How-to guide | HP Secure Print and OpenID Connect

HP Secure Print [1]

Overview

Every print user must first register to HP Secure Print before they can print documents. Registration is required to establish the identity of users who submit a print job. The Print Scout component of Secure Print is responsible for facilitating user registration. Secure Print supports three providers for user registration:

• Email Authentication – Print users register their email addresses with a PIN code from the HP Setup Guide.
• Active Directory – This option is suitable for organizations that use Windows® Active Directory (AD) for managing users. The Print Scout uses the user’s workstation ID to establish the identity of the user. This option does not require user registration.
• OpenID Connect – This option uses token-based OpenID Connect technology to verify print user identity. It is suitable for organizations that have an existing supported OpenID Connect provider (e.g., Microsoft® Azure AD, Google™) and well-governed, well-known badges for user access and identity.

This document covers how to set up OpenID Connect as an authentication provider for HP Secure Print.

What is OpenID Connect?

The OpenID Foundation defines OpenID Connect (OIDC) as a simple identity layer built on top of the OAuth 2.0 protocol. It allows clients to verify the identity of the end user based on the authentication performed by an identity provider, as well as to obtain basic profile information about the end user. You can get more information about OpenID Connect from this website: https://openid.net/connect/.

Benefits of OpenID Connect for HP Secure Print

• Integrates with well-known identity providers like Microsoft Azure AD, Google, etc.
• Eliminates the responsibility of storing and managing user credentials.
• Separates the user’s print identity from the workstation’s login identity. It does not matter what the user logs in as.

How OpenID works with HP Secure Print

Install Print Scout on users’ workstations

Print Scout must be installed on users’ workstations. The Print Scout installs the HP Secure Print Setup Guide, which enables user registration. During user registration, the Print Scout will obtain the user’s email address from the returned identity token. That email address then becomes the user’s identity for printing. HP Secure Print supports Print Scout installation on Windows, macOS, and Linux®. Refer to the HP Secure Print documentation for the list of supported versions.

NOTE: Linux Print Scout does not install the HP Secure Print Setup Guide. User registration starts by submitting a print job to the default Secure Printer that the Print Scout installs.


User registration workflow

1. The user starts the registration process:
   • On a Windows or Mac workstation, the user launches the HP Secure Print Setup Guide.
   • On a Linux machine, the user starts registration by sending a print job to the default Secure Printer.
2. On the screen that displays, the user clicks the Login to continue link.
3. The link redirects the authentication request to the organization’s identity provider. The user is prompted for their email address and password.
   NOTE: The screen that the user sees depends on the organization’s identity provider. The following example shows the Azure AD login screens:
4. When authentication is successful, the user sees the message: Authenticated successfully.
5. Once logged in, the user can submit subsequent print jobs without having to provide credentials again.

Release documents from a secure printer

Users authenticate themselves at the HP printer control panel by swiping their access badge (proximity card). Users’ card IDs are associated with their OpenID email accounts. HP Secure Print provides the facility to import users’ email addresses and card IDs into Secure Print.

1. A user walks up to a secure printer.
2. The user swipes their proximity card (associated with their OpenID email address).
3. Once authenticated, users can select the documents they want to release.

NOTE: HP Secure Print does not yet support card registration for OpenID. Refer to the Secure Print documentation for information on how to import users’ email addresses and their associated proximity cards.


User registration technical details

This section explains what goes on behind the scenes with OpenID user registration.

1. The user begins registration:
   • Windows and Mac: The user launches the HP Secure Print Setup Guide.
   • Linux: The user sends a print job to the default Secure Printer, which takes them to the login dialog box.
2. The user clicks the Login to continue link. The link redirects the authentication request to the identity provider (e.g., Azure AD), including the following parameters: client ID, client secret, scope, redirect URI, response type, and so on.
3. The identity provider returns the authentication page.
4. The Print Scout displays the authentication page to the user. The authentication page prompts the user for OIDC credentials.
5. The user enters their credentials. The identity provider redirects to the Secure Print Identity Service to complete the authentication process. The Secure Print Identity Service, in turn, redirects back to the Print Scout.
6. Upon successful authentication, the identity provider responds with an authorization code.
7. Using the authorization code obtained from the identity provider, the Secure Print Identity Service sends a request to exchange the authorization code for an access token.
8. The identity provider returns an access token, an ID token (with user information), and a refresh token. Secure Print stores these tokens.

The Print Scout now has access to user information (e.g., email address) from the ID token. The email address becomes the user’s identity for printing at the printer.
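The three messages of the flow above (the authentication request of step 2, the code exchange of step 7, and reading the email claim from the ID token of step 8), as an added example that is not HP’s code. The client ID, issuer and token contents are constructed placeholders; signature verification against jwks_uri is left out so the block runs offline.

```python
import base64
import json
import time
from urllib.parse import urlencode

# Constructed, hypothetical registration values; not a real HP client registration.
CLIENT_ID = "example-client-id"
REDIRECT_URI = "https://api.insights.hpondemand.com/login/connect/external/signin-openidconnect"
ISSUER = "https://login.microsoftonline.com/example-tenant/v2.0"

def build_authorization_url(authorization_endpoint, state, nonce):
    """Step 2: redirect to the IdP with the guide's default scopes (no offline_access)."""
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",  # Authorization Code Flow; Implicit is unsupported
        "redirect_uri": REDIRECT_URI,
        "scope": "openid email profile",
        "state": state,  # binds the callback to the session that started it
        "nonce": nonce,  # must come back inside the ID token
    }
    return f"{authorization_endpoint}?{urlencode(params)}"

def build_token_request(code, client_secret):
    """Step 7: form body that exchanges the short-lived authorization code for tokens."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID,
        "client_secret": client_secret,  # proves the client's identity to the IdP
    }

def email_from_id_token(id_token, expected_nonce, now=None):
    """Step 8: read the email claim that becomes the print identity. Signature
    checking against jwks_uri is omitted; iss, aud, exp and nonce are still verified."""
    payload = id_token.split(".")[1]
    claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    now = time.time() if now is None else now
    if claims.get("iss") != ISSUER or claims.get("aud") != CLIENT_ID:
        raise ValueError("ID token was not issued by our IdP for this client")
    if claims.get("exp", 0) <= now or claims.get("nonce") != expected_nonce:
        raise ValueError("ID token expired or nonce mismatch")
    return claims["email"]

def make_sample_id_token(claims):
    """Constructed, unsigned sample token (alg none) for offline demonstration only."""
    segments = [json.dumps({"alg": "none"}), json.dumps(claims)]
    encoded = [base64.urlsafe_b64encode(s.encode()).decode().rstrip("=") for s in segments]
    return ".".join(encoded) + "."
```

A production client must additionally verify the ID token signature with the keys published at the provider’s jwks_uri before trusting the email claim.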


Secure Print OpenID specifications

Authorization Flows

An authorization flow defines how an application receives tokens. OpenID Connect supports the following flows (also called grant types) for authentication:

• Authorization Code
• Implicit
• Hybrid

The Secure Print Identity Service uses the “Authorization Code Flow” by default. When the Print Scout sends an authentication request to the identity provider, the identity provider returns a short-lived authorization code to the Secure Print Identity Service. This authorization code is used by the Secure Print Identity Service to get the access token, refresh token, and identity token.

NOTE: Implicit Flow is not supported.

Scope

HP Secure Print’s Identity Service redirects the user to the identity provider with the following scopes by default.

Scope: openid
Description: Required. This indicates that the Print Scout intends to use the OpenID protocol to verify a user’s identity.
Claims supported: N/A

Scope: email
Description: Required. This scope returns the email claim, which contains the user’s email address. This email address is used to identify the user at the secure printer when releasing print jobs.
Claims supported: email

Scope: profile
Description: Optional. This can be used to personalize Secure Print. For example, you can request the user’s name to show in the printer.
Claims supported: N/A

NOTES:

• Secure Print uses the standard scopes and claims as defined in OAuth 2.0. If your identity provider uses customized scopes (e.g., your system expects mail instead of the standard email scope), contact the Operations team.
• offline_access is not part of the scope list.

OpenID Connect configuration

You’ll need to register Secure Print as an application with your OpenID identity provider and gather the following information:

• Well-Known Endpoint
• Client ID
• Client Secret

Well-Known Endpoint

HP Secure Print uses the Well-Known Endpoint (also called the “discovery document”) to retrieve metadata about your identity provider. This is used to configure user authentication sessions automatically. It returns information like the issuer name, key material, supported scopes, token endpoint URL, and so on. See the OpenID specification document (https://openid.net/specs/openid-connect-discovery-1_0.html) for more details.

Two entries in the Well-Known Endpoint metadata are of particular note: token_endpoint and jwks_uri.

NOTE: All URLs contained within the discovery metadata need to be publicly accessible.

OpenID providers publish their metadata at a well-known URL. Here are some examples:

• https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration
• https://accounts.google.com/.well-known/openid-configuration
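A pre-flight check of a discovery document against the requirements stated above (token_endpoint and jwks_uri present, every URL public and https, Authorization Code Flow advertised), as an added example that is not HP’s code. The sample document is a constructed, abridged stand-in for what a provider returns at its well-known URL; it is a dict as if already parsed from JSON.

```python
from ipaddress import ip_address
from urllib.parse import urlsplit

# Constructed, abridged sample of a provider's discovery document (real ones list many more keys).
SAMPLE_DISCOVERY = {
    "issuer": "https://login.microsoftonline.com/example-tenant/v2.0",
    "authorization_endpoint": "https://login.microsoftonline.com/example-tenant/oauth2/v2.0/authorize",
    "token_endpoint": "https://login.microsoftonline.com/example-tenant/oauth2/v2.0/token",
    "jwks_uri": "https://login.microsoftonline.com/example-tenant/discovery/v2.0/keys",
    "response_types_supported": ["code", "id_token", "code id_token"],
    "scopes_supported": ["openid", "profile", "email", "offline_access"],
}

# Keys Secure Print needs to drive the Authorization Code Flow and validate ID tokens.
REQUIRED_KEYS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")
REQUIRED_SCOPES = ("openid", "email")  # profile is optional per the scope table

def is_public_https(url):
    """True only for https URLs whose host is a routable name or a globally routable IP."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        return False
    try:
        return ip_address(parts.hostname).is_global
    except ValueError:  # not an IP literal: reject localhost and single-label names
        return parts.hostname != "localhost" and "." in parts.hostname

def check_discovery(doc):
    """Return the problems found in a parsed discovery document; [] means usable."""
    problems = []
    for key in REQUIRED_KEYS:
        if key not in doc:
            problems.append(f"missing {key}")
        elif not is_public_https(doc[key]):
            problems.append(f"{key} is not a public https URL: {doc[key]}")
    if "code" not in doc.get("response_types_supported", []):
        problems.append("provider does not advertise the Authorization Code Flow")
    # scopes_supported is optional metadata; only flag scopes when the list is present
    for scope in REQUIRED_SCOPES:
        if scope not in doc.get("scopes_supported", [scope]):
            problems.append(f"required scope {scope} not advertised")
    return problems
```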


Client ID

Client ID (also called “Application ID”) is a unique identifier assigned to your Print Scout by your identity provider.

Client Secret

Client Secret (also called “Application Password”) is the secret key that the Print Scout uses to prove its identity when requesting a token.

Redirect URI

Redirect URI (also referred to as “reply URL” or “callback URL”) defines the URI where the IdP sends responses to authentication requests. The redirect URI looks something like this:

https:///login/connect/external/signin-openidconnect

Configure Secure Print with OpenID Connect

You must first register an application for HP Secure Print on your OpenID identity provider (e.g., Google, Azure Active Directory). The process of registering an application may vary. Secure Print needs the following details from the identity provider:

• Client ID
• Client Secret
• Well-known Endpoint

You’ll also need to make sure that redirect URIs are added to the OpenID identity providers’ “Authorized redirect URIs” list.

Register Secure Print as an application in Microsoft Azure AD

Within the Azure AD tenant, you need to register the Secure Print application. The registration is a record of security details for the application in Azure AD. A registration ensures that Azure AD can identify the application and the user. In this procedure, it is assumed that you already have an Azure account with an active Azure AD tenant. Follow these steps to create an application registration within Azure AD for use with HP Secure Print:

1. On the Azure Active Directory page, under Manage, select App registrations.


2. In the App registrations pane, click the + New registration button.

3. In the Register an application window, in the Name field, enter a name that uniquely identifies the application (e.g., HP Secure Print).

4. Under Supported account types, select the option that best defines the users who will be allowed access. Typically, this will be the single directory tenant.

5. Click the Register button to complete registration.
6. Under Manage, select Authentication.
7. Click the Add a platform button.


8. Select Web from the platforms listed on the right.

9. Complete the Configure Web page as follows:
   a. In the Redirect URIs field, enter the appropriate Redirect URI for your region, as listed below:

   Redirect URI for HP Insights in the US: https://api.insights.hpondemand.com/login/connect/external/signin-openidconnect
   Redirect URI for HP Insights in the EU: https://api-eu.insights.hpondemand.com/login/connect/external/signin-openidconnect

   b. Click the box next to ID tokens to enable the ID token grant.
   c. Click the Configure button at the bottom of the page.
10. Complete the client secret information:

   a. Under Manage in the left pane, select Certificates & secrets.
   b. Click the New client secret button.
   c. On the Add a client secret page, in the Description field, add a name that identifies the client (e.g., HP Secure Print).
   d. Under Expires, select the Never option.
   e. Click the Add button to complete it.
   f. Copy the Value of the client secret; it will be used later in this procedure.


11. Click Overview in the left pane and copy the Application Client ID. This value will be used later in this procedure.

12. On the Overview page, click the Endpoints button at the top of the page.
13. Copy the value of the OpenID Connect metadata document URL. The value will be used later in this procedure.

Add the client-specific OpenID Connect settings to HP Secure Print

After you register the HP Secure Print application with your OpenID provider, you can add the client-specific OpenID Connect settings into HP Secure Print. Follow these steps to add the required settings:

1. Log in to the HP Insights web portal.
2. Navigate to the Secure > Settings tab.
3. In the User Authentication Providers section, select OpenID Connect.

4. Enter the Well-Known Endpoint. This is the OpenID Connect metadata document URL that you copied in step 13 of the last procedure.

5. Enter the Client ID. This is the application (client) ID that you copied in step 11 of the last procedure.
6. Enter the Client Secret. This is the Client Secret that you copied in step 10(f) of the last procedure.
7. Save your changes.


[1] HP Secure Print works with most network-connected printers and MFPs. On-device authentication requires HP FutureSmart firmware 4.8 or newer. Supported card readers include X3D03A (HP USB Universal Card Reader) and Y7C05A (HP HIP2 Keystroke Reader). connection required for some functionality. For more information, see hp.com/go/secureprint.


© Copyright 2020-2021 HP Development Company, L.P. The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.

Google is a trademark of Google, Inc. Linux is the registered trademark of Linus Torvalds in the U.S. and other countries. Microsoft and Windows are U.S. registered trademarks of the Microsoft group of companies. 4AA7-7552ENW, May 2021, Rev. 1