Difference between revisions of "Papercut"

From Studentnet Wiki
Jump to navigation Jump to search
Line 55: Line 55:
 
</ISAPI>
 
</ISAPI>
 
</InProcess></code>
 
</InProcess></code>
 +
 +
'''NOTE:''' If you are running Shibboleth V3 then an additional entry needs to be put into the code above. V3 requires the command useHeaders="true". Therefore, if you are implementing a Shibboleth V3 configuration, please use
  
 
[[Category:Single Sign On Services]]
 
[[Category:Single Sign On Services]]

Revision as of 06:01, 8 August 2019

PaperCut is a print and copy output management software

Setup

Background

There are a number of places where PaperCut authenticates users, which occurs before the document is printed, at the time of printing and after printing. Before printing:

  • Administrate PaperCut or view reports through the admin web interface
  • End users visit the user web interface to submit web print jobs, view statistics and top up their account for example.
  • Identify the owner of a print job, whether they print from a managed, shared or self managed BYOD device

At the time of printing:

  • Authenticate the user at the release station, through methods like username and password, card swipe, two factor authentication with card and pin or even biometric options.

Add accountability to the document forever:

Optionally apply a watermark / digital signature to all pages, which adds an encrypted HMAC signature to the page which can be traced back to the user who printed the document. When authenticating users, PaperCut interfaces directly with directory services like Active Directory or LDAP. Additionally, you can also configure single sign-on on the admin web interface and user web interface, where PaperCut will rely on an external SAML service for authentication.

IIS Configuration (Shibboleth)

If you have not already done so install IIS onto either the PaperCut Application Server or a different server. If you install IIS onto the PaperCut Application Server make sure you have not configured PaperCut MF to use port 80 or 443 and make sure you don’t tell IIS to use any of the standard PaperCut ports (9191, 9192, 9193).

You will need to make sure that you have ISAPI Extensions and ISAPI Filters installed on IIS which can both be found under Add Server Roles > Web Server (IIS) > Web Server > App Development

Cloudwork Configuration

Download the metadata from here enter the FQDN for your IIS Server followed by /Shibboleth.sso/Metadata (For iis.domain.vm the URL would be iis.domain.vm/Shibboleth.sso/Metadata) and then upload the XML file

Edit Claim Issuance Policy

Right click the Party Trust and select Edit Claim Insurance Policy and choose the best suiting rule template.

Select the AD attribute to send back and what type of outgoing claim type to set this to. Give the claim a name and select Active Directory from the Attribute store. Under LDAP Attribute select SAM-Account-Name and set the Outgoing type to Windows Account Name.

Finish

Shibboleth Installation & Configuration

Download the latest version of Shibboleth from: https://shibboleth.net/downloads/service-provider/latest/ and install it using the default options. All files will be found under [C:\opt\shibboleth-sp\etc\shibboleth]

Open shibboleth2.xml with a text editor

Edit InProcess so we use the correct IIS site

We need to change the site name. This will be the Fully Qualified Domain Name (FQDN) that your users connect to.

<InProcess logger="native.logger">

<ISAPI normalizeRequest="true" safeHeaderNames="true">

<Site id="1" name="iis.domain.vm" scheme="https" port="443"/>

</ISAPI> </InProcess>

NOTE: If you are running Shibboleth V3 then an additional entry needs to be put into the code above. V3 requires the command useHeaders="true". Therefore, if you are implementing a Shibboleth V3 configuration, please use