Authentication providers
Introduction
To log in to the Dispatcher Paragon Cloud Web UI, submit print jobs, release print jobs on Dispatcher Paragon Cloud terminals, use the Mobile app, etc., users must be authenticated. Use the Authentication providers tab to configure how users are authenticated.
Dispatcher Paragon Cloud supports two main authentication types:
- Local user authentication
- Authentication to external directory via
  - OIDC
  - Service account (Service access)
  - Client-side authentication
Local user authentication
This is the simplest authentication type, where users are created and managed manually in the Dispatcher Paragon Cloud server, under the built-in Local authentication provider. By default, a few users are predefined for each created account, including the admin user.
We recommend keeping the local admin user as a fallback login in the case of failure of other authentication methods, such as provider misconfiguration, access token expiration, network issues, or a service disruption on the part of your external authentication provider.
Authentication based on OpenID Connect (OIDC)
This type of authentication enables connecting to an external authentication provider through OIDC. Dispatcher Paragon Cloud supports the following authentication providers for OIDC:
- Microsoft Entra ID
- Okta
We recommend OIDC as the most secure authentication method, ideal for both Web UI and client workstations. It enhances security by redirecting users to the authentication provider's login page, ensuring that credentials are only entered at the provider's site. Furthermore, it supports multi-factor authentication (MFA) and eliminates the need to enter credentials repeatedly.
OIDC authentication doesn't allow synchronization of card IDs and PINs. If you have this information stored in your authentication provider (instead of directly in Dispatcher Paragon Cloud), you may also want to configure service access for the same provider to allow users to log in at the MFD terminal using their company cards and PINs.
Logging in using the OIDC authentication method
When an authentication provider is configured with the OIDC authentication method, users can log in via that authentication provider in two ways:
- Entering a username matching the authentication provider.
- Clicking Login via <Provider Name> on the login page.
When a user enters a username that matches the authentication provider with enabled OIDC authentication, they are redirected to the provider's login page, where they authenticate and then are redirected back to Dispatcher Paragon Cloud.
When the user clicks Login via <Provider Name>, they are also redirected to the provider's login page.
When configuring the authentication, you will be able to choose whether to show the provider-branded Login via <Provider Name> button on the login page.
User details are synchronized at every user login (via Dispatcher Paragon Cloud Web UI, Dispatcher Paragon Cloud Client, MFD terminal, or the Mobile app), except when the user logs in within the lifespan of an existing OIDC Access Token (usually 60 minutes after the first login).
Authentication based on the service access
This authentication method requires you to create a service account in your external authentication provider. This account must have permission to search and retrieve users. Dispatcher Paragon Cloud supports the following authentication providers for the service access type:
- Microsoft Entra ID
- LDAP (including Active Directory)
- Okta
If you choose this authentication method, you must enter the service account details (e.g., username and password) in the authentication provider settings in Dispatcher Paragon Cloud. Users can authenticate against the Dispatcher Paragon Cloud server using all available login types: username/password, card ID, and PIN.
We do not recommend using the service access authentication method for authentication providers that support OIDC. Set up OIDC for user login to Dispatcher Paragon Cloud Web UI and Dispatcher Paragon Cloud Client, and if you need users to log in via company cards or PINs stored in your authentication provider, set up the service access authentication in conjunction with OIDC.
Microsoft Entra ID and LDAP do not support multi-factor authentication (MFA). Also, Okta MFA support is very limited when using service access authentication only. In these cases, we strongly recommend using OIDC authentication.
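The recommendations above (keep the local admin as a fallback, prefer OIDC where the provider supports it, add service access only alongside OIDC for cards and PINs) can be checked mechanically. The following is an added example, not part of the product or its documentation; the inventory layout and finding names are hypothetical, since this page does not describe an export format.

```python
# Added example: checks a constructed provider inventory against this page's guidance.
# The record layout (name/type/oidc/service_access/cards_in_provider) is hypothetical.

OIDC_PROVIDERS = {"entra_id", "okta"}      # provider types the page lists for OIDC
MFA_UNSUPPORTED = {"entra_id", "ldap"}     # no MFA with service access (per the page)

def audit(providers, local_admin_enabled):
    """Return sorted (provider, finding) pairs for settings the page advises against."""
    findings = []
    if not local_admin_enabled:
        findings.append(("local", "NO_LOCAL_ADMIN_FALLBACK"))
    for p in providers:
        name, ptype = p["name"], p["type"]
        oidc = p.get("oidc", False)
        service = p.get("service_access", False)
        if oidc and ptype not in OIDC_PROVIDERS:
            findings.append((name, "OIDC_NOT_SUPPORTED_FOR_TYPE"))
            oidc = False  # not effective, so the checks below treat it as absent
        if service and not oidc:
            if ptype in OIDC_PROVIDERS:
                findings.append((name, "SERVICE_ACCESS_WITHOUT_OIDC"))
            if ptype in MFA_UNSUPPORTED:
                findings.append((name, "NO_MFA"))
            elif ptype == "okta":
                findings.append((name, "LIMITED_MFA"))
        # OIDC alone cannot synchronize card IDs and PINs held by the provider.
        if oidc and not service and p.get("cards_in_provider", False):
            findings.append((name, "CARDS_AND_PINS_NOT_SYNCED"))
    return sorted(findings)

# Constructed sample inventory (not real tenant data).
SAMPLE = [
    {"name": "corp-entra", "type": "entra_id", "service_access": True},
    {"name": "corp-okta", "type": "okta", "oidc": True, "cards_in_provider": True},
    {"name": "legacy-ad", "type": "ldap", "service_access": True},
    {"name": "hq-entra", "type": "entra_id", "oidc": True, "service_access": True,
     "cards_in_provider": True},
]

if __name__ == "__main__":
    for provider, finding in audit(SAMPLE, local_admin_enabled=False):
        print(f"{provider}: {finding}")
```

In the sample, only hq-entra (OIDC combined with service access) produces no findings.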
Client-side authentication
This type of authentication requires Dispatcher Paragon Cloud Client software, which uses interactive browser-based authentication provided by the external authentication provider. You don't need to create service access. MFA is fully supported.
The limitation of this authentication type is that users cannot log in at Dispatcher Paragon Cloud terminals via username and password, card IDs, or PINs stored in the authentication provider. Only local card ID and PIN logins are supported. However, users can log in via the one-time passwords (OTPs) functionality. This is useful, for example, for local card registration. You can generate OTPs manually in the Web UI or automatically by setting up triggers. See the section on My profile for more information.
Authentication configuration
The following authentication provider types are available:
- Local – Local authentication provider. It will authenticate users against the internal user database in Dispatcher Paragon Cloud.
- LDAP – LDAP authentication provider enables authentication using LDAP/LDAPS against Active Directory, Novell eDirectory, and IBM Domino.
- Microsoft Entra ID – Microsoft Entra authentication enables authentication against Microsoft Entra ID. See Microsoft Entra authentication.
- OKTA – OKTA authentication enables integration with the OKTA authentication service. See OKTA Authentication.
- Client – Client authentication is a special type of authentication performed by the Dispatcher Paragon Cloud Client on the client side. See Client authentication.
- External – Dispatcher Paragon Cloud supports external authentication providers, where an external authentication service such as External Card Repository is used to identify users from different authentication providers.
Newly created vendor or customer accounts always have the Local authentication provider added by default. It cannot be removed.
There is no limit to the number of authentication providers you can add.
You can define a priority number for every provider (a higher number means higher priority), which is used for every logical operation where the order of providers matters.
See additional instructions for configuring specific authentication providers:
- LDAP authentication
- Microsoft Entra ID authentication
- OKTA authentication
- Client authentication
- External authentication