- #Papercut ng server installation guide install#
- #Papercut ng server installation guide download#
- #Papercut ng server installation guide windows#
Get a copy of the IdPs metadata and put this on the Papercut server in C:\opt\shibboleth-sp\etc\shibboleth\ as a file called idp_metadata.xml (or whatever you decided to call the file in the previous section).Ħ. Grab a copy of your new SPs Metadata, usually by going to and submit this to the people that manage your Idp.ĥ. From painful experience I’ve found that not restarting the IIS site causes odd inconsistencies and so must be done along with the service restart whenever a change is made to shibboleth2.xml.Ĥ. Restart the Shibboleth service and then restart the IIS site Shibboleth is associated with. You may well have to tweak the section in bold to match your own environment.ģ. In our case we only want to pass on uid so the entire file consists of the following: We use the LDAP attribute uid but it’s really up to you.Įdit the file C:\opt\shibboleth-sp\etc\shibboleth\attribute-map.xml. We need to edit one more file in order to pass the attribute holding the users identifier to Papercut. This sections sets the location of our IdP and we only support SAML2 so other options have been removed.įinally we set the locate of the file that will hold the IdP metadata once we’ve downloaded it.Ģ. To increase security we make sure SSL is forced for connections and cookies. You can probably leave this out if you wish. IIS doesn’t actually do this properly, but I added uid for completeness. Next we set the entityID and choose what attributes to populate the REMOTE_USER variable with. The secure path is a default and one we use for testing and user is the one used for Papercut (we’ve chosen only to enable SSO for user logins, not for admins). Here we set the hostname for the service as presented to the end users and also define the paths that Shibboleth will protect. If you only have one site the ID will be 1, if you have more you will have to choose appropriately. This tells Shibboleth which IIS site to associate with. The changes we needed to make were to the following sections: You will need to edit the file C:\opt\shibboleth-sp\etc\shibboleth\shibboleth2.xml (you will need to use an elevated editor to edit the file if UAC is enabled, and if UAC isn’t enabled you might want to reconsider that!) in order to change the defaults to something that will work. Verify the Shibboleth 2 Daemon (Default) service is running (If it isn’t you will want to check the log files in C:\opt\shibboleth-sp\var\log\shibboleth, especially shibd logs) Step 2 – Configure Shibbolethġ. The instructions assume you’ve just selected the default options from this point on.Ħ. Run the Shibboleth installer on the Papercut server.
#Papercut ng server installation guide install#
On the Papercut server install the Web Server (IIS) role is installed along with the ISAPI Extensions and ISAPI Filters which are under Application Development and also the full set of IIS6 Management Compatibility features.Ĥ.
#Papercut ng server installation guide download#
Download the latest Shibboleth SP win32/win64 binary from here and verify the sha256/sha1/md5 signature as appropriateģ. Shutdown Papercut to prevent any issues whilst configuring Shibboleth (you will need to restart the server anyway)Ģ. We still allow direct onsite access to Papercut on 9192 as a workaround to this. One word of warning – if you implement SSO you’ll stop any Papercut internal accounts from being able to authenticate. We already had IIS in front of Papercut to force users from port 80 to 443 so our starting state may be slightly different to people using just the default 9192 but you can just ignore the instructions for switching ports around if so.Īt the end of these instructions you’ll have IIS with ARR and a Shibboleth SP installed on the same server as the Papercut application. The Papercut instructions assume you will be running Apache or similar in front of it to undertake the Service Provider (SP) role but ideally we wanted to use as much native Microsoft infrastructure as possible and so we used IIS along with the Application Request Routing (ARR) module.
#Papercut ng server installation guide windows#
Papercut supports Integrated Windows Authentication and Webauth options for SSO, with Webauth being the most suitable for our setup. With release 13.4 this changed and we began to look at the options. For some time we had wanted to implement SSO on our Papercut installation but any form of SSO was not supported by Papercut.
0 kommentar(er)
