Synchronize user and group details with Google Cloud Directory
This functionality is available for organizations using:
-
Google Workspace for Education
-
Google Workspace Enterprise for Education
-
Google Workspace Enterprise
-
Cloud Identity Premium.
This topic describes how to:
-
set up user/group synchronization and user authentication with Google Cloud Directory
-
set up Google Single sign on for Chromebooks, Admin, and User web interfaces (optional).
-
connect your PaperCut NG/MF Application Server to Google Cloud Directory.
Both Google Workspace and Google Cloud Identity use Google Cloud Directory to synchronize users and groups.
Environments with Google Cloud Directory as a user sync source are cost effective and quick to implement because they use Mobility Print and PaperCut NG/MF for end-to-end print requirements, including authentication, reporting, filters, and restrictions.
All you need to do is make sure users can access your WiFi. There's no need to set up or manage a domain (for example Active Directory) or deal with the complexities inherent in managing multiple printer drivers (OSs, multiple vendors, multiple models, etc.).
If you don’t want users to access your network, Google Cloud Directory still works with Web print, Email to print and Google Cloud print.
Examples of Google Cloud Directory environments
A pure Google Cloud Directory environment
Install PaperCut NG/MF in a pure, Google Workspace-only environment.
An existing directory is going to be replaced with Google Workspace
If your current environment uses an on-premises directory, for example Active Directory (AD), and you want to replace it completely with Google Cloud Directory, then you first need to migrate all users from your current directory into Google Workspace. If you prefer, you can do this in stages over a period of time and run a hybrid environment until the full migration is finished. Keep the original directory until you’ve completed and tested the entire new Google Cloud Directory setup.
An existing directory and new Google Cloud Directory are both going to be synced with PaperCut NG/MF
You can sync PaperCut NG/MF with two user directory sources, one being a traditional directory such as Active Directory and one being a new Google Cloud Directory. You can even sync directories from two Google Cloud Directories. You set up one directory as the primary sync source and one as the secondary sync source.
If the username for an internal user is the same as a Google Cloud Directory username (without the domain part), then PaperCut NG/MF will convert the existing internal user to a standard PaperCut NG/MF user and merge the data. If there are discrepancies in the data in the existing internal account and Google Cloud Directory, the Google Cloud Directory information will override the existing internal user information.
Set up at a glance
The high-level process to set up Google Cloud Directory authentication is as follows:
-
In Google, set up your Google Workspace or Google Cloud Identity users.
-
Set up LDAP access and permissions for Google Workspace or Google Cloud Identity.
NOTE: Depending on the size of your organization, it can take up to 24 hours for Google Cloud Directory changes to apply.
-
Set up Google Workspace or Google Cloud Identity sync in PaperCut NG/MF:
Step 1: Set up your Google Workspace or Google Cloud Identity users
In Google, depending on your planned environment:
Step 2: If not already done, set up your printing solution
If you haven't already set up a printing solution, select and set up the solution that best suits your environment:
-
Native Print
Step 3: Set up LDAP access and permissions for Google Workspace or Google Cloud Identity
Remember, this functionality is available for organizations using G Suite Education, G Suite Enterprise for Education, G Suite Enterprise, and Cloud Identity Premium.
Before you start, make sure you can log in to Google as a Super Admin.
-
Log in to admin.google.com using your Super Admin user login details. The Google Admin console is displayed.
-
Click the Apps tile. The Apps screen is displayed.
-
Click the LDAP tile. The LDAP screen is displayed.
-
Click ADD CLIENT.
-
Type a name for the LDAP client connection you’ll be configuring to use for PaperCut NG/MF (for example, "PaperCut MF"), and optionally type a description; then click CONTINUE. The Access permissions screen is displayed.
-
In the Verify user credentials section, select either:
-
Entire domain <domain name>
-
Selected organizational units; then click Add and select the units from the list. (Use this to limit syncing to users in a subset of groups.)
-
-
In the Read user information section, select either
-
Entire domain <domain name>
-
Selected organizational units; then either click Copy from Verify user credentials or click Add and select the units from the list. (Use this to limit syncing to users in a subset of groups.)
-
Depending on your organizational policies, tick all boxes for System attributes, Public custom attributes, and Private custom attributes. This allows PaperCut to sync the primary number and secondary number from custom fields of your choice, stored under individual users as per your organization's schema in Google Cloud Directory. For more details, see (Optional) Add card/ID numbers.
-
-
In the Read group information section, click the switch to set it to On; then click ADD LDAP CLIENT. Google displays a confirmation message and information about downloading the certificate.
-
On the same screen, click Download certificate; then save the downloaded certificate (which is a PDF file) in a secure location.
-
Click CONTINUE TO CLIENT DETAILS. The Settings for <LDAP client name> screen is displayed.
-
Click anywhere in the Service Status box. The Service Status screen is displayed.
-
Select On for everyone. The service status is updated for everyone.
-
Click SAVE.
This adds PaperCut NG/MF to the list of permitted LDAP clients. You can find more information about configuring access permissions from Google.
The service status, displayed at the top right of the screen, is initially set to OFF.
Depending on the size of your organization, it can take up to 24 hours for Google Cloud Directory changes to apply.
Step 4: Set up Google Workspace or Google Cloud Identity sync in PaperCut NG/MF
Set up the primary sync source
-
Log in to the PaperCut NG/MF Admin interface.
-
Select Options > User/Group Sync.
-
In the Sync Source area, in Primary sync source, select Google Cloud Directory.
-
If you haven’t already downloaded your LDAP certificate, follow the steps in Set up LDAP access and permissions for Google Workspace or Google Cloud Identity.
-
Type your Google Cloud Directory Domain name, for example, melbourneschoolzones.com.
-
Click Choose file and select the Google-generated certificate zip file that you downloaded earlier; then click Install Certificate. If installation is successful, the message ‘The certificate has been installed. It will expire on <day month year>.’ is displayed.
-
Select which users to import.
-
Import all users.
-
Import users from selected groups. This option is useful if the domain contains groups of users, where certain groups contain the users who you want to allow to print:
-
Click Select Groups.
-
Select the groups you want to import. You can filter the list to find the groups you’re after.
NOTE:
The groups’ names are displayed.
-
In Google Admin, the members of groups are listed in Advanced Group Settings. PaperCut NG/MF syncs users whose names are listed as a link. If a name is listed as an email address or is in any other format, it is not synced.
-
Nested (sub) groups are not currently supported.
-
-
-
-
(Optional) Add card/ID numbers.
Card and ID numbers are used as an alternative to usernames/passwords for authentication at software Release Stations, or at hardware terminals attached to photocopiers. The card/ID number can also be searched in the user quick-find in the User List page. For more information, see User card and ID numbers.
In PaperCut NG/MF, you can associate one or two unique card/ID numbers with each user. These are known as the primary and secondary card/ID number. PaperCut NG/MF automatically generates these card/ID numbers for each user.
NOTE: Sys Admins can use the number to search for users on the User List page. For more information refer to User card and ID numbers.
To add card/ID numbers:
-
In Primary number, select Auto-generate random ID. The Length field is displayed.
-
Type the number of digits you want the card/ID number to be.
TIP:
Short numbers are easy for users to remember and fast to key in, but are also easier for someone to guess.
-
Make the Length long enough to generate numbers for all of your users.
-
-
If you require a secondary card/ID number for each user, repeat the above two steps for Secondary number.
OR,
-
Alternatively, as of PaperCut NG/MF 21.1, you can sync these card or ID numbers stored in Google Cloud Directory's user details. This is done by choosing the Sync from AD/LDAP field option in step 5's drop-down menu.
-
The system will then allow you to input a field name to sync from. The field name must be identical to the name of the custom field created on Google Cloud Directory's user schema. This field must be accessible by the certificate you created and installed previously.
TIP: There are 2 types of values in Google Cloud Directory's fields when you add custom attribute fields to users. They can be either Whole numbers or Text. Choose carefully. This is managed on the Google Admin's dashboard by navigating through (menu on the left) Directory > Users > (top right) More > Manage custom attributes.
-
-
Scroll down and click Test Settings. (It is gray but you can still click on it.) PaperCut NG/MF displays progress and the results in the Testing sync settings popup.
-
Review the results to make sure all the expected users are there, and then click Close.
-
Click Apply.
-
If you:
-
have a secondary sync source you need to set up, continue below.
-
do not have a secondary sync source, go to Set up the Sync Options.
-
(Optional) Set up the secondary sync source
How usernames are handled when syncing from two sources
A secondary sync source allows you to import users and groups from a second independent external directory source into PaperCut NG/MF.
PaperCut NG/MF treats Google Cloud Directory usernames as globally unique—if the same username exists in both the primary and secondary sync sources, it generates only a single user. When PaperCut NG/MF merges the user’s details from both sync sources, it prioritizes the primary sync source details, and then adds any additional details that are in the secondary source.
The priority in which PaperCut NG/MF enters details into the Card/Identity Numbers and Other Details fields for the Primary and Secondary fields is:
-
Priority 1—The primary sync source details.
-
Priority 2—The secondary sync source details.
-
Priority 3—The PaperCut NG/MF existing details in the Users > Other Details section.
When you sync, the source details always overwrite what’s already in PaperCut NG/MF. PaperCut NG/MF will retain the details in the fields that are not changed in the sync source. If at a later time you stop using the primary or secondary sync source, or if a Google Workspace or Google Cloud Identity field becomes blank, PaperCut NG/MF will still retain the details in the fields.
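The merge rules described above, modelled in Python as a pre-flight check you can run over directory exports before enabling a secondary sync source. This is an added example, not PaperCut's own code: the record layout, field names and sample users are constructed, and it assumes the username is the address without its domain part.

```python
"""Preview which users two sync sources would merge into one account."""

FIELDS = ("full_name", "email", "primary_card", "secondary_card")

# Constructed sample exports (not real data). Blank strings mean "field not set".
PRIMARY = [
    {"email": "jsmith@primary.example", "full_name": "Jo Smith",
     "primary_card": "", "secondary_card": ""},
    {"email": "akhan@primary.example", "full_name": "A. Khan",
     "primary_card": "48213377", "secondary_card": ""},
]
SECONDARY = [
    {"email": "jsmith@secondary.example", "full_name": "John Smith",
     "primary_card": "90315562", "secondary_card": ""},
    {"email": "lchen@secondary.example", "full_name": "L. Chen",
     "primary_card": "", "secondary_card": ""},
]
# Details already stored in PaperCut NG/MF, keyed by username (constructed).
EXISTING = {"lchen": {"primary_card": "17750024"}}


def username_of(record):
    # Assumption: the username is the address without its domain part.
    return record["email"].split("@", 1)[0].lower()


def merge_user(primary, secondary, existing):
    """Priority 1 primary, 2 secondary, 3 existing; blanks never overwrite."""
    merged = {}
    for field in FIELDS:
        candidates = [(src or {}).get(field, "")
                      for src in (primary, secondary, existing)]
        merged[field] = next((value for value in candidates if value), "")
    return merged


def preview_sync(primary_users, secondary_users, existing):
    """Return (merged, shared): merged records and per-username dropped fields."""
    first = {username_of(u): u for u in primary_users}
    second = {username_of(u): u for u in secondary_users}
    merged, shared = {}, {}
    for name in sorted(first.keys() | second.keys()):
        merged[name] = merge_user(first.get(name), second.get(name),
                                  existing.get(name))
        if name in first and name in second:
            # Fields where both sources hold different values: the secondary
            # value is discarded, so confirm both entries are the same person.
            shared[name] = [f for f in FIELDS
                            if first[name].get(f) and second[name].get(f)
                            and first[name][f] != second[name][f]]
    return merged, shared


if __name__ == "__main__":
    merged, shared = preview_sync(PRIMARY, SECONDARY, EXISTING)
    for name, fields in shared.items():
        print(f"{name}: in both sources, secondary values dropped for {fields}")
    for name, record in merged.items():
        print(name, record)
```

Any username reported in `shared` becomes a single PaperCut NG/MF account, so review that list to confirm each pair of directory entries belongs to the same person before you click Apply.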
Set up the secondary sync source
-
Set up a second LDAP connection and generate a second certificate for the second sync source. Refer to Set up LDAP access and permissions for Google Workspace or Google Cloud Identity.
-
On the User/Group Sync page, in the Secondary Sync Source (Advanced) area, select the Enable secondary sync source check box.
-
If the secondary sync source is a second Google Cloud Directory, go to the next step to complete the secondary sync source details.
For all other directory sources, refer to:
-
Type your Google Workspace or Google Cloud Identity Domain name, for example, melbourneschoolzones.com.
-
Click Choose file and select the LDAP certificate zip file that you downloaded earlier; then click Install certificate.
If installation is successful, the message ‘The certificate has been installed. It will expire on <day month year>.’ is displayed.
-
Select which users to import.
-
Import all users.
-
Import users from selected groups. This option is useful if the domain contains groups of users, where certain groups contain the users who you want to allow to print:
-
Click Select Groups.
-
Select the groups you want to import. You can filter the list to find the groups you’re after.
NOTE:
The groups’ names are displayed.
-
In Google Admin, the members of groups are listed in Advanced Group Settings. PaperCut NG/MF syncs users whose names are listed as a link. If a name is listed as an email address or is in any other format, it is not synced.
-
Nested (sub) groups are not currently supported.
-
-
-
(Optional) Add card/ID numbers.
Card and ID numbers are used as an alternative to usernames/passwords for authentication at software Release Stations, or at hardware terminals attached to photocopiers. The card/ID number can also be searched in the user quick-find in the User List page. See User card and ID numbers for more information.
In PaperCut NG/MF, you can associate one or two unique card/ID numbers with each user. These are known as the primary and secondary card/ID number. You can automatically generate these card/ID numbers for each user.
To add card/ID numbers:
-
In Primary number, select Auto-generate random ID. The Length field is displayed.
-
Type the number of digits you want the card/ID number to be.
-
Short numbers are easy for users to remember and fast to key in, but are also easier for someone to guess.
-
Make the Length long enough to generate numbers for all of your users.
-
If you require a secondary card/ID number for each user, repeat the previous two steps for Secondary number.
OR,
-
Alternatively, as of PaperCut NG/MF 21.1, you can sync these card or ID numbers stored in Google Cloud Directory's user details. This is done by choosing the Sync from AD/LDAP field option in step 5's drop-down menu.
-
The system will then allow you to input a field name to sync from. The field name must be identical to the name of the custom field created on Google Cloud Directory's user schema. This field must be accessible by the certificate you created and installed previously.
There are 2 types of values in Google Cloud Directory's fields when you add custom attribute fields to users. They can be either Whole numbers or Text. Choose carefully. This is managed on the Google Admin's dashboard by navigating through (menu on the left) Directory > Users > (top right) More > Manage custom attributes.
Sys Admins can use the number to search for users on the User List page. For more information refer to User card and ID numbers.
Scroll down and click Test Settings. PaperCut NG/MF displays the progress of the test and the results in the Testing sync settings popup.
Review the results to make sure all the expected users are there; then click Close.
Click Apply.
Set up the Sync Options
Whereas the sync source(s) you specified above determine where PaperCut NG/MF imports users from, the Sync Options section lets you make choices about what happens during the sync itself.
The options you select in this section:
-
affect only users added via the synchronization source
-
do not delete users in the PaperCut NG/MF database during the overnight automatic synchronizing
-
do not delete users added via Guest and anonymous user management. To delete users that do not exist in the Sync source, you must manually synchronize (click Synchronize Now).
-
In the Sync Options area, select what’s appropriate for your environment:
-
Update users' full-name, email, department and office when synchronizing
If a user's details in PaperCut NG/MF do not match those in the synchronization source, update the details in PaperCut NG/MF with the details from the sync source.
-
Import new users and update details overnight
Synchronization automatically occurs overnight at approximately 12:55am. PaperCut NG/MF imports all new and changed user details. No users are deleted during this sync.
-
-
Click Test Settings.
A Testing sync settings popup is displayed, the test runs, and the details of users and user groups that will be modified (updated, added, or deleted) when the actual sync operation runs are displayed. By default a maximum of 100 users are displayed.
TIP: You can configure the maximum number of deletion candidates that are displayed in the Testing sync settings popup. Use the config key user-source.test-sync.max-pending-deletion-entries-displayed.
For information about setting config keys, see Using the Advanced Config Editor.
-
Confirm that the number of users being added and, optionally, being deleted, matches your expectations.
-
Click Apply.
-
Click Synchronise Now. PaperCut NG/MF syncs with Google Cloud Directory. You can view the users in the User List.
-
After the sync, in Users > User List, select a username. The Details screen is displayed.
-
In the Other Details section, check and confirm the Card/Identity Numbers fields show the correct details.
Test your new print environment
Test the end-to-end printing experience on all interfaces to make sure it matches what you intended.
Work with real users and get their feedback on their experience.
If you are not going to set up Google Single sign on, then that’s it!
Step 5: (Optional) Set up Google Single sign on
(Optional) Manage Google Single sign on for Chromebooks
By default there will be a Sign in with Google button on Chromebooks so users do not have to re-enter their credentials to log in to PaperCut NG/MF.
If in your environment there are user accounts that do not have Gmail email addresses or Gmail accounts, you might want to consider turning off Single sign on. If you don’t, these users might click the Sign in with Google button and not be logged in because their account won’t be registered in PaperCut NG/MF.
To turn off Single sign on for Chromebooks:
-
Select Options > Mobile/BYOD.
-
In the Mobility print section, set up Mobility Print.
-
Click Apply.
(Optional) Set up Google Single sign on for Admin and User web interfaces
Google Workspace users can always log in to Chromebooks or PaperCut NG/MF Admin or User web interfaces by typing their Google credentials in the Username and Password fields.
However, if you set up Google Single sign on, users who have already logged in to their Chromebook or Google account in a browser will not need to re-enter their credentials to log in to PaperCut NG/MF. The Username and Password fields will still show on the login screen, but there will also be a Sign in with Google button for users to click instead.
Create the client secret JSON file in Google Workspace
-
Ensure your PaperCut NG/MF system environment is ready before you start to set up users to log in to PaperCut NG/MF using their Google credentials.
-
Ensure your organization owns a top-level, public fully qualified domain name (FQDN), for example:
-
schoolname.region.edu
-
campusname.school.region.edu
-
-
We highly recommend you use a secure browser connection, so ensure that:
Refer to Forcing use of HTTPS/SSL only.
-
-
Log in to the Google Workspace Developer’s API console. The Google APIs Dashboard screen is displayed.
-
In the title bar, next to the Google APIs heading, click the dropdown list showing a project name. The Select from popup is displayed.
-
Do one of the following:
-
If a project is already set up for synchronization with PaperCut NG/MF, click the project’s name. The API Dashboard is displayed with the project name in the title bar. Go to the next step.
-
If a project is not set up yet, create a new project:
-
At the top right of the popup, click NEW PROJECT. The New Project screen is displayed.
-
In the Project name field, type a name that identifies the project you’ll use for PaperCut NG/MF, for example, PaperCut NG/MF Authorise.
-
Click Create. The Credentials screen is displayed.
-
In the title bar, next to the Google APIs heading, click the project name drop-down. The Select from popup is displayed.
-
Click the new project’s name. The Google APIs main screen is displayed with the project name in the title bar, and the APIs Credentials popup is displayed.
-
-
-
Select the OAuth consent screen tab. The OAuth consent screen is displayed.
-
Type the details you want users to see when users log in to PaperCut NG/MF Admin or the User Web interface.
NOTE: If the PaperCut NG/MF Application Server isn't available on the internet, the Homepage URL will fail to validate on the OAuth consent screen and the message "Request contains an invalid argument" is displayed.
-
Click Save. The Credentials screen is displayed.
-
Click Create credentials; then select OAuth client ID.
The Create OAuth client ID screen is displayed.
-
Select Web application. Additional fields are displayed.
-
In the Name field, type the name for your OAuth Client ID.
NOTE: This is the name that PaperCut NG/MF will use to identify itself to Google when authorizing/authenticating users. A good example here is PaperCut MF OAuth Client ID.
-
In the Authorised redirect URIs field, type the full URI of your PaperCut NG/MF Application Server, for example:
https://papercut.schoolname.region.edu:9192/api/oauth2callback
NOTE: Unlike the Authorised JavaScript origins URI, this field requires the full URI. Make sure you include the trailing path.
-
Click Create. The OAuth client popup displays your client ID and client secret. You will use these credentials when you set up the sync source in PaperCut NG/MF.
-
Click OK. The Credentials screen is displayed. No need to save the credentials from here because you’ll download them in a few steps.
-
Click to download the credentials as a JSON file.
NOTE: The file is called client_secret_<your Client ID>.JSON. This is the client secret JSON file you need to be able to authorize PaperCut NG/MF to sync with Google.
-
Close the browser window.
Set up Google Single sign on (Sign in with Google) in PaperCut NG/MF
This part of the interface is for setting up Sign in with Google on the PaperCut NG/MF Admin web interface and User Web interface. You set up Single sign on for Mobility Print via the link at the bottom of this section.
-
Sign in to PaperCut NG/MF.
NOTE: Ensure the URI for the Admin interface you log in to is exactly the same as the URI you entered when setting up Google Workspace (on the Create OAuth client ID screen, in the Authorized JavaScript origins field).
For example: https://papercut.schoolname.region.edu:9192/admin
-
In the Admin web interface, select Options > User/Group Sync; then scroll to the Single Sign on with Google section.
-
Select the Enable the “Sign in with Google” button on the Admin and User web interfaces checkbox.
-
Click Choose file and select the JSON file you downloaded.
-
Click Upload client secret. The file is uploaded.
-
Test with real users to confirm the Sign in with Google button is visible on the PaperCut NG/MF login screen and works as expected.
-
If your environment uses Mobility Print, click Set up 'Sign in with Google' for Mobility Print and follow the instructions in Mobility Print.
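Before uploading the client secret file, you can check it against the URI rules given in the steps above: HTTPS, the full redirect URI with its trailing path, and an Admin URL that matches the registered JavaScript origin. The following Python is an added example, not part of PaperCut NG/MF. It assumes the usual layout of a Google web-application client secret file (a "web" section with "redirect_uris" and "javascript_origins"), treats the "exactly the same URI" rule as a match on scheme, host and port, and uses constructed sample files with placeholder IDs and secrets.

```python
import json
from urllib.parse import urlsplit

CALLBACK_PATH = "/api/oauth2callback"  # trailing path from the page's example URI
ADMIN_URL = "https://papercut.schoolname.region.edu:9192/admin"  # page's example

# Constructed client secret files; the IDs and secrets are placeholders.
GOOD = json.dumps({"web": {
    "client_id": "PLACEHOLDER.apps.googleusercontent.com",
    "client_secret": "PLACEHOLDER",
    "redirect_uris": [
        "https://papercut.schoolname.region.edu:9192/api/oauth2callback"],
    "javascript_origins": ["https://papercut.schoolname.region.edu:9192"],
}})
BAD = json.dumps({"web": {
    "client_id": "PLACEHOLDER.apps.googleusercontent.com",
    "client_secret": "PLACEHOLDER",
    "redirect_uris": ["http://papercut.schoolname.region.edu:9192/"],
    "javascript_origins": ["http://papercut.schoolname.region.edu:9192"],
}})


def origin_of(uri):
    """Return scheme://host[:port], lower-cased, with any path removed."""
    parts = urlsplit(uri)
    return f"{parts.scheme}://{parts.netloc}".lower()


def check_client_secret(json_text, admin_url):
    """Return a list of problems; an empty list means every check passed."""
    try:
        web = json.loads(json_text)["web"]
        redirects = list(web.get("redirect_uris", []))
        origins = {origin_of(o) for o in web.get("javascript_origins", [])}
    except (ValueError, KeyError, TypeError, AttributeError):
        return ["not a web-application client secret file"]

    findings = []
    admin_origin = origin_of(admin_url)
    if not admin_origin.startswith("https://"):
        findings.append(f"Admin URL is not HTTPS: {admin_url}")
    if not redirects:
        findings.append("no authorised redirect URI is registered")
    for uri in redirects:
        parts = urlsplit(uri)
        if parts.scheme.lower() != "https":
            findings.append(f"redirect URI is not HTTPS: {uri}")
        if parts.path != CALLBACK_PATH:
            findings.append(f"redirect URI does not end in {CALLBACK_PATH}: {uri}")
        if origin_of(uri) != admin_origin:
            findings.append(f"redirect URI points at a different origin: {uri}")
    if admin_origin not in origins:
        findings.append(f"{admin_origin} is not an authorised JavaScript origin")
    return findings


if __name__ == "__main__":
    for label, text in (("GOOD", GOOD), ("BAD", BAD)):
        problems = check_client_secret(text, ADMIN_URL)
        print(label, "OK" if not problems else problems)
```

The file contains the client secret, so run the check where the file is already stored and keep the file out of shared folders and tickets.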