User Authentication Providers
User Authentication Providers define how HP Insights verifies the identity of print users (end users). The configured provider determines where authentication happens, how credentials are validated, and how a verified identity is carried across print workflows including Secure Print, Secure Print Direct, Print Scout, and the User Portal.
This setting is configured once at the tenant level under Account Settings > Settings > User Authentication Providers and applies to all devices and workflows in your environment.
Note: Administrator access to the web console is configured separately under Account Settings > Admin SSO (or Single Sign-on Configuration for legacy tenants). However, when Admin SSO is enabled, it reuses the same identity provider configuration defined here in User Authentication Provider. You don't configure the IdP twice. What differs is the authentication flow and post-authentication handling: print users authenticate via the identity service for print workflows, while admin users authenticate via the identity-sts SSO endpoint and are mapped to system user roles via SCIM group mapping. See Configure SSO with SCIM for system users for details.
How the configured provider applies across HP Insights
The Authentication Provider setting applies tenant-wide. All HP Insights services use the same configured provider, although support for specific authentication methods may vary by workflow or client.
At the device (Secure Print)
In a Secure Print workflow, the user authenticates at the printer to release held jobs. Secure Print Direct jobs are sent directly to the printer and do not require authentication at the device; see On the workstation (Print Scout) for how Secure Print Direct authentication is handled.
The user initiates authentication at the printer using the configured sign-in method (for example, card, PIN, or passcode). The device submits the credentials to HP Insights, which resolves and validates the user’s identity based on the configured authentication provider. The device communicates only with HP Insights and does not connect directly to the identity provider.
On the workstation (Print Scout)
Print Scout determines the authentication mode from the configured authentication provider and handles authentication accordingly. This applies to both Secure Print (where jobs are held until released at the printer) and Secure Print Direct (where jobs are sent straight to the printer without a release step at the device).
- Active Directory: Print Scout resolves the user’s identity from the current workstation session using the logged-in Windows account. No additional user interaction is required.
- OpenID Connect (OIDC) and SAML: For OIDC and SAML, the user is initially redirected to the identity provider through a browser-based sign-in flow. After successful authentication, HP Insights issues a token that Print Scout uses for subsequent operations. Print Scout manages the token lifecycle, including renewal, so the user is not prompted again during the session.
- Internal authentication (email and PIN): The user is prompted to enter their email address and PIN during initial registration. Once authenticated, Print Scout associates the identity with the user’s workstation and does not require repeated sign-in unless the session is cleared or expires.
In the browser (User Portal)
Authentication in the User Portal is browser-based. For OpenID Connect and SAML, HP Insights redirects the user to the configured identity provider and validates the returned token or assertion before granting access. For Internal authentication, users sign in directly with their email and password.
On mobile (HP Secure Print mobile app)
The mobile app does not authenticate independently. A user registers their mobile device through Print Scout on their workstation after authenticating there. The app then uses that registered identity for releasing jobs. If the workstation identity changes or the registration is cleared, the user must re-register.
Note: Switching the Authentication Provider clears all existing user registrations, including mobile, card, PIN, SSO, and email/PIN registrations. This action requires Site Encryption Key confirmation. Users will need to re-register under the new provider before they can release jobs.
Available Authentication Providers
Internal
Users register with an email address and PIN managed directly by HP Insights. No external directory or identity provider is required.
This is the default for new tenants and the simplest option for organisations without an existing IdP.
→ Configure Internal Authentication
Active Directory
Print Scout uses the user's logged-in Windows workstation identity. No separate user registration step is required. Users can print immediately after Print Scout is installed. Best for organisations with on-premises Active Directory who want zero-friction onboarding.
→ Configure Active Directory Authentication
OpenID Connect
Users authenticate via an external identity provider (Microsoft Entra ID, Google, PingFederate) using token-based Single Sign-On. Users register once in the HP Secure Print desktop app and receive a passcode for printer authentication. Best for organisations with a modern cloud IdP that requires SSO.
→ Configure OpenID Connect Authentication
SAML 2.0
Users authenticate via a SAML identity provider (Microsoft Entra ID, Okta). HP Insights acts as the SAML Service Provider. Like OIDC, users register once and receive a passcode for printer authentication. SAML can be configured in three ways:
- Dynamic (recommended): Provide a Metadata URL and HP Insights auto-loads the IdP settings
- XML file upload: Upload the federation metadata XML to auto-fill the fields
- Manual: Enter Entity ID, Single Sign-in URL, Signing Certificate, and Email Field directly
Best for enterprise organisations with an existing SAML IdP already in place.
→ Configuring SAML 2.0 for print users
Testing your configuration
After configuring an authentication provider, use the Test button to verify the IdP returns the expected identity. This is useful both for validating print user authentication and for troubleshooting Admin SSO login issues, since both flows rely on the same IdP configuration.
Choosing a provider
When choosing a User Authentication Provider, the most important factor is your organization’s existing identity system.
- Use OpenID Connect (OIDC) for modern cloud-based identity providers such as Microsoft Entra ID, Google, or Okta.
- Use SAML if your organization requires SAML-based SSO or has an existing SAML IdP.
- Use Active Directory if your environment relies on on-premises Windows domain authentication.
- Use Internal authentication only for small or standalone deployments without an identity system.