Configure OpenID Connect Authentication
Once the HP Insights application has been registered in your identity provider, you can enter the OIDC settings into the HP Insights web console.
Required Configuration Values
You will need the following three values, collected during the Entra ID registration steps above:
- Well-Known Endpoint — The OpenID Connect metadata document URL from Entra ID Endpoints.
- Client ID — The Application (Client) ID from the app Overview page.
- Client Secret — The secret value created under Certificates & Secrets.
For step-by-step instructions for registering in Microsoft Entra ID, see Configuring OIDC with Microsoft Entra ID.
Entering OpenID Settings in HP Insights
After you’ve registered the HP Insights application to your OpenID provider, you can now add the client-specific OpenID Connect settings into HP Insights.
- Log in to the web console.
- Navigate to the Account Settings > Settings tab.
- In the User Authentication Providers section, select OpenID Connect.
- Enter the following details:
  - Well-Known Endpoint
  - Client ID
  - Client Secret
- Click Test to verify the connection to your IdP before saving.
- Click Save and enter the Site Encryption Key when prompted.
Note: After saving, configure Claim Mapping to control how user attributes from the IdP token map to HP Insights user properties. See Claim Mapping.
Verifying the Configuration
- Launch the HP Secure Print desktop app on a test workstation (Windows or Mac) or submit a print job (Linux).
- Click Login to continue and confirm you are redirected to your organisation's identity provider login page.
- Authenticate with your organisational credentials.
- Confirm the message "Authenticated successfully" appears.
| Field | Description |
|---|---|
| Well-Known Endpoint | HP Insights uses the Well-Known Endpoint (also called the “discovery document”) to retrieve metadata about your Identity Provider. This is used to configure user authentication sessions automatically. It returns information like the issuer name, key material, supported scopes, token endpoint URL, and so on. See the OpenID specification document (https://openid.net/specs/openid-connect-discovery-1_0.html) for more details. Note: All URLs contained within the discovery metadata need to be publicly accessible. OpenID providers publish their metadata at a well-known URL. Here are some examples: |
| Client ID | The application ID assigned to the HP Insights application in your IdP. Called "Application ID" in Microsoft Entra ID. |
| Client Secret | The client secret generated for the HP Insights application in your IdP. Store this value securely; it is not displayed again after saving. If the secret expires, OIDC authentication stops for all print users until the secret is updated. Also called "Application Password". |
| Redirect URI | The Redirect URI (also referred to as the reply URL or callback URL) defines the endpoint where the identity provider sends authentication responses after the user signs in. The redirect URI looks like this: https://<hosting-environment>/login/connect/external/signin-openidconnect HP EU: https://api-eu.insights.hpondemand.com/login/connect/external/signin-openidconnect HP US: https://api.insights.hpondemand.com/login/connect/external/signin-openidconnect |
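
A pre-flight check for the discovery document described in the table above, as an added example that is not HP's code: it flags missing fields, an issuer that does not match the Well-Known Endpoint, non-HTTPS URLs, and hosts that are not publicly reachable. The sample document, the idp.example.com names and the internal-host heuristic are constructed assumptions.

```python
import ipaddress
import json
from urllib.parse import urlsplit

SUFFIX = "/.well-known/openid-configuration"
# URL-valued fields commonly present in OIDC provider metadata.
URL_FIELDS = ("issuer", "authorization_endpoint", "token_endpoint",
              "jwks_uri", "userinfo_endpoint", "end_session_endpoint")
REQUIRED = ("issuer", "authorization_endpoint", "jwks_uri")

# Constructed sample: token endpoint is plain http, jwks_uri is an internal host.
SAMPLE_URL = "https://idp.example.com/tenant1" + SUFFIX
SAMPLE = json.loads("""{
  "issuer": "https://idp.example.com/tenant1",
  "authorization_endpoint": "https://idp.example.com/tenant1/authorize",
  "token_endpoint": "http://idp.example.com/tenant1/token",
  "jwks_uri": "https://10.20.0.5/tenant1/keys"
}""")

def host_is_internal(host):
    """True for hosts a cloud service cannot reach (assumed heuristic)."""
    try:
        return not ipaddress.ip_address(host).is_global
    except ValueError:  # not an IP literal, so judge by name
        return (host == "localhost" or "." not in host
                or host.endswith((".local", ".internal", ".lan")))

def check_discovery(well_known_url, metadata):
    """Return a list of problems found in a discovery document."""
    problems = [f"{f}: missing" for f in REQUIRED if f not in metadata]
    # Discovery 1.0: issuer must equal the well-known URL minus the suffix.
    if not well_known_url.endswith(SUFFIX):
        problems.append("well-known URL: unexpected path")
    elif metadata.get("issuer") != well_known_url[:-len(SUFFIX)]:
        problems.append("issuer: does not match the well-known URL")
    for field in URL_FIELDS:
        value = metadata.get(field)
        if value is None:
            continue
        parts = urlsplit(value)
        if parts.scheme != "https":
            problems.append(f"{field}: not https")
        if not parts.hostname or host_is_internal(parts.hostname):
            problems.append(f"{field}: host not publicly reachable")
    return problems

if __name__ == "__main__":
    print("\n".join(check_discovery(SAMPLE_URL, SAMPLE)) or "no problems found")
```

With Entra ID the issuer carries the tenant GUID, so a well-known URL written with a tenant domain name is reported as an issuer mismatch.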
The user completes the OIDC login flow successfully but the HP Secure Print desktop app does not display a passcode. Reinstalling Print Scout or deleting the user registration does not resolve this. This is a known tenant-level cloud configuration issue. Contact Support with your tenant GUID.
Users experience a period where OIDC authentication fails completely and then recovers on its own. The cloud logs show an error similar to "System.Security.Cryptography.CryptographicException: An error occurred during a cryptographic operation", with an inner exception referencing invalid Base-64 characters.
This is a known intermittent issue in the Identity Service component. It typically resolves without intervention. If it persists beyond 30 minutes, contact Support with your tenant GUID and the approximate time of the outage so the cloud logs can be reviewed.
If the Client ID, Client Secret, or Well-Known Endpoint is changed after users have registered, existing users fail to authenticate because their stored tokens are no longer valid for the new configuration. When making any change to the OIDC configuration, purge all existing user registrations at the same time. Users must re-register from the HP Secure Print desktop app.