JumpCloud

An Identity Provider (IdP) vouches for the identity of a person through the use of an authentication token. PrinterLogic SaaS uses the IdP for several things, including logging in to the Admin Console and portals, deploying printers, releasing print jobs, and more.

If you use an IdP, the Control Panel Application (CPA) only supports badge and PIN authentication.

Configure JumpCloud

To add an app integration for the PrinterLogic SaaS connection, do the following:

  1. Create JumpCloud App.
  2. Add IdP Template.
  3. Configure Single Sign On.
  4. Add the X-509 Certificate.
  5. Complete IdP Settings.
  6. Configure Provisioning.
  7. Add PrinterLogic SaaS Admins.

1. Create JumpCloud App

Open a browser and log in to your JumpCloud Administrator Console (console.jumpcloud.com/login/admin).

  1. Expand the User Authentication option in the left-side menu.
  2. Select the SSO Applications option.

    JumpCloud user authentication menu expanded and the SSO Applications option highlighted.

  3. Select the + Add New Application button.
  4. Search for PrinterLogic, and select the PrinterLogic SaaS application.
  5. Select the Next button.
  6. In the Display Label field, name your app.
    1. (Optional): Add a description and upload a logo.
  7. Select Save Application.
  8. Select Configure Application.

JumpCloud Create New Application window showing the app's display name, description, and logo.

Leave the current browser open to the new app page. To continue the app configuration, you need to open another browser and open the PrinterLogic SaaS Admin Console and access the service provider information.

If the IdP Settings page does not look like the image shown below, you may not be using the latest version and should contact Product Support to upgrade your IdP settings.

2. Add IdP Template

  1. In a separate browser tab, open your PrinterLogic SaaS Admin Console and sign in.
  2. Select Tools then Settings then General, and scroll down to the Identity Provider Settings section.
  3. Select IdP, and then select Add.
  4. Select the identity provider you want to configure in the IdP Template drop-down.
  5. Select SAML2 in the Authentication Protocol section.
  6. In the Provisioning section if you are using SCIM, leave the JIT option unchecked.

    By default, it is assumed you are using SCIM for provisioning. Only select JIT if SCIM is not being used.

  7. In the Name field, enter the name you want displayed on the login button for users, e.g. My Company, Login, Acme Corp, etc.
  8. Scroll down and select the desired enable setting(s).
    • Enable for End Users Login — Allows end users to log in using this IdP. (Self-service Portal)
    • Enable for Admin Login — Allows Admin users to log in using this IdP. (Admin Console)
    • Both boxes can be checked when using a single IdP, or if the admin and end users use the same IdP to log in.

Keep the IdP Settings screen open so that the Service Provider Information at the bottom is available for the following steps.

IdP Settings window showing the different fields and the Service provider information section.

3. Configure Single Sign On

  1. In the JumpCloud app, select the SSO tab.
  2. In the IdP Entity ID field enter the following URL.

    https://jumpcloud.com/<your_IdP_ID>
  3. Copy the IdP Identifier from the PrinterLogic SaaS Service Provider Information section and replace the <your_IdP_ID> portion of the IdP Entity ID URL with the identifier.
  4. Back in the PrinterLogic SaaS IdP Settings page, enter https://jumpcloud.com/ in the Issuer URL field.
  5. Under the Service Provider Information section, copy the IdP Identifier and paste the value in the PrinterLogic SaaS Issuer ID field.
  6. In the IdP Settings window, copy and paste the following into the JumpCloud SSO tab:
    1. Copy the PrinterLogic SaaS Identifier (Entity Id) and paste the value into the JumpCloud SP Entity ID field
    2. Copy the PrinterLogic SaaS Reply Url (ACS) and paste the value into the JumpCloud ACS URLs Default URL field.
    3. Copy the PrinterLogic SaaS Relay State and paste the value into the JumpCloud Default RelayState field.
  7. In the JumpCloud Login URL field, replace the “YOUR_SUBDOMAIN” portion of the URL with your instance subdomain.
  8. Check the Declare Redirect Endpoint box.
  9. Copy the IDP URL in JumpCloud, and paste this into the PrinterLogic SaaS SSO URL field.
  10. Scroll down to the Attributes section and configure mappings as needed.

    For more information about the SSO Connector fields in JumpCloud see SSO Application Connector Fields.

JumpCloud app's SSO tab showing the different configuration fields and URLs.

4. Add the X-509 Certificate

  1. Scroll up to the JumpCloud Metadata section in the app's SSO tab, and select the Export Metadata button.
  2. Open the XML file with a text editor, like Notepad++.
  3. Remove the export content before and after the X-509 Certificate.

    Ensure you are copying only the X-509 certificate content from the text editor. This is the section between the > and < characters as shown in the image. The rest can be removed.

    XML file showing the portion for the 509 certificate highlighted, and arrows pointing to the beginning and end sections.

  4. Add the following headers before and after the X-509 Certificate content.

    -----BEGIN CERTIFICATE-----
    -----END CERTIFICATE-----
  5. Copy the X-509 Certificate with the adjusted headers.
  6. Return to the PrinterLogic SaaS IdP Settings window and paste the certificate into the X-509 Certificate field.
  7. Select Apply in PrinterLogic SaaS.
  8. Select Save in PrinterLogic SaaS.
  9. Select Save in JumpCloud.

IdP Settings template showing the X509 cert and other fields configured.
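
The extraction in steps 2 to 4 can also be scripted, which avoids copy-paste slips such as stray whitespace or a truncated certificate body. The Python below is an added example, not PrinterLogic or JumpCloud code; the function name, the sample metadata and its placeholder certificate bytes are constructed for illustration, and the 64-character line wrapping follows the usual PEM layout.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample metadata. The certificate body is placeholder bytes,
# not a real certificate; a real export carries base64-encoded DER here.
_FAKE_DER = bytes(range(256)) * 3
_B64 = base64.b64encode(_FAKE_DER).decode()
SAMPLE_METADATA = f"""<md:EntityDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://jumpcloud.com/EXAMPLE-IDP-ID">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {_B64[:76]}
        {_B64[76:]}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def metadata_cert_to_pem(metadata_xml):
    """Return (PEM text, SHA-256 fingerprint) for the IdP certificate."""
    # ElementTree is adequate for a file you exported yourself; use a
    # hardened parser for XML that comes from an untrusted source.
    root = ET.fromstring(metadata_xml)
    nodes = root.findall(".//md:IDPSSODescriptor//ds:X509Certificate", NS)
    # Drop the line breaks and indentation that exported metadata carries.
    bodies = {"".join((n.text or "").split()) for n in nodes}
    if len(bodies) != 1:
        raise ValueError(f"expected exactly one IdP certificate, found {len(bodies)}")
    b64 = bodies.pop()
    der = base64.b64decode(b64, validate=True)  # rejects non-base64 characters
    body = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    pem = "\n".join(["-----BEGIN CERTIFICATE-----", *body,
                     "-----END CERTIFICATE-----"]) + "\n"
    digest = hashlib.sha256(der).hexdigest().upper()
    fingerprint = ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))
    return pem, fingerprint


if __name__ == "__main__":
    pem_text, sha256_fp = metadata_cert_to_pem(SAMPLE_METADATA)
    print(pem_text)
    print("SHA-256 fingerprint:", sha256_fp)
```

The fingerprint gives you a value to compare against any other copy of the same certificate before pasting the PEM text into the X-509 Certificate field.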

5. Complete IdP Settings

  1. On the PrinterLogic SaaS General page, navigate back to the Identity Provider Settings section.
  2. To have PrinterLogic SaaS prompt your users to authenticate through the IdP when performing any function requiring authorization, such as installing a printer, select the Automatically Open Browser to Login on Desktop Client option.

    If this option is not selected, the user must manually navigate to the IdP login screen to sign in.

  3. We recommend enabling the Use Loopback with SAML2 option. The IdP needs to provide an authentication token to the desktop clients whenever authentication happens. This option allows the client to handle the token and automatically log in without interaction from end users.

    General tab's Identity Provider Settings section with the IdP option selected and two additional options selected below the IdP.

  4. The option to Use Domain User (Windows only) will automatically authorize domain-joined Windows users and not require login via the configured IdPs.
  5. Select Save in the top-right corner of the General page.

6. Configure Provisioning

The provisioning steps vary depending on whether you are using SCIM or JIT provisioning. Please choose the appropriate option below to view the corresponding steps for the method you are using.

SCIM Provisioning

Enable SCIM Provisioning

These steps are only for the JumpCloud SCIM configuration.

  1. In the JumpCloud app, select the Identity Management tab.
  2. Select Configure.
  3. Check the box for Enable management of User Groups and Group Membership in this application.
  4. In PrinterLogic SaaS, select the IdP and then select Modify.
  5. In the PrinterLogic SaaS IdP Settings window, copy the SCIM Tenant URL.
  6. Paste the SCIM Tenant URL into the JumpCloud Identity Management tab's Base URL field.
  7. Select Apply in PrinterLogic SaaS.
  8. Select Save in PrinterLogic SaaS.

For more information about SCIM identity management in JumpCloud see Custom SCIM Identity Management.

JumpCloud's Identity Management tab showing the Authentication section expanded and the SCIM information entered in.

Generate SCIM Token

  1. In the PrinterLogic SaaS General settings, select the SCIM option in the Identity Provider Settings section.
  2. Select your IdP configuration in the drop-down menu.
  3. Select Generate SCIM Token.

    SCIM section showing the IdP selected in the drop-down, and the Generate SCIM Token button to the right.

    Generating a SCIM token invalidates any previous tokens for that IdP.

  4. Select Proceed.
  5. Copy the token, close the modal, and select Save at the top-right corner of General settings.
  6. Paste the token into the JumpCloud Identity Management tab's Token Key field.
  7. Select Activate in JumpCloud.
  8. Select Save in JumpCloud.

Add User Groups

  1. In JumpCloud, select the app's User Groups tab.
  2. Search for and select the groups that you would like to bind to PrinterLogic SaaS.
  3. Select Save.

JumpCloud's User Groups tab showing the different groups with one selected.

JIT Provisioning

If you wish to use JIT Provisioning, make sure the JIT option in the IdP Settings modal is checked and do not enable SCIM. Enabling both will create duplicate users and impact login and user authentication.

JIT does not support the provisioning of group membership associations, so you cannot apply RBAC roles, printer deployments or portal security roles to groups. All assignments have to be done individually for each user.

When using JIT Provisioning, the application creates users during the first sign-in attempt.

  1. Access your PrinterLogic SaaS instance and select Sign in with <IdP Name>.
  2. Attempt to log in with your IdP credentials.
  3. This login attempt will fail and return you to the PrinterLogic SaaS login page.

    This is expected. With JIT, this action triggers the user creation in PrinterLogic SaaS.

  4. The following login attempt with valid credentials initiates a typical login sequence.

Administrators who need access to the Admin Console still need to be added to the Tools then Users page using the steps in Admin Console Users.

7. Add PrinterLogic SaaS Admins

For steps on assigning users and roles to the PrinterLogic SaaS Admin Console, see Admin Console Users.