Entra ID (Azure AD)

An Identity Provider (IdP) vouches for the identity of a person through the use of an authentication token. PrinterLogic SaaS uses the IdP for several functions, including logging in to the Admin Console and portals, deploying printers, releasing print jobs, and more.

If you use an IdP, the Control Panel Application (CPA) only supports badge and PIN authentication.

Configure Connection

To add and configure enterprise app properties for the PrinterLogic SaaS connection, do the following:

  1. Create Entra ID (Azure AD) App.
  2. Add IdP Template.
  3. Configure Single Sign On.
  4. Add the X-509 Certificate.
  5. Complete IdP Settings.
  6. Configure Provisioning.
  7. Add PrinterLogic SaaS Admins.

1. Create Entra ID (Azure AD) App

  1. In your preferred browser, navigate to the Entra ID (Azure AD) Admin Portal at https://portal.azure.com/#home and log in with your Entra ID (Azure AD) credentials.
  2. Under Manage Microsoft Entra ID select the View button.
  3. Select Enterprise Applications from the side navigation.
  4. Select + New Application.

    Azure Portal Enterprise Applications tab showing the New Application button in the upper middle.

  5. Search for PrinterLogic and select the app from the results.
  6. Give your app a unique name and select Create.

Azure Search results and PrinterLogic app selected.

Leave the current browser open to the new app page. To continue the app configuration, open the PrinterLogic SaaS Admin Console in another browser and access the Service Provider Information.

If the IdP Settings page does not look like the image shown below, you may not be using the latest version and should contact Product Support to upgrade your IdP settings.

2. Add IdP Template

  1. In a separate browser tab, open your PrinterLogic SaaS Admin Console and sign in.
  2. Select Tools then Settings then General, and scroll down to the Identity Provider Settings section.
  3. Select IdP, and then select Add.
  4. Select the identity provider you want to configure in the IdP Template drop-down.
  5. Select SAML2 in the Authentication Protocol section.
  6. In the Provisioning section, if you are using SCIM, leave the JIT option unchecked.

    By default, it is assumed you are using SCIM for provisioning. Only select JIT if SCIM is not being used.

  7. In the Name field, enter the name you want displayed on the login button for users, e.g. My Company, Login, Acme Corp, etc.
  8. Scroll down and select the desired enable setting(s).
    • Enable for End Users Login — Allows end users to log in using this IdP. (Self-service Portal)
    • Enable for Admin Login — Allows Admin users to log in using this IdP. (Admin Console)
    • Both boxes can be checked when using a single IdP, or if the admin and end users use the same IdP to log in.

Keep the IdP Settings screen open so that the Service Provider Information at the bottom is available for the following steps.

IdP Settings window showing the different fields and the Service provider information section.

3. Configure Single Sign On

  1. In the app Overview page, select Get Started in 2. Set up single sign on.
  2. In the Select a single sign on method section, select SAML.
  3. In the Setup Single Sign-On with SAML page, select the three dots, then select Edit in the 1 Basic SAML Configuration section.
  4. In Basic SAML Configuration complete the following:
    1. Copy the PrinterLogic SaaS Identifier (Entity ID) URL and paste it into the Entra ID (Azure AD) Identifier (Entity ID) field.
    2. Copy the PrinterLogic SaaS Reply Url (ACS) URL and paste it into the Entra ID (Azure AD) Reply URL (Assertion Consumer Service URL) field.
    3. Copy the PrinterLogic SaaS Relay State URL and paste it into the Entra ID (Azure AD) Relay State (Optional) field.
  5. Select Save at the top of the Entra ID (Azure AD) modal.
  6. Select the X on the top-right to close the modal.
  7. Navigate to 4. Set Up <App Name>, copy the Login URL and paste it into the PrinterLogic SaaS IdP Information's SSO URL field.
  8. Press Tab on your keyboard to auto-populate the PrinterLogic SaaS Issuer URL and Issuer ID fields.
    1. If the Issuer URL and Issuer ID fields don't auto-populate:
      1. Navigate back to the Entra ID (Azure AD) 4. Set Up <App Name> section.
      2. Copy the Microsoft Entra Identifier.
      3. Paste it into the Issuer URL field.
      4. Cut the numerical portion after the "/" and paste it into the Issuer ID field.

        Example: Issuer URL: https://sts.windows.net/, Issuer ID: a1b2cd34-fb1f-4f71-9248-8675309d/

Entra ID's Basic SAML Configuration modal with the Service Provider Information values pasted into the related fields.

4. Add the X-509 Certificate

  1. Return to the Azure Portal, scroll to section 3 SAML Signing Certificate and select the Download link for Certificate (Base64).
  2. Open the file in your preferred text editor.
  3. Copy the certificate body, including the Begin / End Certificate headers, and paste it into the PrinterLogic SaaS X-509 Certificate field.

    SAML Certificate opened in Notepad, showing the body of the content highlighted, excluding the begin and end certificate lines.

  4. Select Apply in PrinterLogic SaaS.
  5. Select Save at the top-right corner of the General page.

The Admin Group Name field will be left blank unless you are using an Attribute Statement for additional security. Steps to configure that are found in Additional Admin Console Security, and it can be set up after the initial IdP configuration.

IdP Settings template showing the X509 cert and other fields configured.

5. Complete IdP Settings

  1. On the PrinterLogic SaaS General page, navigate back to the Identity Provider Settings section.
  2. To have PrinterLogic SaaS prompt your users to authenticate through the IdP when performing any function requiring authorization, such as installing a printer, select the Automatically Open Browser to Login on Desktop Client option.

    If this option is not selected, the user must manually navigate to the IdP login screen to sign in.

  3. We recommend enabling the Use Loopback with SAML2 option. The IdP needs to provide an authentication token to the desktop clients whenever authentication happens. This option allows the client to handle the token and automatically log in without interaction from end users.

    General tab's Identity Provider Settings section with the IdP option selected and two additional options selected below the IdP.

  4. The option to Use Domain User (Windows only) will automatically authorize domain-joined Windows users and not require login via the configured IdPs.
  5. Select Save in the top-right corner of the General page.

6. Configure Provisioning

The provisioning steps vary depending on whether you are using SCIM or JIT provisioning. Please choose the appropriate option below to view the corresponding steps for the method you are using.

SCIM Provisioning

Modify the Manifest File

  1. In the Entra ID (Azure AD) Portal, navigate to the Home page and select App Registrations in the Azure services section, or use the search bar to search for and select it.
  2. In the App registrations page, select the app you created.
  3. Select Manifest in the left-side menu.
  4. Copy the following code segment.

    By default, the Admin Group is designed to be called PrinterLogicAdmin. If this needs to be changed, ensure you adjust the "PrinterLogicAdmin" portion of the line "value": "PrinterLogicAdmin" to match the desired admin group name. This is important if using a group attribute statement for Additional Admin Console Security.

    Manifest File Code
    {
        "allowedMemberTypes": [
            "User"
        ],
        "description": "Can login to the PrinterCloud/PrinterInstaller admin portal.",
        "displayName": "PrinterLogic Administrator",
        "id": "b5943639-ea79-4254-a71c-a8466225115a",
        "isEnabled": true,
        "lang": null,
        "origin": "Application",
        "value": "PrinterLogicAdmin"
    },

  5. In the Manifest page, place the cursor at the end of line 20 and press the [Enter] key.
  6. Paste the code you copied on line 21. The finished file should appear as shown below.

    Manifest file showing the PrinterLogic portion added in and highlighted.

  7. Select Save.

It can take up to 5 minutes for the code added to the manifest file to take effect. After saving the file, wait 5 minutes and then refresh the screen.
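The manifest edit above is easy to get wrong when pasting by line number, so the following added example (not PrinterLogic or Microsoft code) checks an edited manifest before you save it. It assumes the roles live in the manifest's appRoles array; check_manifest and EXISTING_ROLE are hypothetical names, and EXISTING_ROLE is constructed sample data.

```python
import json
import uuid

# Role object from the snippet above, without its trailing comma.
PRINTERLOGIC_ROLE = {
    "allowedMemberTypes": ["User"],
    "description": "Can login to the PrinterCloud/PrinterInstaller admin portal.",
    "displayName": "PrinterLogic Administrator",
    "id": "b5943639-ea79-4254-a71c-a8466225115a",
    "isEnabled": True,
    "lang": None,
    "origin": "Application",
    "value": "PrinterLogicAdmin",
}
# Constructed stand-in for a role that already exists in the manifest.
EXISTING_ROLE = dict(PRINTERLOGIC_ROLE, displayName="User", value="User",
                     id="00000000-0000-4000-8000-000000000001")


def check_manifest(manifest_text, admin_group="PrinterLogicAdmin"):
    """Return a list of problems in the edited manifest; an empty list means OK."""
    try:
        manifest = json.loads(manifest_text)
    except json.JSONDecodeError as exc:
        # Typical cause: the pasted block's trailing comma landed before "]".
        return [f"manifest is not valid JSON at line {exc.lineno}: {exc.msg}"]
    roles = manifest.get("appRoles", [])
    problems = []
    ids = [str(role.get("id", "")).lower() for role in roles]
    for dup in sorted({i for i in ids if ids.count(i) > 1}):
        problems.append(f"appRole id {dup} appears more than once")
    # The role value must match the admin group name used in PrinterLogic SaaS.
    admin = [role for role in roles if role.get("value") == admin_group]
    if len(admin) != 1:
        problems.append(f"expected one role with value {admin_group!r}, found {len(admin)}")
    for role in admin:
        if role.get("isEnabled") is not True:
            problems.append(f"role {admin_group!r} is not enabled")
        if "User" not in role.get("allowedMemberTypes", []):
            problems.append(f"role {admin_group!r} cannot be assigned to users")
        try:
            uuid.UUID(str(role.get("id")))
        except ValueError:
            problems.append(f"role {admin_group!r} has a malformed id")
    return problems


if __name__ == "__main__":
    good = json.dumps({"appRoles": [EXISTING_ROLE, PRINTERLOGIC_ROLE]}, indent=2)
    print(check_manifest(good))
    print(check_manifest(good, admin_group="PrintAdmins"))
```

If you renamed the admin group, pass the new name as admin_group so the check matches the value you set in the manifest.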

Enable SCIM Provisioning

  1. Return to the Entra ID (Azure AD) Enterprise Applications page and select the app you created.
  2. In the Entra ID (Azure AD) app window, select Provisioning from the left-side Manage menu.
  3. Select the Get Started button.
  4. For Provisioning Mode, select the Automatic option.
  5. In PrinterLogic SaaS, select the IdP and then select Modify.
  6. Copy the SCIM Tenant URL from the PrinterLogic SaaS Service Provider Information section and paste the URL into the Entra ID (Azure AD) Tenant URL field.

  7. Close out of the PrinterLogic SaaS IdP Settings window.

Entra ID's Provisioning modal showing the fields for the Mode, Admin Credentials, and the Status button at the bottom.

Generate and Apply SCIM Token

  1. In the PrinterLogic SaaS General settings, select the SCIM option in the Identity Provider Settings section.
  2. Select your IdP configuration in the drop-down menu.
  3. Select Generate SCIM Token.

    SCIM section showing the IdP selected in the drop-down, and the Generate SCIM Token button to the right.

    Generating a SCIM token invalidates any previous tokens for that IdP.

  4. Select Proceed.
  5. Copy the token, close the modal, and select Save at the top-right corner of General settings.
  6. In the Entra ID (Azure AD) Provisioning panel, paste the SCIM token into the Secret Token field.
  7. Select Test Connection.
  8. Select Save in the top-left.
  9. Refresh the page to see the Provisioning Status button, and select On.
  10. Select Save.

The initial provisioning can take up to 45 minutes to "Automatically" provision after changes are made. Select the Start Provisioning option on the Entra ID (Azure AD) Provisioning tab to start the process sooner.

Add Users / Groups

  1. Navigate back to the Entra ID (Azure AD) app's Overview page, and select 1. Assign Users and Groups.
  2. Select the + Add User/Group option.
  3. In the Users and Groups section of the Add Assignments page, select None Selected.
  4. Add the users and groups you want to provision over.
  5. For users or groups accessing the PrinterLogic SaaS Admin Console, in the Select a Role section, select None Selected and choose the PrinterLogic Administrator option. Assign the Users role for end users.
  6. Select the Select button.
  7. Select Assign.

Entra ID Add Assignment Users and Groups window.

Nested groups, or sub-groups within another group, are not supported and will not provision over. Any nested groups you wish to provision will need to be adjusted.

JIT Provisioning

If you wish to use JIT Provisioning, make sure the JIT option in the IdP Settings modal is checked and do not enable SCIM. Enabling SCIM as well will create duplicate users and impact login and user authentication.

JIT does not support the provisioning of group membership associations, so you cannot apply RBAC roles, printer deployments or portal security roles to groups. All assignments have to be done individually for each user.

When using JIT Provisioning, the application creates users during the first sign-in attempt.

  1. Access your PrinterLogic SaaS instance and select Sign in with <IdP Name>.
  2. Attempt to log in with your IdP credentials.
  3. This login attempt will fail and return you to the PrinterLogic SaaS login page.

    This is expected. With JIT, this action triggers the user creation in PrinterLogic SaaS.

  4. The following login attempt with valid credentials initiates a typical login sequence.

Administrators who need access to the Admin Console still need to be added to the Tools then Users page using the steps in Admin Console Users.

7. Add PrinterLogic SaaS Admins

For steps on assigning users and roles to the PrinterLogic SaaS Admin Console, refer to Admin Console Users.