There are multiple areas in PaperCut where Google SSO can be configured, including Mobility Print, Print Deploy, and when logging into the PaperCut admin and user web interfaces.
Info: Google SSO is only applicable for instances of Mobility Print used in conjunction with PaperCut NG/MF. SSO is not available for those customers running the free version of Mobility Print.
Set up Google SSO for Mobility Print (Chromebooks)
For Mobility Print on Chromebook devices, by default the Sign in with Google button will be enabled so users don’t have to re-enter their credentials to log in. This is for environments where user accounts have Gmail email addresses or Gmail accounts.
In the case of an environment where there are user accounts that do NOT have Gmail email addresses or Gmail accounts, you might want to consider turning off Single sign on. If you don’t, these users might click the Sign in with Google button and not be logged in because their account won’t be registered in PaperCut NG/MF.
To turn off Google SSO for Chromebooks:
Select Enable Printing > Mobile/BYOD.
In the Mobility print section, uncheck the option ‘Allow users to sign-in with their Google account’.
Click Apply.
Set up Google SSO for Print Deploy
Note: Ensure the email address being used to log in to SSO already has an associated user account in PaperCut NG/MF.
Select Enable Printing > Print Deploy.
Click Settings.
Under Authentication methods, ensure that the Google checkbox is selected.
Set the User Identity method to PROMPT.
Click Save.
Note: Switching the User Identity method to PROMPT will impact the configuration for all of your Print Deploy clients, so all Windows, Mac, Chrome, and Linux clients will now be prompted to authenticate.
Set up Google SSO for Admin and User web interfaces
Google Workspace users can always log in to the PaperCut NG/MF Admin or User web interfaces by typing their Google credentials in the Username and Password fields.
If Google SSO has been configured as below, the Username and Password fields will still show on the login screen, but there will also be a Sign in with Google button for users to click instead.
Create the client secret JSON file in Google Workspace
Ensure your PaperCut NG/MF system environment is ready before you start to set up users to log in to PaperCut NG/MF using their Google credentials.
Ensure your organization owns a top-level, public fully qualified domain name (FQDN), for example:
- schoolname.region.edu
- campusname.school.region.edu
We highly recommend you use a secure browser connection, so ensure that you have one. Refer to Forcing use of HTTPS/SSL only. Ensure:
- user and admin access to the system is restricted to be only via SSL
- HSTS is turned on.
Log in to the Google Workspace Developer’s API console. The Google APIs Dashboard screen is displayed.
In the title bar, next to the Google APIs heading, click the dropdown list showing a project name. The Select from popup is displayed.
Do one of the following:
- If a project is already set up for synchronization with PaperCut NG/MF, click the project’s name. The API Dashboard is displayed with the project name in the title bar. Go to the next step.
- If a project is not set up yet, create a new project:
  - At the top right of the popup, click NEW PROJECT. The New Project screen is displayed.
  - In the Project name field, type a name that identifies the project you’ll use for PaperCut NG/MF, for example, PaperCut NG/MF Authorise.
  - Click Create. The Credentials screen is displayed.
  - In the title bar, next to the Google APIs heading, click the project name drop-down. The Select from popup is displayed.
  - Click the new project’s name. The Google APIs main screen is displayed with the project name in the title bar, and the APIs Credentials popup is displayed.
Select the OAuth consent screen tab. The OAuth consent screen is displayed.
Type the details you want users to see when users log in to PaperCut NG/MF Admin or the User Web interface.
Note: If the PaperCut NG/MF Application Server isn’t available on the internet, the Homepage URL will fail to validate on the OAuth consent screen and the message “Request contains an invalid argument” is displayed.
Click Save. The Credentials screen is displayed.
Click Create credentials, then select OAuth client ID. The Create OAuth client ID screen is displayed.
Select Web application. Additional fields are displayed.
In the Name field, type the name for your OAuth Client ID.
Note: This is the name that PaperCut NG/MF will use to identify itself to Google when authorizing/authenticating users. A good example here is PaperCut MF OAuth Client ID.
In the Authorised redirect URIs field, type the full URI of your PaperCut NG/MF Application Server. This URI must exactly match the address that the end-user is accessing in the browser, including the server hostname, domain, and port. For example:
https://papercut.schoolname.region.edu:9192/api/oauth2callback
Note: Unlike the Authorised JavaScript origins URI, this field requires the full URI. Make sure you include the trailing path.
Additionally, since recent security updates, the URI must match the address that the end-user is browsing to, including the server hostname, domain, and port. That means if you’ve enabled standard ports 80 (HTTP) and 443 (HTTPS), which allows users to browse to the address of the server without specifying a port number, then you should add https://papercut.schoolname.region.edu/api/oauth2callback as a trusted URI.
This also means that if an administrator is using “localhost” to access the server, then SSO will only work if that URI has been added to the trusted list. In that case, add http://localhost:9191/api/oauth2callback for HTTP and https://localhost:9192/api/oauth2callback for HTTPS. If the address is not added to the list of trusted URIs, users may see the errors “access blocked: this app’s request is invalid” and “error 400: redirect_uri_mismatch” after clicking the Sign in with Google button to log in.
Click Create. The OAuth client popup displays your client ID and client secret. You will use these credentials when you set up the sync source in PaperCut NG/MF.
Click OK. The Credentials screen is displayed. No need to save the credentials from here because you’ll download them in a few steps.
Click to download the credentials as a JSON file.
Note: The file is called client_secret_<your Client ID>.JSON. This is the client secret JSON file you need to be able to authorize PaperCut NG/MF to sync with Google.
Note: Ensure the URI for the Admin interface you log in to is exactly the same as the URI you entered when setting up Google Workspace (on the Create OAuth client ID screen, in the Authorized JavaScript origins field). For example, https://papercut.schoolname.region.edu:9192/admin
In the Admin web interface, select Options > User/Group Sync; then scroll to the Single Sign on with Google section.
Select the Enable the “Sign in with Google” button on the Admin and User web interfaces checkbox.
Click Choose file, then select the JSON file you downloaded.
Click Upload client secret. The file is uploaded.
Test with real users to confirm the Sign in with Google button is visible on the PaperCut NG/MF login screen and works as expected.
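The following check is an added example, not PaperCut's own tooling: it reads a client secret JSON file and reports which addresses users browse to have no exactly matching Authorised redirect URI, the condition that produces redirect_uri_mismatch. It assumes the downloaded file has a top-level "web" object with a "redirect_uris" list; the sample file contents, client ID and secret below are constructed placeholders.

```python
import json
from urllib.parse import urlsplit

CALLBACK_PATH = "/api/oauth2callback"  # callback path given in the article

# Constructed sample laid out like a "Web application" client secret file;
# client_id and client_secret are placeholders, not real credentials.
SAMPLE_CLIENT_SECRET = json.dumps({
    "web": {
        "client_id": "EXAMPLE-CLIENT-ID.apps.googleusercontent.com",
        "client_secret": "EXAMPLE-PLACEHOLDER",
        "redirect_uris": [
            "https://papercut.schoolname.region.edu:9192/api/oauth2callback",
            "http://papercut.schoolname.region.edu:9191/api/oauth2callback",
        ],
    }
})


def audit_redirect_uris(client_secret_json, browsed_addresses):
    """Return (missing, insecure) redirect URIs for the addresses users browse to."""
    registered = json.loads(client_secret_json)["web"].get("redirect_uris", [])
    missing = []
    for address in browsed_addresses:
        parts = urlsplit(address)
        # Scheme, host and port are kept exactly as typed; only the path changes.
        expected = f"{parts.scheme}://{parts.netloc}{CALLBACK_PATH}"
        if expected not in registered and expected not in missing:
            missing.append(expected)
    # Plain-HTTP callbacks other than localhost bypass the HTTPS-only setup.
    insecure = [uri for uri in registered
                if urlsplit(uri).scheme != "https"
                and urlsplit(uri).hostname != "localhost"]
    return missing, insecure


if __name__ == "__main__":
    missing, insecure = audit_redirect_uris(SAMPLE_CLIENT_SECRET, [
        "https://papercut.schoolname.region.edu:9192/admin",
        "https://papercut.schoolname.region.edu/user",   # standard port 443
        "https://localhost:9192/admin",                  # admin on the server
    ])
    for uri in missing:
        print("not registered, expect redirect_uri_mismatch:", uri)
    for uri in insecure:
        print("registered over plain HTTP:", uri)
```

The comparison is a plain string match, which is the strictest reading of "must exactly match", so a missing port or a different hostname is reported as a gap.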