Managing Federated Authentication for InfoPrint Manager for Linux

InfoPrint Manager allows you to use federated authentication as an alternative to the existing FST or LDAP/AD security.

Federated authentication is a method of granting users secure access to the InfoPrint Manager Web Management Interface and the InfoPrint Manager Web Administration Interface by relying on external identity providers (IdPs). Instead of managing separate user credentials within our system, federated authentication allows users to log in using their existing accounts from trusted third-party services.

Configuring Federated Authentication
Before enabling federated authentication, the InfoPrint Manager administrator must configure the connection settings between InfoPrint Manager and the federated authentication server.
To configure federated authentication:
  1. Start the InfoPrint Manager Web Management Interface.
  2. Click the Security tab in the left pane.
  3. Select the Federated Authentication option.
  4. In the Federated Authentication dialog, specify the required values.
      Important:
    • Make sure that the information that you enter in each field is correct. InfoPrint Manager does not validate the data you enter in the Federated Authentication dialog.
    • For more information about a field property, click the ? button next to it.
  5. Select the name of the identity provider (IdP) you want to use to authenticate from the Identity provider list.
  6. In the Authorization endpoint field, enter the uniform resource identifier (URI) of the identity provider where client applications send the user to get authenticated.
  7. In the Client ID field, enter the unique string representing the client identifier issued by the identity provider for InfoPrint Manager during the registration process.
  8. In the Client secret field, enter the string representing the client passkey generated by the identity provider allowing the client to authenticate to the authorization server.
      Note:
    • The Client secret field is not available when the Use PKCE option is checked.
  9. In the Token endpoint field, enter the uniform resource identifier (URI) of the identity provider where the access token and the ID token are requested.
  10. In the User information endpoint field, enter the uniform resource identifier (URI) of the identity provider where the user information is requested.
      Note:
    • The User information endpoint field is displayed only for the Common Approach to Identity Assurance (CAIA) identity provider.
  11. In the Logout endpoint field, enter the uniform resource identifier (URI) where the user is redirected to end the authentication session.
  12. In the Redirect hostname and port field, enter the external host name and port for the InfoPrint Manager web server. The host name and port are used to generate the uniform resource identifier (URI) of the application, the location where the authorization server redirects the user once the application has been successfully authorized and granted an authorization code or access token.
      Note:
    • A colon (:) must separate the host name/IP address and the port number. For example, prod.yourcompany.com:14443 or 123.123.123.123:14443.
  13. Check the Allow insecure context box if you want to allow communication with identity providers that use self-signed certificates.
  14. Check the Enforce federated authentication box to make federated authentication compulsory and to bypass the standard login dialog of the application.
      Note:
    • If you entered any incorrect values in the Federated Authentication dialog, after checking the Enforce federated authentication box you no longer have access to the standard login dialog, making you unable to update the configuration values.
  15. Check the Use PKCE box if you want to use a Proof Key for Code Exchange (PKCE).
      Note:
    • The Use PKCE field is displayed only for the Okta® identity provider.
  16. In the User roles parameter field, enter the name of the parameter sent by the identity provider that contains the user roles or group membership information relevant to InfoPrint Manager. You must first configure the identity provider to include the user roles or group membership information as a claim, either in the user identification token for Active Directory Federation Services™ (AD FS) and Okta, or in the User information endpoint response for CAIA.
      Note:
    • Keep in mind that the actual steps and terminology can vary depending on the identity provider being used. The group claim name might be role for CAIA, groups for Okta, and memberof for AD FS. Any other value you currently use is accepted.
    • Consult the documentation of your identity provider for detailed instructions on how to do this customization.
      Important:
    • InfoPrint Manager validates the user roles to control access to different resources and functionalities based on the roles specified in the user identification token or in the User information endpoint response. To access the Web Management Interface, the system verifies whether the user ID belongs to the acl_admin group. To grant permissions to the desired users, make them members of the acl_admin group defined on the website of your chosen IdP.
  17. If your company uses proxy servers, ask your IT department for the correct IP address or host name and port number to use. In the Proxy host and port field, enter the host name and port of the proxy server that the communication goes through.
      Note:
    • A colon (:) must separate the host name/IP address and the port number. For example, proxy.example.com:3128 or 123.123.123.123:3128.
  18. Click Save.
      Note:
    • If you click the Save button while the Federated Authentication switch is set to ON, the web server restarts automatically to apply the changes.
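
A pre-flight check for the values in the procedure above, useful because the dialog does not validate its input and enforcing federated authentication with wrong values removes the standard login dialog. This is an added example, not InfoPrint Manager code: the dictionary keys, the constructed sample values, the https requirement, and treating empty fields as errors are assumptions made here.

```python
import re
from urllib.parse import urlsplit

HOSTPORT = re.compile(r"^[A-Za-z0-9.-]+:(\d{1,5})$")   # host name or IPv4, colon, port

def check_settings(cfg):
    """Return the problems found in a dict of dialog values (keys are hypothetical)."""
    problems, idp = [], cfg.get("identity_provider")
    endpoints = ["authorization_endpoint", "token_endpoint", "logout_endpoint"]
    if idp == "CAIA":
        endpoints.append("user_information_endpoint")   # field exists only for CAIA
    for key in endpoints:
        uri = urlsplit(cfg.get(key, ""))
        if uri.scheme != "https" or not uri.hostname:    # https: assumption of this example
            problems.append(f"{key}: not an absolute https URI")
    for key in ("redirect_host_port", "proxy_host_port"):
        value = cfg.get(key, "")
        if key == "proxy_host_port" and not value:
            continue                                     # proxy is only set when one is used
        m = HOSTPORT.match(value)
        if not m or not 1 <= int(m.group(1)) <= 65535:
            problems.append(f"{key}: expected host:port")
    for key in ("client_id", "user_roles_parameter"):
        if not cfg.get(key):
            problems.append(f"{key}: empty")
    if cfg.get("use_pkce"):
        if idp != "Okta":
            problems.append("use_pkce: offered only for Okta")
        if cfg.get("client_secret"):
            problems.append("client_secret: not available when Use PKCE is checked")
    elif not cfg.get("client_secret"):
        problems.append("client_secret: empty")
    if problems and cfg.get("enforce_federated_authentication"):
        problems.append("enforce: standard login would be bypassed while values are wrong")
    return problems

def has_admin_role(claims, roles_parameter, group="acl_admin"):
    """True if the roles claim (a string or a list) names the acl_admin group."""
    value = claims.get(roles_parameter) or []
    return group in ([value] if isinstance(value, str) else value)

# Constructed sample: Okta with PKCE, and a space typed instead of the colon.
SAMPLE = {"identity_provider": "Okta", "use_pkce": True, "client_id": "example-client-id",
          "authorization_endpoint": "https://idp.example.com/authorize",
          "token_endpoint": "https://idp.example.com/token",
          "logout_endpoint": "https://idp.example.com/logout",
          "redirect_host_port": "prod.yourcompany.com 14443",
          "user_roles_parameter": "groups", "enforce_federated_authentication": True}
```

Run check_settings on the values you intend to enter before checking the Enforce federated authentication box, and run has_admin_role on the claims your identity provider returns for a test user (the decoded ID token for AD FS and Okta, the User information endpoint response for CAIA).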
Enable/Disable Federated Authentication
The InfoPrint Manager Web Management Interface allows you to enable or disable federated authentication.
To enable or disable federated authentication:
  1. Go to the InfoPrint Manager Web Management Interface.
  2. Click the Security tab in the left pane.
  3. Select the Federated Authentication option.
  4. Use the switch at the top of the Federated Authentication dialog to enable or disable federated authentication.
      Note:
    • When you enable federated authentication, the FST or LDAP/AD security continues to work as before.
    • When you enable or disable federated authentication, the web server restarts automatically.