PrinterLogic Feature Updates – April 2022

We’re excited to announce some feature updates that are now available with PrinterLogic. Check out what’s new in serverless printing: 

Secure Release Printing Updates

  • New Ricoh and Fuji Xerox printer support. We recently launched new CPAs for Ricoh and Fuji. The Gen 2 CPA for Ricoh means SaaS now supports the manufacturer’s MP-series printers. In addition, we now support the ApeosPort series of Fuji Xerox printers (more than 60 models). 
  • New Control Panel Application (CPA) Manager. SaaS and the Virtual Appliance now include a new CPA Manager tool that’s found on your Service Client object on the Printer Apps tab. The CPA Manager is a quick way to get status or help troubleshoot all CPA installations in your environment. It allows up to 250 printer app installations or reconfigurations in batch mode. More information can be found in the CPA Manager topic in our documentation.

Identity (IdP) Update

Concurrent IdP support now in production. As part of our new Advanced Security Bundle, multiple IdPs can be configured and enabled simultaneously. This is especially helpful when bringing a new acquisition into the organization. New workgroups can be merged into the organization’s print environment even if the new acquisition uses a different IdP.

Mobile App Updates

  • Full suite of IdPs now supported. Our PrinterLogic App for iOS and Android now supports the same IdPs that are available within our SaaS platform. The roster now incorporates 10 providers, including Ping One, Ping Federate, CyberArk (formerly Idaptive), JumpCloud, OneLogin, ForgeRock, Google Identity, and more.
  • Enhanced Mobile Device Manager (MDM) support. App deployments now include preconfiguring the customer’s PrinterLogic instance URL. This simplifies the sign-in process for the end user and reduces help-desk calls.

Virtual Appliance Updates

  • Security vulnerability fix now available in VA Host update (1.0.742). Recently, an out-of-bounds vulnerability assigned to CVE-2021-44142 was disclosed in Samba versions prior to 4.13.17. This has been remediated. PrinterLogic VA customers with host versions 1.0.735 and earlier should update their VA Host, which includes the latest application release as well. Release notes and associated files can be found here.
  • Just in Time (JIT) provisioning for IdP-managed Badge/PIN and more. We know that for Virtual Appliance customers, JIT provisioning is preferred to SCIM. With that in mind, we just expanded the list of user attributes that can be provisioned, including authPin, authPinUser, badge, manager, department, and job title—if they are configured in the IdP. This means you can take advantage of IdP-managed badge and PIN, a feature that was only available in SCIM apps previously.

Advanced Reporting Update

Enterprise Data Warehouse (EDW) now available in PrinterLogic SaaS and the VA. The EDW feature facilitates data mining using your own Business Intelligence (BI) tools. The feature lets business analysts create custom reports for resources managed by PrinterLogic, including print jobs in a specific time frame filtered by printer type, region, paper type, black/white vs. color, etc. It supports standard BI tools such as Crystal Reports, Domo, Tableau, and more.

To learn more about these feature updates or our full PrinterLogic feature set, contact our customer support team.

PrinterLogic Announces Concurrent Identity Providers (IdPs) Support

In 2019, when PrinterLogic first previewed its integration with two leading cloud-based Identity Providers, we were ahead of the pack. At the time, no other enterprise print management solution supported Okta and Azure AD. 

Since then, the roster of IdPs we support has expanded to 10 providers, including Ping One, Ping Federate, CyberArk (formerly Idaptive), JumpCloud, OneLogin, ForgeRock, Google Identity, and more. This list covers all of Gartner’s Magic Quadrant leaders as of October 2021.

Identity Process Diagram

Core benefits of cloud-based IdPs

IdP integration allows customers to loop PrinterLogic into their existing access-management environment, which provides the following benefits:

  • Removes the need to set up separate users and passwords
  • Enables multifactor authentication (MFA) for improved security
  • Reduces help-desk tickets related to forgotten passwords

Until now, PrinterLogic IdP support was limited to one IdP at a time. But that limitation is over.

Integration of acquired workgroups

With new concurrent IdP support, you can now have multiple IdPs configured and enabled simultaneously. Enterprises can support multiple instances of an IdP (Azure, Okta, Ping, etc.) in a homogeneous network with the same SaaS instance of PrinterLogic.

Likewise, companies can use multiple instances of different IdPs in a heterogeneous network for access to a single PrinterLogic instance. This is especially helpful for IT managers tasked with bringing a new acquisition into the organization. New workgroups can be merged into the organization’s print environment even if the new acquisition uses a different IdP. This can save IT a lot of time.

For example, let’s say a parent organization uses Okta as their IdP, and they just acquired a second company that uses Azure AD. Without PrinterLogic’s concurrent IdP support, the parent company has to create new user records in their existing Okta environment for the new workgroup. This could amount to several days of downtime for the new employees. 

With PrinterLogic’s new concurrent IdP feature, however, the parent company can add the Azure AD group in our Admin Console in about five minutes. Both IdPs are available to PrinterLogic and work in tandem. The newly acquired users are up and running in the new environment with almost zero downtime.  

Managing different user teams within the same enterprise

Another use case for the new feature is when organizations prefer to manage their administrative users and other end users in separate environments. This can be done via two different applications of the same IdP, or via two different IdP providers (e.g., administrative users are managed in PingFederate, and end users managed in Okta). One reason for this approach is to satisfy security policies or better serve existing infrastructure and processes.

PrinterLogic’s integration with more than 10 Identity Provider services—including cloud-based and on-premises IdPs—means we offer easy-to-manage serverless printing to security-conscious companies that want Zero Trust, MFA, and SSO benefits. We’re one of the few SaaS print management solutions that can do this, making our product ideal for large enterprises, especially those that have grown through acquisition.

For more information about how our IdP integration works, see our white paper, titled “PrinterLogic Integration with Cloud-based Identity Providers”.

A true SaaS solution that eliminates all print-related infrastructure

Unlike some “cloud-optimized” print management software, PrinterLogic is a true, multi-tenant SaaS offering. It’s not a cloud-hosted shortcut that leaves you stuck with server licensing, configuration, and maintenance. Automatic updates ensure you have the most current and reliable solution possible—backed by a guaranteed service-level agreement.

Provisioning Users and Groups in PrinterLogic with an IdP

As companies move to the cloud, they often retire their legacy LDAP systems and begin using SaaS Identity Providers (IdPs), a topic discussed in an earlier blog. One of the specifications required by many IdPs is SCIM, a System for Cross-domain Identity Management. SCIM synchronizes data related to which employees are authorized users of an application and which ones are not.

At Vasion, we created a SCIM client to automatically provision users and groups inside the PrinterLogic application. The interface complies with the SCIM specification and works with all three SCIM implementations used by major IdPs. In this blog post, we’ll discuss the purpose of SCIM, how it works, and how you can set it up in PrinterLogic.

What is SCIM?

SCIM is an open standard that manages user identity information. It securely automates the exchange of user identity data between an organization and SaaS applications such as PrinterLogic. Cloud applications like PrinterLogic are known as “service providers” (SPs) in the SCIM topology.

As company employees come and go, their access to enterprise applications is added or removed. If the enterprise uses an IdP that employs SCIM, an IT admin makes employee access changes in one place – the IdP – and those changes are automatically forwarded to SP applications (see diagram below). This greatly simplifies an IT admin’s job and ensures that employee app permissions don’t fall through the cracks.

Identity Process Diagram

How does SCIM work?

SCIM is an open standard specification used by an IdP for automating the exchange of user identity information. Consider an organization hiring new workers to replace employees who have recently left the company. The organization’s directory must be updated to reflect these changes, which enables access for the new employees and removes access for those who have gone.

To make a directory update, the IT administrator simply makes the needed change in the IdP admin console and the change is automatically pushed to all SCIM-enabled applications. This “edit once, change all” feature lets IT teams manage user identities faster and more easily. Users authenticated by the IdP are then authorized to access PrinterLogic. They can print needed documents and use other SaaS applications to accomplish their assigned tasks.

Here’s a more in-depth look at how the SCIM process works. SCIM provides four basic capabilities: Create, Read, Update, and Delete. When an employee joins a company, a few steps take place:

  1. An IT admin creates their profile in the IdP admin console.
  2. The new employee’s userName, firstName, lastName, and email are “pushed” to the relevant applications via SCIM, and the account is created in the data store within the application.
  3. If needed, cloud apps can query or read the group info from the IdP. 
  4. If an employee’s data changes (name change, email change, etc.), the IdP uses SCIM to push the data updates to SCIM-enabled apps like PrinterLogic. 
  5. When an employee leaves the company, they are deleted from the IdP, which in turn deletes them from all application data stores.
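
Steps 2 through 5, seen from the service-provider side, as an added example that is not PrinterLogic's code: the class name, token value and sample user are constructed for illustration. Attribute names follow the SCIM core User schema (RFC 7643), where the firstName and lastName mentioned above correspond to name.givenName and name.familyName.

```python
import hmac
import uuid

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"        # RFC 7643
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"    # RFC 7644

class ScimEndpoint:
    """Hypothetical in-memory stand-in for a service provider's /Users endpoint."""
    def __init__(self, token):
        self._token, self.users = token, {}
    def handle(self, method, path, auth, body=None):
        # The IdP sends the SCIM token as a bearer credential; compare in constant time.
        supplied = auth[7:] if auth.startswith("Bearer ") else ""
        if not hmac.compare_digest(supplied.encode(), self._token.encode()):
            return 401, None
        parts, body = path.strip("/").split("/"), body or {}
        uid = parts[1] if len(parts) > 1 else None
        if parts[0] != "Users":
            return 404, None
        if method == "POST" and uid is None:               # step 2: create
            if USER_SCHEMA not in body.get("schemas", []) or "userName" not in body:
                return 400, None
            uid = str(uuid.uuid4())
            self.users[uid] = {**body, "id": uid}
            return 201, self.users[uid]
        if uid not in self.users:
            return 404, None
        if method == "GET":                                # step 3: read
            return 200, self.users[uid]
        if method == "PATCH":                              # step 4: update
            for op in body.get("Operations", []):
                if op.get("op", "").lower() == "replace" and "path" in op:
                    *parents, leaf = op["path"].split(".")
                    node = self.users[uid]
                    for key in parents:
                        node = node.setdefault(key, {})
                    node[leaf] = op["value"]
            return 200, self.users[uid]
        if method == "DELETE":                             # step 5: deprovision
            del self.users[uid]
            return 204, None
        return 405, None

def lifecycle_demo():
    sp, auth = ScimEndpoint("constructed-token"), "Bearer constructed-token"
    user = {"schemas": [USER_SCHEMA], "userName": "jdoe", "name": {"familyName": "Doe"}}
    path = "/Users/" + sp.handle("POST", "/Users", auth, user)[1]["id"]
    op = {"op": "Replace", "path": "name.familyName", "value": "Roe"}
    renamed = sp.handle("PATCH", path, auth, {"schemas": [PATCH_SCHEMA], "Operations": [op]})[1]
    return renamed["name"], sp.handle("DELETE", path, auth)[0], sp.handle("GET", path, auth)[0]
```

After the DELETE, a read of the same resource returns 404, which is the check to run when confirming that a departed employee's account is really gone from the application's data store.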

How do I set up SCIM? 

Setting up SCIM is fairly straightforward. First, the SP needs to provide the link to their SCIM client and a SCIM token. Every Service Provider creates a small software client (called a tenant) to receive SCIM information. For example, PrinterLogic provides the SCIM tenant on Tools>Settings>General>IdP Settings, as shown in the image below.

Service Provider Information

Second, the SCIM token is generated in the SCIM tab, as you can see below.

SCIM Settings

Finally, once you have the Relay State, IdP Identifier, and the SCIM token, that information will be used in the IdP. 

The following screenshot examples show where that information is used in several leading IdPs.

Microsoft Azure

In Microsoft Azure, the SCIM tenant URL and token are easily identified under the Admin Credentials pane.

Azure Admin Credentials

Okta

In Okta, the tenant URL is set up in the Sign On tab – it is automatically created by entering the IdP ID of the instance.

Okta Sign-On

The SCIM token is entered on the Provisioning tab under Integration.

PrinterLogic Configuration

CyberArk (formerly Idaptive)

For companies using CyberArk, the relevant information is found under the “SCIM Server URL” and “Bearer Token” fields, which live on the Provisioning page.

CyberArk Provisioning

Conclusion

Vasion’s PrinterLogic platform provides an enterprise solution that supports all of the major open specifications like SCIM, Security Assertion Markup Language (SAML), OpenID Connect (OIDC), and Just-In-Time (JIT). This enables organizations to take advantage of the benefits of IdPs with confidence that security protocols like SCIM are protecting their data.