User Authentication Providers
Every print user must first register with Secure Print before they can print documents. Registration is required to establish the identity of users who submit print jobs. The Print Scout component is responsible for facilitating user registration.
Secure Print supports three authentication providers for user registration.
- Email Authentication – Uses a familiar email-based account verification workflow. This is the default option.
- Active Directory – This option is suitable for organizations that use Windows Active Directory (AD) for managing users. The Print Scout uses the user’s workstation ID to establish the identity of the user. This option does not require user registration, which means users can submit and release print jobs at once.
- OpenID Connect – This option uses token-based OpenID Connect technology to verify print user identity. It is suitable for organizations that have an existing supported OpenID Connect Identity Provider (e.g., Azure AD, Google) and well-governed, well-known badges for user access and identity.
Note: Changing authentication providers will clear all existing user registrations, meaning all existing users will need to register again. You'll also need the Site Encryption Key to switch authentication providers.
Email Authentication
With email-based authentication, users register with HP Secure Print by providing an email address. Secure Print then sends an email containing a unique link and verification code to the email address provided, allowing the user to validate ownership of the email account and complete their registration.
Users register their proximity card at a printer using their email address and PIN combination. After this initial setup, the user's ID card is all that's required to authenticate at a network device to release documents. If a user’s proximity card is lost, damaged, or forgotten, users can authenticate at a printer using their registered email address and PIN code.
For information on how to register an email address to Secure Print, refer to the Register email address to HP Secure Print topic.
Email domain whitelist
The Email domain whitelist section allows you to add email domains that you wish users to be able to register with. Email domains that are not on the list are blocked. Users will see the message "<domain>" is not allowed when registering an email address from a domain that is not on the list. If you leave the list empty, HP Secure Print allows users to register from any domain. This is the default behavior.
Adding a domain to the whitelist
In the Email domain whitelist field, enter the domain that you want to whitelist and then click Add. You can add more than one email domain. Click Save for changes to take effect.
Deleting a domain from the whitelist
To delete a domain, select the domain you want to remove and then click the Delete selected button.
Note: If you delete a domain that users are already registered with, existing users will be able to use Secure Print as usual, but new users will only be allowed to register with domains in the whitelist.
Active Directory
This authentication option is suitable for organizations that use Windows Active Directory (AD) for managing users. With this option, users authenticate at secure printers using their network credentials.
If card registration is enabled (under Proximity Card Settings in the Secure > Settings screen), users can walk to any printer, swipe their card and enter their network ID. After this initial setup, a user's ID card is all that's required to authenticate at a printer to release documents.
OpenID Connect
Secure Print supports OpenID Connect for Single Sign-on (SSO). When a user prints a document for the first time, they are redirected to the authentication provider’s (Azure AD, Google, etc.) login page. Users log in to Secure Print using their credentials from the authentication provider configured in the system. Once logged in to their provider, users are automatically logged in to Secure Print.
Note: Secure Print supports the following authentication providers: Microsoft Azure AD, Google and PingFederate.
Prerequisite:
Before you can use OpenID Connect with Secure Print, you must first create and register an application for Secure Print in your OpenID provider. The OpenID provider assigns a unique Client ID/Application ID and Client Secret for the application after a successful registration. Record these values because you need them to configure Secure Print.
Before you Begin
Refer to the following documents to set up OpenID Connect as an authentication provider for Secure Print:
Configuring OpenID Connect
To configure an OpenID Connect authentication provider, follow these steps:
- Navigate to the Secure > Settings tab.
- In the User Authentication Providers section, select OpenID Connect.
- Enter the following details of the Secure Print application as provided by the OpenID authentication provider:
  - Well-Known Endpoint
  - Client ID
  - Client Secret
- Save the changes.
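A pre-flight check that can be run on the provider's discovery document before the Well-Known Endpoint is entered in the step above. This is an added example, not HP's code: it assumes the Well-Known Endpoint is the standard OpenID Connect discovery URL, and `check_discovery`, the constants and the `idp.example.com` values are hypothetical, constructed names.

```python
from urllib.parse import urlparse

SUFFIX = "/.well-known/openid-configuration"
# Metadata that OpenID Connect Discovery 1.0 marks as REQUIRED.
REQUIRED = ("issuer", "authorization_endpoint", "jwks_uri",
            "response_types_supported", "subject_types_supported",
            "id_token_signing_alg_values_supported")
ENDPOINTS = ("authorization_endpoint", "token_endpoint", "jwks_uri")

def check_discovery(well_known_url, doc):
    """Return a list of problems; an empty list means no problem was found."""
    problems = []
    if urlparse(well_known_url).scheme != "https":
        problems.append("well-known endpoint is not https")
    if not well_known_url.endswith(SUFFIX):
        problems.append("URL does not end with " + SUFFIX)
    problems += ["missing required field: " + k for k in REQUIRED if k not in doc]
    # Discovery requires the issuer to equal the URL minus the suffix; a
    # mismatch means ID tokens would be checked against a different party.
    if "issuer" in doc and doc["issuer"] + SUFFIX != well_known_url:
        problems.append("issuer does not match the well-known URL")
    problems += [k + " is not https" for k in ENDPOINTS
                 if k in doc and urlparse(doc[k]).scheme != "https"]
    algs = doc.get("id_token_signing_alg_values_supported", [])
    if algs and "RS256" not in algs:
        problems.append("RS256 is not offered for ID token signing")
    return problems

# Constructed sample data (idp.example.com is a placeholder, not a real provider).
SAMPLE_URL = "https://idp.example.com/tenant1" + SUFFIX
SAMPLE_GOOD = {
    "issuer": "https://idp.example.com/tenant1",
    "authorization_endpoint": "https://idp.example.com/tenant1/authorize",
    "token_endpoint": "https://idp.example.com/tenant1/token",
    "jwks_uri": "https://idp.example.com/tenant1/keys",
    "response_types_supported": ["code"],
    "subject_types_supported": ["public"],
    "id_token_signing_alg_values_supported": ["RS256"],
}
# Same document with a foreign issuer, a plain-http key set and a dropped field.
SAMPLE_BAD = dict(SAMPLE_GOOD, issuer="https://login.example.net",
                  jwks_uri="http://idp.example.com/tenant1/keys")
del SAMPLE_BAD["subject_types_supported"]

if __name__ == "__main__":
    for name, doc in (("good", SAMPLE_GOOD), ("bad", SAMPLE_BAD)):
        print(name, check_discovery(SAMPLE_URL, doc))
```

The function works on an already-downloaded JSON document, so the discovery file can be fetched and reviewed separately from the check.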
For information on how to authenticate with your OpenID Connect credentials, refer to the Register Secure Print using your OpenID Connect Credentials topic.