PrinterLogic SaaS and Cloud-based Identity Providers (IdP)

PrinterLogic, the world leader in Serverless Printing Infrastructure (SPI), has announced General Availability of Version 1 of its integrations with the cloud-based IdPs Okta and Azure AD. For PrinterLogic SaaS customers, this release provides support for SAML 2.0-based federated authentication. 

PrinterLogic gives organizations the ability to eliminate print servers and provides a centrally managed direct IP print infrastructure. PrinterLogic publishes two distinct web pages and installs a client on end-user workstations to communicate with the server and facilitate printing.

All of these elements need to authenticate the user and decide what that user is authorized to do. This blog explains where the integration points with a cloud-based IdP are.

No more Active Directory

The PrinterLogic web-based Admin Console enables administrators to centrally manage both printer and driver deployments by users and groups. This console supports role-based access control (RBAC) so admins have access rights only to the information they need. Traditionally, PrinterLogic SaaS has relied on Active Directory and LDAP to authenticate admins and automate deployment of printers to end users.

PrinterLogic’s Self-service Installation Portal enables end users to perform routine printer installs by themselves with a single click, and traditionally relies on their AD identity to grant them access to only the printers they are allowed to install.

Windows and Mac clients also traditionally rely on the user’s AD identity to perform their tasks such as installing and removing printers and/or new profiles.

What is a cloud-based IdP?

A cloud-based IdP lets IT admins control which users can reach which SaaS applications, and typically adds Multi-factor Authentication (MFA) and Single Sign-on (SSO) on top of that. 

Authentication and Authorization are both common terms in the world of Identity and Access Management (IAM). Cloud-based IdP is a subset of this larger IAM market space.

Authentication is the act of validating that users are who they claim to be, while Authorization is the process of deciding which resources or functions an authenticated user may use. Authorization is often used interchangeably with access control.

SAML (Security Assertion Markup Language) is an XML-based standard used for exchanging authentication and authorization data between an IdP and a Service Provider (SP). The SP is typically a cloud-based application, and in Figure 1 below the SP is PrinterLogic.

In an SSO system, a user logs in once to the system and can access multiple systems without being prompted to sign in for each one.

PrinterLogic SaaS support for IdP

PrinterLogic SaaS is part of the Okta Integration Network (OIN) as both a SAML- and Provisioning-enabled Application. It is also part of the Microsoft Azure App Gallery. 

Online documentation is available for Azure AD and Okta to help IT teams configure PrinterLogic for integration with these services.

Figure 1 illustrates the integration between PrinterLogic SaaS and a cloud-based IdP.

Figure 1: Integration between PrinterLogic SaaS and a Cloud-based IdP.

How IdPs and PrinterLogic work together

The flow of communication between the IdP and PrinterLogic is as follows:

  1. The end user opens the PrinterLogic SaaS Self-service Portal in a web browser.
  2. PrinterLogic SaaS generates a SAML authentication request (AuthnRequest) and redirects the browser to the IdP’s SSO endpoint.
  3. The IdP parses the SAML request and, unless the user already has an IdP session, prompts for credentials (and MFA, if configured).
  4. The IdP authenticates the end user.
  5. The IdP generates a signed, Base64-encoded SAML response and sends it back through the browser to PrinterLogic SaaS.
  6. PrinterLogic SaaS verifies the IdP’s signature on the response, authorizes the user, and grants access to the Self-service Portal.

SAML defines two separate sign-in flows, both of which PrinterLogic SaaS supports. 

  1. The first, known as an SP-initiated flow, occurs when the user attempts to sign in to a SAML-enabled SP via its login page. Instead of prompting the user for a password, an SP configured for SAML redirects the user to the IdP, which handles the authentication and redirects the user back to the SP with a SAML response that identifies them as a verified user.
  2. The second, known as an IdP-initiated flow, occurs when the user logs into the IdP and launches the SP application by clicking its icon on their IdP home page. If the user has an account on the SP side, they are signed in and generally land on the application’s default page, which in the case of PrinterLogic is the Self-service Installation Portal. Because the SP never issued a request in this flow, the SAML response it receives is unsolicited and carries no InResponseTo reference; the SP can only rely on the IdP’s signature, the audience restriction and the assertion’s validity window, which is why some organizations allow only the SP-initiated flow.
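The six-step exchange and the two flows above, written out from the SP side as an added example (this is illustrative code, not PrinterLogic’s implementation). It builds the AuthnRequest for step 2 over the HTTP-Redirect binding, and for steps 5 and 6 applies the checks that decide whether a SAML response may be trusted: Destination, Issuer, status, InResponseTo, replay, validity window, audience and subject confirmation. The entity IDs, URLs and the `idp_response` helper that stands in for the IdP are assumptions constructed for the example; the XML signature check is deliberately left to a library such as xmlsec or python3-saml and must run before any of these checks are trusted.

```python
import base64
import secrets
import urllib.parse
import zlib
import xml.etree.ElementTree as ET  # production code should parse untrusted XML with defusedxml
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def saml_time(dt):
    return dt.astimezone(timezone.utc).strftime(TIME_FMT)


def parse_time(text):
    return datetime.strptime(text, TIME_FMT).replace(tzinfo=timezone.utc)


class ServiceProvider:
    """Hypothetical SP (the role PrinterLogic SaaS plays in Figure 1), reduced to the
    checks that decide whether a SAML Response may be trusted."""

    def __init__(self, entity_id, acs_url, idp_entity_id, idp_sso_url, allow_idp_initiated=False):
        self.entity_id, self.acs_url = entity_id, acs_url
        self.idp_entity_id, self.idp_sso_url = idp_entity_id, idp_sso_url
        self.allow_idp_initiated = allow_idp_initiated
        self.pending = {}             # AuthnRequest IDs we issued and have not yet consumed
        self.seen_assertions = set()  # replay cache; prune by NotOnOrAfter in production

    def build_redirect(self, now):
        """SP-initiated step 2: AuthnRequest sent over the HTTP-Redirect binding."""
        req_id = "_" + secrets.token_hex(16)
        xml = (f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
               f'ID="{req_id}" Version="2.0" IssueInstant="{saml_time(now)}" '
               f'Destination="{self.idp_sso_url}" AssertionConsumerServiceURL="{self.acs_url}" '
               f'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
               f'<saml:Issuer>{self.entity_id}</saml:Issuer></samlp:AuthnRequest>')
        deflater = zlib.compressobj(9, zlib.DEFLATED, -15)  # raw DEFLATE, as the binding requires
        encoded = base64.b64encode(deflater.compress(xml.encode()) + deflater.flush()).decode()
        self.pending[req_id] = now
        return req_id, self.idp_sso_url + "?" + urllib.parse.urlencode({"SAMLRequest": encoded})

    def consume_response(self, saml_response_b64, now):
        """Steps 5-6: accept the Response POSTed to the ACS URL and return the NameID.
        Precondition handled elsewhere (xmlsec / python3-saml): the XML signature has
        already been verified against the IdP certificate configured on the SP."""
        root = ET.fromstring(base64.b64decode(saml_response_b64))
        if root.get("Destination") != self.acs_url:
            raise ValueError("Destination is not our ACS URL")
        if root.find("saml:Issuer", NS).text != self.idp_entity_id:
            raise ValueError("Response issued by an unexpected IdP")
        if root.find("samlp:Status/samlp:StatusCode", NS).get("Value") != SUCCESS:
            raise ValueError("IdP reported failure")
        assertion = root.find("saml:Assertion", NS)
        if assertion is None:
            raise ValueError("no plaintext assertion (EncryptedAssertion not handled here)")
        # InResponseTo ties the Response to a request we issued. An unsolicited Response
        # (no InResponseTo) is exactly what the IdP-initiated flow delivers.
        in_response_to = root.get("InResponseTo")
        if in_response_to is None:
            if not self.allow_idp_initiated:
                raise ValueError("unsolicited Response rejected; IdP-initiated flow is disabled")
        elif in_response_to not in self.pending:
            raise ValueError("InResponseTo does not match an outstanding request")
        if assertion.get("ID") in self.seen_assertions:
            raise ValueError("assertion replayed")
        cond = assertion.find("saml:Conditions", NS)
        if not parse_time(cond.get("NotBefore")) <= now < parse_time(cond.get("NotOnOrAfter")):
            raise ValueError("assertion outside its validity window")
        audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if self.entity_id not in audiences:
            raise ValueError("assertion was issued for a different SP")
        scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
        if scd.get("Recipient") != self.acs_url or scd.get("InResponseTo") != in_response_to:
            raise ValueError("SubjectConfirmationData does not match this exchange")
        # Only now commit: the request ID is spent and this assertion may not be presented again.
        self.pending.pop(in_response_to, None)
        self.seen_assertions.add(assertion.get("ID"))
        return assertion.find("saml:Subject/saml:NameID", NS).text


def idp_response(sp, name_id, now, in_response_to=None, audience=None):
    """Constructed stand-in for the IdP's step-5 Response (unsigned; test data only).
    Pass in_response_to=None to simulate the IdP-initiated flow."""
    audience = audience or sp.entity_id
    irt = f' InResponseTo="{in_response_to}"' if in_response_to else ""
    expiry = saml_time(now + timedelta(minutes=5))
    xml = (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
           f'ID="_{secrets.token_hex(16)}" Version="2.0" IssueInstant="{saml_time(now)}" '
           f'Destination="{sp.acs_url}"{irt}><saml:Issuer>{sp.idp_entity_id}</saml:Issuer>'
           f'<samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>'
           f'<saml:Assertion ID="_{secrets.token_hex(16)}" Version="2.0" IssueInstant="{saml_time(now)}">'
           f'<saml:Issuer>{sp.idp_entity_id}</saml:Issuer><saml:Subject><saml:NameID>{name_id}</saml:NameID>'
           f'<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">'
           f'<saml:SubjectConfirmationData Recipient="{sp.acs_url}"{irt} NotOnOrAfter="{expiry}"/>'
           f'</saml:SubjectConfirmation></saml:Subject>'
           f'<saml:Conditions NotBefore="{saml_time(now - timedelta(minutes=1))}" NotOnOrAfter="{expiry}">'
           f'<saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>'
           f'</saml:Conditions></saml:Assertion></samlp:Response>')
    return base64.b64encode(xml.encode()).decode()
```

Calling `build_redirect` records the request ID, and `consume_response` only accepts a response whose InResponseTo matches one of those IDs unless `allow_idp_initiated` is set, which is the whole difference between the two flows from the SP’s point of view. Nothing is committed to the replay cache or the pending table until every check has passed, so a rejected response cannot burn a legitimate outstanding request.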

PrinterLogic SaaS IdP integration also supports the System for Cross-domain Identity Management (SCIM), which automates user provisioning. When identities are created, updated or deleted in the IdP, the IdP pushes those changes to the SP over the SCIM protocol as they happen.
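What the SP has to implement to receive those pushes, as an added example (illustrative code, not PrinterLogic’s SCIM endpoint): a minimal `/Users` resource that handles the create, lookup-by-filter, PATCH and DELETE calls an IdP sends, authenticates every call with the bearer token configured on the IdP, and treats an `active: false` update as deprovisioning that also ends the user’s live SSO sessions. The class and method names, the token, and the sample user are assumptions constructed for the example.

```python
import hmac
import re
import secrets
import urllib.parse

SCIM_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_PATCH = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
SCIM_LIST = "urn:ietf:params:scim:api:messages:2.0:ListResponse"
SCIM_ERROR = "urn:ietf:params:scim:api:messages:2.0:Error"


def scim_error(status, detail):
    return status, {"schemas": [SCIM_ERROR], "status": str(status), "detail": detail}


def as_bool(value):
    # Some IdPs send "active" as the strings "True"/"False" rather than JSON booleans.
    return value.strip().lower() == "true" if isinstance(value, str) else bool(value)


class ScimUserEndpoint:
    """Hypothetical SP-side /Users resource (not PrinterLogic's implementation)."""

    def __init__(self, bearer_token):
        self.bearer_token = bearer_token  # long random secret configured on the IdP's provisioning tab
        self.users = {}                   # SP-assigned id -> SCIM user resource
        self.sessions = {}                # SSO session token -> user id
        self.next_id = 1

    def handle(self, method, path, headers, body=None):
        """Dispatch one request; returns (HTTP status, JSON-serialisable body or None)."""
        # Every call must carry the shared bearer token: an unauthenticated SCIM endpoint
        # lets anyone create accounts or flip "active" on existing ones.
        if not hmac.compare_digest(headers.get("Authorization", ""), "Bearer " + self.bearer_token):
            return scim_error(401, "invalid bearer token")
        m = re.fullmatch(r"/Users(?:/([^/?]+))?(?:\?filter=(.*))?", path)
        if not m:
            return scim_error(404, "unsupported resource")
        user_id, flt = m.group(1), m.group(2)
        if user_id is None:
            return self.create(body) if method == "POST" else self.search(flt)
        if user_id not in self.users:
            return scim_error(404, "no such user")
        if method == "GET":
            return 200, self.users[user_id]
        if method == "PATCH":
            return self.patch(user_id, body)
        if method == "DELETE":
            self.revoke_sessions(user_id)
            del self.users[user_id]
            return 204, None
        return scim_error(405, "method not allowed")

    def create(self, body):
        if SCIM_USER not in body.get("schemas", []) or not body.get("userName"):
            return scim_error(400, "schemas and userName are required")
        if self.by_username(body["userName"]):
            return scim_error(409, "userName already exists")  # IdP then searches and PATCHes instead
        user = dict(body, id=str(self.next_id), active=as_bool(body.get("active", True)))
        self.next_id += 1
        self.users[user["id"]] = user
        return 201, user

    def by_username(self, name):
        return [u for u in self.users.values() if u["userName"].lower() == name.lower()]

    def search(self, flt):
        # The lookup an IdP performs before creating: filter=userName eq "alice@example.com"
        m = re.fullmatch(r'userName eq "([^"]*)"', urllib.parse.unquote(flt or ""))
        if not m:
            return scim_error(400, "only userName eq filters are supported here")
        hits = self.by_username(m.group(1))
        return 200, {"schemas": [SCIM_LIST], "totalResults": len(hits), "Resources": hits}

    def patch(self, user_id, body):
        if SCIM_PATCH not in body.get("schemas", []):
            return scim_error(400, "not a PatchOp")
        user = self.users[user_id]
        for op in body.get("Operations", []):
            kind = str(op.get("op", "")).lower()  # casing of "op" differs between IdPs
            if kind not in ("add", "replace"):
                return scim_error(400, f"unsupported op {kind!r}")
            # Either {"path": "active", "value": false} or {"value": {"active": false}};
            # only top-level attributes are handled in this illustration.
            changes = {op["path"]: op["value"]} if "path" in op else dict(op["value"])
            for attr, value in changes.items():
                user[attr] = as_bool(value) if attr == "active" else value
        if not user["active"]:
            self.revoke_sessions(user_id)  # deprovisioning must end live sessions, not just future logins
        return 200, user

    def login(self, user_id):
        """Issue an SP session, as happens after a successful SAML login."""
        token = secrets.token_urlsafe(32)
        self.sessions[token] = user_id
        return token

    def session_user(self, token):
        user = self.users.get(self.sessions.get(token))
        return user["id"] if user and user["active"] else None

    def revoke_sessions(self, user_id):
        self.sessions = {t: u for t, u in self.sessions.items() if u != user_id}
```

The `id` the SP returns from `create` is what the IdP stores and uses in every later PATCH or DELETE, so it must be stable; the IdP’s own identifier arrives as `externalId`. The `session_user` check shows the property that matters for deprovisioning: once the IdP marks a user inactive, a session token issued before that moment stops working immediately.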

A look at Version 1’s functionalities

Version 1 of IdP integration supports the following core functionalities of PrinterLogic SaaS:

  • Support for Windows and Mac workstations
  • Access to the Admin Console and full RBAC
  • Full Reporting
  • Deployments by User or Group
  • Portal Security by User or Group
  • User login via IdP Website
  • Adding/Removing IdP Groups
  • Adding/Removing IdP Users

Version 2 of the PrinterLogic IdP integration will support Secure Printing while Version 3 will support the Mobile Printing modules. These updates will be automatically delivered to PrinterLogic SaaS customers later in 2020.

Support for Google Cloud Identity is also set for later in 2020, which combined with the recent release of the PrinterLogic Chrome OS Client Extension, will provide a robust solution for Chrome OS printing and give enterprises a uniform print experience independent of end user operating systems.

Seamless integration with PrinterLogic

PrinterLogic SaaS now integrates seamlessly with leading cloud-based IdPs, ensuring customers secure, appropriate and convenient user access to cloud-based networks and applications. Organizations already standardized on a cloud-based IdP can confidently take advantage of PrinterLogic’s infrastructure reduction, centralized printer management, and secure print benefits.

You can start a PrinterLogic SaaS trial here. For more information on IdP, see our Printerlogic-IdP integration FAQ here.

To talk with someone at PrinterLogic in North America, phone 1.435.652.1288. Click here for international contact information.

A Look at Azure AD and PrinterLogic SaaS

A key benefit of cloud computing is user mobility, but traditional authentication methods have to follow users off the corporate network if security is to remain adequate. Active Directory, for example, must be extended to the cloud. Microsoft’s answer is Azure AD, an identity and access-management solution for SaaS applications.

PrinterLogic SaaS (formerly PrinterCloud) gives IT administrators the ability to eliminate print servers and centrally manage printer and driver deployments in a SaaS solution. As an option, PrinterLogic SaaS can use Active Directory over LDAP to authenticate users of its mobile-printing and pull-printing features.

Figure 1: PrinterLogic SaaS Authentication Paths

When using PrinterLogic SaaS for driver management and printer deployments, there is no need to configure an LDAP connection with Active Directory. The PrinterLogic SaaS client—installed on the end user’s workstation—uses a Windows API to request information about the user and domain, which is enough to perform these basic functions as shown in Figure 1 above.

For mobile and pull printing in PrinterLogic SaaS, the LDAP connection field must be completed. This is found under Tools > Settings > General as shown in Figure 2 below.

Active Directory Authentication: If features such as pull printing or mobile printing are used, the entire top section down to the LDAP port field (“Secondary LDAP Server” is optional), together with the Domain Alias, Bind User, and Bind Password fields, must be configured (Figure 2). This is what lets end users release their pull/mobile print jobs from a web-release portal, a control-panel application, or badge release. Wherever possible, point these fields at LDAPS (port 636 by default) rather than plaintext LDAP, because the Bind User credentials and every user lookup otherwise cross the network unencrypted.

Figure 2: LDAP Settings for PrinterLogic SaaS

Microsoft Azure AD offers three variants that can be used, depending on organization size and the level of authentication required:

Azure AD—Cloud Identity Only. Azure AD is a basic identity service that can be used for single sign-on authentication (SSO) to give access to SaaS applications such as Office 365, Salesforce.com, and Dropbox. See Figure 3, below, for more details.

Azure AD Hybrid. Azure AD Hybrid offers full Windows Active Directory services synchronized with Azure AD using Azure AD Connect. This extends local AD accounts to Azure and allows end users access to both local and SaaS applications using single sign-on (SSO). See Figure 4, below, for more details.

Azure AD Domain Services (DS). Azure AD with Domain Services provides full Windows Active Directory without needing to create an additional Windows Server VM. This option is shown in Figure 5, below.

Figure 3: Azure AD Cloud Identity Only Model

Azure AD stores a few basic attributes such as name, tenant, role, and password. No on-premises Windows Servers are required; all information is stored and managed in the Azure AD tenant in the cloud. Authentication is performed through the SAML, WS-Federation, OAuth 2.0, and OpenID Connect protocols. In this scenario, all PrinterLogic SaaS core features work except AD-based printer deployments; authentication for mobile and pull printing does not yet support these protocols, because it relies on an LDAP connection.

Figure 4: Azure AD Hybrid Model

Windows Server Active Directory is synchronized with Azure AD using an Azure AD Connect Server. This allows end users to access SaaS applications with their current AD credentials. PrinterLogic SaaS will integrate seamlessly with this architecture because it connects to the Windows Server Active Directory for authentication using LDAP, making all features available.

Figure 5: Azure AD Domain Services

Azure AD Domain Services (DS) provides a managed domain, complete with Microsoft-managed domain controllers, inside an Azure virtual network. Azure AD DS is available to both cloud-only and hybrid organizations; in the hybrid case Azure AD Connect supplies the identity synchronization. If Azure AD DS is used, PrinterLogic SaaS can be deployed and authenticates against the managed domain using secure LDAP.

This is done by configuring secure LDAP (LDAPS) for the Azure AD Domain Services (Secure LDAP Configuration Guide) and filling out the LDAP configuration section under Tools > Settings > General in PrinterLogic SaaS. (See Figure 6 below for an example.)

Figure 6: LDAP configuration for Azure AD Domain Services.

PrinterLogic SaaS integrates seamlessly with this architecture because it connects to the Azure AD Domain Services for authentication using LDAPS. This makes all features available.

To see all these PrinterLogic SaaS features, go to www.printerlogic.com/printercloud and click “Start Trial.” This gives you 30 days of free access so you can see how PrinterLogic SaaS integrates with Azure AD and gives IT administrators the ability to eliminate print servers and centrally manage printer and driver deployments in today’s SaaS environment.