Managing Federated Authentication for InfoPrint Manager for Linux
InfoPrint Manager allows you to use federated authentication as an alternative to the existing FST or LDAP/AD security.
Federated authentication is a method of granting users secure access to InfoPrint Manager Web Management Interface and InfoPrint Manager Web Administration Interface by relying on external identity providers (IdPs). Instead of managing separate user credentials within our system, federated authentication allows users to log in using their existing accounts from trusted third-party services.
- Configuring Federated Authentication
- Before enabling federated authentication, the InfoPrint Manager administrator must configure the connection settings between InfoPrint Manager and the federated authentication server.
- To configure federated authentication:
- Start the InfoPrint Manager Web Management Interface.
- Click the Security tab in the left pane.
- Select the Federated Authentication option.
- In the Federated Authentication dialog, specify the required values.
- Select the name of the identity provider (IdP) you want to use to authenticate from the Identity provider list.
- In the Authorization endpoint field, enter the uniform resource identifier (URI) of the identity provider where client applications send the user to get authenticated.
- In the Client ID field, enter the unique string representing the client identifier issued by the identity provider for InfoPrint Manager during the registration process.
- In the Client secret field, enter the string representing the client passkey generated by the identity provider allowing the client to authenticate to the authorization server.
- In the Token endpoint field, enter the uniform resource identifier (URI) of the identity provider where the access token and the ID token are requested.
- In the User information endpoint field, enter the uniform resource identifier (URI) of the identity provider where the user information is requested.
- In the Logout endpoint field, enter the uniform resource identifier (URI) where the user is redirected to end the authentication session.
- In the Redirect hostname and port field, enter the external host name and port for the InfoPrint Manager web server. The host name and port are used to generate the uniform resource identifier (URI) of the application, the location where the authorization server redirects the user once the application has been successfully authorized and granted an authorization code or access token.
- Check the Allow insecure context box if you want to enable the possibility to communicate with identity providers using self-signed certificates.
- Check the Enforce federated authentication box to make federated authentication compulsory and to bypass the standard login dialog of the application.
- Check the Use PKCE box if you want to use a Proof Key for Code Exchange (PKCE).
- In the User roles paramater field, enter the parameter name sent by the identity provider, that contains the
user roles or group membership information relevant to InfoPrint Manager. You have to configure beforehand the identity provider to include the user roles
or group membership information as a claim either in the user identification token
for Active Directory Federation Services™ (AD FS) and Okta, or in the User information endpoint response for CAIA.
- Note:
- Keep in mind that the actual steps and terminology can vary depending on the identity provider being used. The group claim name might be role for CAIA, groups for Okta, and memberof for AD FS. Any other value you currently use is accepted.
- Consult the documentation of your identity provider for detailed instructions on how to do this customization.
- Important:
- InfoPrint Manager validates the user roles to control access to different resources and functionalities based on the roles specified in the user identification token or in the User information endpoint response. To access the Web Management Interface, the system verifies whether the user ID belongs to the acl_admin group. To grant permissions to desired users, they must be members of the acl_admin group defined on the website of your chosen IdP.
- If your company uses proxy servers, ask your IT department for the correct IP address or host name and port number to use. In the Proxy host and port field, enter the host name and port of the proxy server used to communicate through.
- Click Save.
- Enable/Disable Federated Authentication
- The InfoPrint Manager Web Management Interface allows you to enable or disable federated authentication.
- To enable or disable federated authentication:
- Go to the InfoPrint Manager Web Management Interface.
- Click the Security tab in the left pane.
- Select the Federated Authentication option.
- Use the switch at the top of the Federated Authentication dialog to enable or disable federated authentication.