Single Sign-On (SSO) helps users without re-entering credentials to access PaperCut NG/web MF’s interface. For example, on the PaperCut NG/MF login screen, you can give a logged-in Windows user direct access to the PaperCut NG/MF web interface without having to re-enter their username and password. SSO is also especially appealing to sites with an intranet portal, as it enables various IT systems to be incorporated seamlessly into the portal without the need for separate logins. Single Sign-On also goes hand in hand with technologies such as two-factor authentication used in high-security environments. Sign-on will require the display of an ID card or reading a card with two-factor authentication.
In certain instances, user passwords are controlled and not known to the user by the security system, making it difficult to log in using a conventional login screen. The SSO support from PaperCut NG/MF enables PaperCut NG/MF to exploit the two-factor protection already in place.
An advanced subject is Web Single Sign-on. For many pages, the regular web login built-in with PaperCut NG/MF is most fitting.
Two separate web SSO approaches are provided by PaperCut NG/MF:
A Stanford University developed and freely licenced web authentication framework. It is deployed as an Apache module and operates on the PaperCut NG/MF Application Server by intercepting requests.WebAuth is operating system neutral, but needs to be set up with professional experience. The WebAuth integration of PaperCut NG/MF is actually very generic and is also used at many customer sites for Shibboleth SSO integration.
Integrated Windows Authentication
For Windows domain environments where the same Windows domain and intranet zone are accessed by both PaperCut NG/MF Application Server and user computers. PaperCut NG/MF uses current Windows technologies via Integrated Windows Authentication to securely recognise Windows domain users as PaperCut NG/MF users.
- Session Cookies
In the default browser configuration, these two choices are often allowed. Please note that cookies only need to be allowed at the (temporary) session level – these cookies do not live through the restart of the browser and cannot be used to monitor your past visits to different websites.
Mobile devices as access credentials
Using mobile devices as access credentials, a new variant of single sign-on authentication has been developed. By using authentication methods including OpenID Connect and SAML in combination with the X.509 ITU-T cryptography certificate used to identify the mobile device to the access server, users’ mobile devices can be used to automatically log them into various systems, such as building-access-control systems and computer systems.
In comparison to a password that is “something you have” a mobile device is “something you know” or biometrics (fingerprint, retinal scan, facial recognition, etc.), which is “something you are” For the best defence, security experts suggest using at least two of these three factors (multi-factor authentication).