud Directory

If your current environment uses an on-premises directory, for example Active Directory (AD), and you want to replace it completely with a Google Cloud Directory, then you first need to migrate all users from your current directory into G Suite. If you prefer, you can do this in stages over a period of time and run a hybrid environment until the full migration is finished. Keep the original directory until you've completed and tested the entire new Google Cloud Directory setup.

An existing directory and new Google Cloud Directory are both going to be synced with PaperCut NG/MF

You can sync PaperCut NG/MF with two user directory sources, one being a traditional directory such as Active Directory and one being a new Google Cloud Directory account. You can even sync directories from two Google Cloud Directories. You set up one directory as the primary sync source and one as the secondary sync source.

If you have internal users and their usernames are the same as any of the Google Cloud Directory user names (without the domain part), then PaperCut NG/MF will merge those users into Google Cloud Directory during the synchronization. These users become G suite users who use their Google credentials with PaperCut NG/MF instead of having an additional PaperCut NG/MF password.

Synchronize user and group details with Google Cloud Directory

This section explains how to connect your PaperCut NG/MF Application Server to Google Cloud Directory.

After you set up LDAP access and permissions for Google Cloud Directory it can take Google Cloud Directory up to 24 hours to apply the changes.

Set up at a glance

The high-level process to set up Google Cloud Directory authentication is as follows:

1. Set up your G Suite or Google Cloud Identity users.
2. Set up Google Cloud Directory access and permissions.
   

   It can take up to 24 hours for Google Cloud Directory changes to apply.

3. Set up Google Cloud Directory sync in PaperCut NG/MF:
   1. If you are planning to remove your local directory, Set up Mobility Print.
   2. Set up the primary sync source
   3. (Optional) Set up the secondary sync source
   4. Set up the Sync Options
   5. Test your new print environment
   6. (Optional) Manage Google Single sign on for Chromebooks

Step 1: Set up your G Suite or Google Cloud Identity users

In Google, depending on your planned environment:

• add users into G Suite
• migrate users into G Suite
• create Cloud Identity user accounts.

Step 2: Set up LDAP access and permissions for G Suite or Google Cloud Identity

Before you start, make sure you can log in to Google as a Super Admin.

1. Log in to admin.google.com using your Super Admin user login details. The Google Admin console is displayed.
2. Click the Apps tile. The Apps screen is displayed.
3. Click the LDAP tile. The LDAP screen is displayed with no LDAP access clients in the list.
4. Click ADD CLIENT. The Add LDAP client screen is displayed showing the Client Details section.
5. Type the name and a description of the LDAP you'll be using to access PaperCut NG/MF; then click CONTINUE. The Access permissions screen is displayed.

   You can find more information from Google about configuring access permissions.

6. In the Verify user credentials section, select Entire domain <domain name>.
7. In the Read user information section, select Entire domain <domain name>.
8. In the Read group information section, click the switch to set it to On; then click ADD LDAP CLIENT. Google displays a confirmation message and information about downloading the certificate.
9. On the same screen, click Download certificate; then save the downloaded PDF in a secure location.
10. Click CONTINUE TO CLIENT DETAILS. The Settings for <LDAP client name> screen is displayed.
    

    The service status is initially set to OFF.

11. Click anywhere in the Service Status box. The Service Status screen is displayed.
12. Select On for everyone. The service status is updated for everyone.
    

    Depending on the size of your organization, it can take up to 24 hours for Google Cloud Directory changes to apply.

Step 3: Set up G Suite or Google Cloud Identity Sync in PaperCut NG/MF

Set up Mobility Print

If you're planning to remove your local directory, you need to set up Mobility Print.

Mobility Print authenticates users without the need for their devices to be logged on to a domain. And it also enables the users' devices to automatically discover the printers you share, so you don't need to push print queues to them.

Using Mobility Print with Google Cloud Directory gives users a consistent and native experience on their devices, whether they are managed or BYOD.

Follow the steps in set up Mobility Print. Make sure you select the Allow users to sign in with their Google account check box.

Set up the primary sync source

1. Log in to the PaperCut NG/MF Admin interface.
2. Select Options > User/Group Sync.
3. In the Sync Source area, in Primary sync source, select Google Cloud Directory.
4. If you haven't already downloaded your LDAP certificate, follow the steps in Set up LDAP access and permissions for Google Cloud Directory.
5. Type your Google Cloud Directory Domain name, for example, melbourneschoolzones.com.
6. Click Choose file and select the Google-generated certificate zip file that you downloaded earlier; then click Install certificate.
   If installation is successful, the message 'The certificate has been installed. It will expire on <day month year>.' is displayed.
7. Select which users to import.
   • Import all users.
   • Import users from selected groups. This option is useful if the domain contains groups of users, where certain groups contain the users who you want to allow to print:
     1. Click Select Groups.
     2. Select the groups you want to import. You can filter the list to find the groups you're after.
        
        • The groups' names are displayed.
        • Nested (sub) groups are not currently supported.
   • Import users by domain using the Config Editor. For example, you might have a domain for staff and a separate domain for students.
     Config key: user-source.gsuite.domain-filter
     Value field: Comma separated list of the domains you want to import. For example, schoolname-students.com
     
8. (Optional) Add card/ID numbers.
   Card and ID numbers are used as an alternative to usernames/passwords for authentication at software Release Stations, or at hardware terminals attached to photocopiers. The card/ID number can also be searched in the user quick-find in the User List page. For more information, see User card and ID numbers.
   In PaperCut NG/MF, you can associate one or two unique card/ID numbers with each user. These are known as the primary and secondary card/ID number. PaperCut NG/MF automatically generate these card/ID numbers for each user.
   
   • Sys Admins can use the number to search for users on the User List page. For more information, see User card and ID numbers.
   • Syncing a card ID from a Google Cloud Directory field is currently not supported. Please contact us so we can update you if this becomes available.
   To add card/ID numbers:
   
   1. In Primary number, select Auto-generate random ID. The Length field is displayed.
      
   2. Type the number of digits you want the card/ID number to be.
      • Short numbers are easy for users to remember and fast to key in, but are also easier for someone to guess.
      • Make the Length long enough to generate numbers for all of your users.
   3. If you require a secondary card/ID number for each user, repeat the above two steps for Secondary number.
9. Scroll down and click Test Settings; PaperCut NG/MF displays progress and the results in the Testing sync settings popup.
10. Review the results to make sure all the expected users are there, and then click Close.
11. Click Apply.
12. If you:
    • have a secondary sync source you need to set up, continue below.
    • do not have a secondary sync source, go to Set up the Sync Options.

(Optional) Set up the secondary sync source

How usernames are handled during a merge with a secondary sync source

A secondary sync source allows you to import users and groups from a second independent external directory source into PaperCut NG/MF.

PaperCut NG/MF treats Google Cloud Directory usernames as globally unique—if the same username exists in both the primary and secondary sync sources, it generates only a single user. When PaperCut NG/MF merges the user's details from both sync sources, it prioritizes the primary sync source details, and then adds any additional details that are in the secondary source.

The priority that PaperCut NG/MF enters details into the Card/Identity Numbers and Other Details fields for the Primary and Secondary fields is:

• Priority 1 — The primary sync source details.
• Priority 2 — The secondary sync source details.
• Priority 3 — The PaperCut NG/MF existing details in the Users > Other Details section.

When you sync, the source details always overwrite what's already in PaperCut NG/MF. PaperCut NG/MF will retain the details in the fields that are not changed in the sync source. If at a later time you stop using the primary or secondary sync source, or if a G Suite or Google Cloud Identity field becomes blank, PaperCut NG/MF will still retain the details in the fields.

Set up the secondary sync source:

1. Set up a second LDAP connection and generate a second certificate for the second sync source. Refer to Set up LDAP access and permissions for Google Cloud Directory.
2. On the User/Group Sync page, in the Secondary Sync Source (Advanced) area, select the Enable secondary sync source check box.
3. If the secondary sync source is a second G Suite account, go to the next step to complete the secondary sync source details.
   For all other directory sources, refer to:
   • Synchronize user and group details with Active Directory
   • Synchronize user and group details with LDAP
   • Synchronize user and group details with Azure AD Secure LDAP
4. Type your G Suite or Google Cloud Identity Domain name, for example, melbourneschoolzones.com.
5. Click Choose file and select the LDAP certificate zip file that you downloaded earlier; then click Install certificate.
   If installation is successful, the message ‘The certificate has been installed. It will expire on <day month year>.' is displayed.
6. Select which users to import.
   • Import all users.
   • Import users from selected groups. This option is useful if the domain contains groups of users, where certain groups contain the users who you want to allow to print:
     1. Click Select Groups.
     2. Select the groups you want to import. You can filter the list to find the groups you're after.

        The groups' names are displayed.

        Sub groups are not currently supported.

   • Import users by domain using the Config Editor. For example, you might have a domain for staff and a separate domain for students.
     Config key: user-source.gsuite.domain-filter
     Value field: Comma separated list of the domains you want to import. For example, schoolname-students.com
     
7. (Optional) Add card/ID numbers.
   Card and ID numbers are used as an alternative to usernames/passwords for authentication at software Release Stations, or at hardware terminals attached to photocopiers. The card/ID number can also be searched in the user quick-find in the User List page. For more information, see User card and ID numbers.
   In PaperCut NG/MF, you can associate one or two unique card/ID numbers with each user. These are known as the primary and secondary card/ID number. PaperCut NG/MF automatically generate these card/ID numbers for each user.

   Syncing a card ID from a Google Cloud Directory field is currently not supported. Please contact us so we can update you if this becomes available.

   To add card/ID numbers:
   1. In Primary number, select Auto-generate random ID. The Length field is displayed.
      
   2. Type the number of digits you want the card/ID number to be.
      • Short numbers are easy for users to remember and fast to key in, but are also easier for someone to guess.
      • Make the Length long enough to generate numbers for all of your users.
   3. If you require a secondary card/ID number for each user, repeat the above two steps for Secondary number.
8. Scroll down and click Test Settings; PaperCut NG/MF displays progress and the results in the Testing sync settings popup.
9. Review the results to make sure all the expected users are there, and then click Close.

   If while matching PaperCut NG/MF detects the same username with different domains after the @ (because they are coming from different sync sources or different domains), it will sync and merge the user. If you want to create separate users in PaperCut NG/MF from the separate domains, please contact us.

10. Click Apply.

Set up the Sync Options

Whereas the sync source(s) you specified above determine where PaperCut NG/MF imports users from, the Sync Options section lets you make choices about what happens during the sync itself.

The options you select in this section:

• affect only users added via the synchronization source
• do not delete users in the PaperCut NG/MF database during the overnight automatic synchronizing
• do not delete users added via Printing solutions for guests and anonymous users. To delete users that do not exist in the Sync source, you must manually synchronize (click Synchronize Now).

1. In the Sync Options area, select what's appropriate for your environment:
   • Update users' full-name, email, department and office when synchronizing
     If a user's details in PaperCut NG/MF do not match those in the synchronization source, update the details in PaperCut NG/MF with the details from the sync source.
   • Import new users and update details overnight
     Synchronization automatically occurs overnight at approximately 12:55am. PaperCut NG/MF imports all new and changed user details. No users are deleted during this sync.
2. Click Test Settings.
   A Testing sync settings popup is displayed, the test runs, and the details of users and user groups that will be modified (updated, added, or deleted) when the actual sync operation runs are displayed. By default a maximum of 100 users are displayed.

   You can configure the maximum number of deletion candidates that are displayed in the Testing sync settings popup. Use the config key user-source.test-sync.max-pending-deletion-entries-displayed.

   For information about setting config keys, see Using the Config Editor.
3. Confirm that the number of users being added and, optionally, being deleted, matches your expectations.
4. Click Apply.
5. Click Synchronise Now. PaperCut NG/MF syncs with Google Cloud Directory. You can view the users in the User List.
6. After the sync, in Users > User List, select a username. The Details screen is displayed.
7. In the Other Details section, check and confirm the Card/Identity Numbers fields show the correct details.

Test your new print environment

Test the end-to-end printing experience on all interfaces to make sure it matches what you intended.

Work with real users and get their feedback on their experience.

If you are not going to set up Google Single sign on, then that's it!

(Optional) Manage Google Single sign on for Chromebooks

By default there will be a Sign in with Google button on Chromebooks so users don't have to re-enter their credentials to log in to PaperCut NG/MF.

If in your environment there are user accounts that do not have gmail email addresses, you might want to consider turning off Single sign on. If you don’t, these users might click the Sign in with Google button and not be logged in because their account won’t be registered in PaperCut NG/MF.

1. Select Options > Mobile/BYOD.
2. In the Mobility Print section, clear the Allow users to sign in with their Google account check box to turn it off.
3. Click Apply.