OpenID Connect (OIDC)

This document covers how OpenID Connect works as an authentication provider for both Secure Print and Secure Print Direct.

What is OpenID Connect?

The OpenID Foundation defines OpenID Connect (OIDC) as a simple identity layer built on top of the OAuth 2.0 protocol. It allows clients to verify the identity of the end-user based on the authentication performed by an identity provider, as well as to obtain basic profile information about the end-user.

You can get more information about OpenID Connect from the OpenID Foundation’s website.

Benefits of OpenID Connect

  • Integrates with well-known identity providers like Microsoft® Entra ID, Google, etc.
  • Eliminates the responsibility of storing and managing user credentials.
  • Separates the user’s print identity from the workstation’s login identity. It does not matter what the user logs in as.

Authentication Providers

Before users can submit and release print jobs, they need to register with HP Insights. Registration establishes their print identity: the email address that links their workstation, print queue, and device authentication. Print Scout handles this on their behalf.

HP Insights supports four authentication providers:

  • Internal – Uses a familiar email-based account verification workflow. This is the default option.

  • Active Directory – This option is suitable for organizations that use Windows Active Directory (AD) for managing users. The Print Scout uses the user’s workstation ID to establish the identity of the user. This option does not require user registration, which means users can submit and release print jobs immediately.

  • OpenID Connect – This option uses token-based OpenID Connect technology to verify print user identity. It is suitable for organizations that have an existing supported OpenID Connect Identity Provider (e.g., Microsoft Entra ID, Google) and well-governed, well-known badges for user access and identity.

  • SAML (Security Assertion Markup Language) 2.0 – This option uses the SAML protocol to authenticate the identity of print users. It is ideal for organizations that already have a SAML configuration in place.

How OpenID works in HP Insights

Install Print Scout on Users' Workstations

Print Scout must be installed on users’ workstations. The Print Scout installs the HP Secure Print desktop app, which enables user registration. During user registration, the Print Scout will obtain the user’s email address from the returned identity token. That email address then becomes the user’s identity for printing.

HP Insights supports Print Scout installation on Windows, macOS, and Linux.

Refer to the HP Insights documentation for the list of supported versions.

Note: Linux Print Scout does not install the HP Secure Print desktop app. User registration starts by submitting a print job to the default HP Secure Printer that the Print Scout installs.

User Registration

The registration steps differ slightly by platform:

  • On a Windows or Mac workstation, the user launches the HP Secure Print desktop app.
  • On a Linux machine, the user starts registration by sending a print job to the default HP Secure Printer.

On the screen that appears, the user clicks Login to continue.

The app redirects the authentication request to the organization’s identity provider. The user is prompted for their email address and password.

The screen shown to the user depends on the organization’s identity provider.

When authentication is successful, the user sees the message “Authenticated successfully”. From this point, Print Scout manages token refresh silently. The user is not prompted to sign in again unless the refresh token expires or the authentication provider changes.

What happens during registration

When a user registers with HP Insights using OpenID Connect, the HP Insights Identity Service acts as the broker between Print Scout and your identity provider. The user's credentials never pass through Pharos. Authentication is handled entirely by your identity provider, and HP Insights receives only the resulting tokens.

The diagram below shows the authentication sequence from the moment a user clicks Login to continue through to their print identity being established.

  1. Authentication request – Print Scout sends an authentication request to the HP Insights Identity Service, which redirects the user to the configured identity provider. The request includes the client ID, requested scopes, redirect URI, and response type.

  2. Identity provider login – The identity provider returns its login page, displayed to the user in an embedded browser. The user enters their organizational credentials (username and password, or whatever the identity provider requires).

  3. Authorization code returned – On successful authentication, the identity provider redirects back to the HP Insights Identity Service and issues a short-lived authorization code.

  4. Token exchange – The Identity Service exchanges the authorization code for three tokens: an access token, an ID token, and a refresh token. This exchange happens server-side; the tokens are never exposed to the client.

  5. Identity established – The Identity Service reads the email address from the ID token and registers it as the user's print identity in HP Insights. From this point, the user's email address is used to attribute jobs, authenticate at devices, and link print activity across Secure Print and Secure Print Direct.

For user-facing instructions, see Register using OpenID Connect credentials.

OpenID Specifications

Authorization Flows

Authorization flow defines how an application receives tokens. OpenID Connect supports the following flows (also called grant types) for authentication:

  • Authorization Code
  • Implicit
  • Hybrid

The Identity Service uses the “Authorization Code Flow” by default. When the Print Scout sends an authentication request to the identity provider, the identity provider returns a short-lived authorization code to the HP Insights Identity Service. The HP Insights Identity Service then exchanges this authorization code for an access token, a refresh token, and an ID token.

Note: Implicit Flow is not supported.

Default Scopes

The HP Insights Identity Service redirects the user to the identity provider with the following scopes by default.

  • openid – Required. Indicates that the Print Scout intends to use the OpenID Connect protocol to verify a user’s identity.
  • email – Required. Returns the email claim, which contains the user’s email address. This email address is used to identify the user at the Secure Printer when releasing print jobs. Claim supported: email.
  • profile – Optional. Can be used to personalize HP Insights; for example, you can request the user’s name to show on the printer.

Notes:

  • HP Insights uses the standard scopes and claims as defined in OAuth 2.0. If your identity provider uses customized scopes (e.g., your system expects mail instead of the standard email scope), contact the operations team.
  • The offline_access scope is not part of the scope list.
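As an added example that is not part of this document or of the HP Insights product, the following Python sketch walks the registration sequence (steps 1 to 5), the Authorization Code Flow and the default scope list: it builds the authentication request, validates the callback, and extracts the email claim from a constructed HS256-signed ID token only after verifying it. The endpoints, client ID, state value and signing key are assumed placeholders.

```python
# Added example (not HP/Pharos code): Authorization Code flow helpers mirroring steps 1-5 above.
import base64, hashlib, hmac, json, time
from urllib.parse import urlencode, urlparse, parse_qs

DEFAULT_SCOPES = ("openid", "email", "profile")  # the page's default scope list; no offline_access

def build_auth_request(authorize_endpoint, client_id, redirect_uri, state, scopes=DEFAULT_SCOPES):
    """Step 1: client ID, requested scopes, redirect URI and response_type=code (never token)."""
    params = {"response_type": "code", "client_id": client_id, "redirect_uri": redirect_uri,
              "scope": " ".join(scopes), "state": state}
    return f"{authorize_endpoint}?{urlencode(params)}"

def parse_callback(callback_url, expected_state):
    """Step 3: accept only a code in the query string; fragment responses (Implicit Flow) are rejected."""
    parts = urlparse(callback_url)
    if parts.fragment:
        raise ValueError("fragment response: Implicit Flow is not supported")
    query = parse_qs(parts.query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback does not belong to the request we sent")
    if "error" in query:
        raise ValueError("provider error: " + query["error"][0])
    return query["code"][0]

def _b64url(raw): return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
def _unb64url(text): return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_id_token(claims, key):
    """Constructed HS256 token standing in for the ID token of step 4 (real providers use RS256)."""
    header, body = _b64url(b'{"alg":"HS256","typ":"JWT"}'), _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def email_from_id_token(token, key, issuer, client_id, now=None):
    """Step 5: verify alg, signature, issuer, audience and expiry before trusting the email claim."""
    header, body, sig = token.split(".")
    if json.loads(_unb64url(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # refuse alg switching, including 'none'
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64url(body))
    if claims.get("iss") != issuer or claims.get("aud") != client_id:
        raise ValueError("wrong issuer or audience")
    if claims.get("exp", 0) <= (now if now is not None else time.time()):
        raise ValueError("ID token expired")
    if "email" not in claims:
        raise ValueError("no email claim: the email scope was not granted")
    return claims["email"]  # this becomes the user's print identity
```

A production client would fetch the provider's public keys from its discovery document and verify an RS256 signature instead of the shared-key stand-in used here.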