
PaperCut and Access Management

Here at Selectec we are often asked about Access Management and Identity as a Service (IDaaS) solutions for PaperCut. These solutions are designed to save admins time when onboarding new staff members or granting access to applications and services, and they provide a greater level of security through a centralised credential system.

This gives each user a single account, so they can use any service they need (assuming the provider supports it) without having to generate or store a new username and password per service.

Let’s take a look at a few of the different options and how you can use them with PaperCut (over time this will be updated as we get asked about other providers).

Okta

To get Okta working with PaperCut, the quickest and recommended solution is to use the Okta LDAPS connector. This will allow you to sync your user accounts and authenticate from any of PaperCut’s user-facing clients.

LDAP Server Type: Standard (Unix / Open Directory)

Hostname: <org_subdomain>.ldap.<domain>.com

Use SSL: Checked

Base DN: ou=users,dc=<org_subdomain>,dc=<domain>,dc=com

Admin DN: uid=<username>,dc=<org_subdomain>,dc=<domain>,dc=com

Admin Password: CorrectHorseBatteryStaple

With Okta, <domain> could be oktapreview, okta or okta-emea, depending on your region and whether you are in the preview program.

OneLogin

OneLogin, like Okta, has a good set of features, APIs and app integrations you can use. It also has an LDAP interface, which makes importing and authenticating users in PaperCut simple.

LDAP Server Type: Standard (Unix / Open Directory)

Hostname: ldap.us.onelogin.com

Use SSL: Checked

Base DN: dc=<subdomain>,dc=onelogin,dc=com

Admin DN: cn=<email>,ou=users,dc=<subdomain>,dc=onelogin,dc=com

Admin Password: CorrectHorseBatteryStaple

JumpCloud

JumpCloud is one we have covered before, but it is worth adding to make this list a bit more complete. The quick version is that you can use LDAPS to sync and authenticate your users.

LDAP Server Type: Standard (Unix / Open Directory)

Hostname: ldap.jumpcloud.com

Use SSL: Checked

Base DN: ou=users,o=<org_id>,dc=jumpcloud,dc=com 

Admin DN: uid=<username>,ou=users,o=<org_id>,dc=jumpcloud,dc=com

Admin Password: CorrectHorseBatteryStaple

Foxpass

Foxpass gives you all the features you would expect when it comes to access management. It supports Linux desktops and servers, Wi-Fi authorisation through RADIUS, and a bit of management for SSH keys. It also has an LDAP interface that you can use with PaperCut for importing and authenticating users.

LDAP Server Type: Standard (Unix / Open Directory)

Hostname: ldap.foxpass.com

Use SSL: Checked

Base DN: dc=<domain>,dc=<com> 

Admin DN: cn=<LDAP binder name>,dc=<example>,dc=<com>

Admin Password: CorrectHorseBatteryStaple

TL;DR

The quick version: if the ID provider has an LDAP interface, the users can be synced and will be able to authenticate from all of the clients. If there is only a SAML option and you want some form of SSO, you would need to import the users manually, then configure a reverse proxy to use Shibboleth with SAML to allow access to the /user or /admin interface.

Quick reference guide

The table below is a quick reference guide to what you would need to put in PaperCut. In the password field, enter your password for that service. Where supported, we have opted only for LDAPS, which should be the default option for everyone now.


| Service | Type | Server Address | Port | Use SSL | Base DN | Admin DN | SAML Option |
|---|---|---|---|---|---|---|---|
| Okta | Standard | <subdomain>.ldap.<domain>.com | 636 | Yes | ou=users,dc=<subdomain>,dc=<domain>,dc=com | uid=<username>,dc=<subdomain>,dc=<domain>,dc=com | Yes |
| OneLogin | Standard | ldap.us.onelogin.com | 636 | Yes | dc=<subdomain>,dc=onelogin,dc=com | cn=<email>,ou=users,dc=<subdomain>,dc=onelogin,dc=com | Yes |
| JumpCloud | Standard | ldap.jumpcloud.com | 636 | Yes | ou=users,o=<org_id>,dc=jumpcloud,dc=com | uid=<username>,ou=users,o=<org_id>,dc=jumpcloud,dc=com | Yes |
| Foxpass | Standard | ldap.foxpass.com | 636 | Yes | dc=<domain>,dc=<com> | cn=<LDAP binder name>,dc=<example>,dc=<com> | No |
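Before entering these values into PaperCut, the LDAPS endpoint and the sync account's bind can be checked from a shell. The script below is an added example, not Selectec's or PaperCut's code: it covers the Okta, OneLogin and JumpCloud templates from this page, its function names are hypothetical, and it assumes the OpenLDAP client tools and OpenSSL 1.1.0 or later are installed.

```shell
#!/bin/sh
# Added example (not Selectec's or PaperCut's code): pre-flight check for the
# LDAPS settings above. Org, user and region values are caller-supplied.

# Escape characters that are special inside a DN attribute value (RFC 4514),
# e.g. the "+" in a plus-addressed OneLogin e-mail used as cn=<email>.
escape_rdn() {
  printf '%s\n' "$1" | sed 's/[\\,+"<>;]/\\&/g'
}

# Print "host|base_dn|admin_dn" built from the page's per-provider templates.
# $1 provider, $2 org subdomain or org id, $3 bind user, $4 Okta <domain>.
ldaps_settings() {
  org=$2 user=$(escape_rdn "$3") dom=${4:-okta}
  case "$1" in
    okta)
      printf '%s|%s|%s\n' "$org.ldap.$dom.com" \
        "ou=users,dc=$org,dc=$dom,dc=com" "uid=$user,dc=$org,dc=$dom,dc=com" ;;
    onelogin)
      printf '%s|%s|%s\n' "ldap.us.onelogin.com" \
        "dc=$org,dc=onelogin,dc=com" "cn=$user,ou=users,dc=$org,dc=onelogin,dc=com" ;;
    jumpcloud)
      printf '%s|%s|%s\n' "ldap.jumpcloud.com" \
        "ou=users,o=$org,dc=jumpcloud,dc=com" "uid=$user,ou=users,o=$org,dc=jumpcloud,dc=com" ;;
    *) echo "unknown provider: $1" >&2; return 2 ;;
  esac
}

# Verify the certificate on port 636, then bind as the sync account.
check_ldaps() {
  settings=$(ldaps_settings "$@") || return 2
  IFS='|' read -r host base_dn admin_dn <<EOF
$settings
EOF
  # 1. Chain and hostname must verify; a failure here means the endpoint's
  #    identity cannot be confirmed, so stop before sending credentials.
  openssl s_client -connect "$host:636" -verify_return_error \
    -verify_hostname "$host" </dev/null >/dev/null 2>&1 ||
    { echo "TLS verification failed for $host:636" >&2; return 1; }
  # 2. -W prompts for the password, keeping it out of argv and shell history.
  LDAPTLS_REQCERT=demand ldapsearch -x -H "ldaps://$host:636" \
    -D "$admin_dn" -W -b "$base_dn" -s base '(objectClass=*)' dn
}

# Usage: check_ldaps jumpcloud <org_id> <username>
```

A bind that succeeds here but fails in PaperCut points at the values typed into the sync source rather than at the provider.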

As always, if you need a helping hand to get your Access Management up and running, then get in touch with the team.