Introduction
Step 1: Single Sign-On with Microsoft Azure
Step 2: User Provisioning
Step 3: Assigning users or groups to the directprint.io Azure AD App.
Seamless Sign On
Introduction
directprint.io integrates with Microsoft Azure to provide a printer allocation method: Azure Active Directory group-based printer allocation.
To enable Active Directory-based allocation, IT admins must complete two simple integration steps:
- Enable directprint.io clients with Azure SSO (Single Sign-On), to allow zero-touch printer allocation for your users.
- Enable Azure Active Directory to directprint.io provisioning synchronization, allowing administrators to allocate printers to Azure AD Groups.
The following guide will walk you through the process of enabling SSO and Provisioning between directprint.io and Azure.
Step 1: Single Sign-On with Microsoft Azure
Once an IT admin has completed the Single Sign-On with MS Azure integration for directprint.io, their Azure AD managed users will be able to sign in to the directprint.io client using their Microsoft AD credentials. This allows directprint.io to identify the user and their group, and ultimately allocate the required printers to them.
Prerequisites:
- An Azure AD subscription (Microsoft 365 includes the required subscription level). If you don't have a subscription, you can try directprint.io with a free Azure trial account.
- A licensed or 30-day free trial account with directprint.io.
Add directprint.io Cloud Print Administration to Azure
- Log in to your Azure Portal.
- On the left navigation pane, select the Azure Active Directory service.
- Navigate to Enterprise Applications and then select All Applications.
- To add a new application, select New application.
- In the Add from the gallery section, type directprint.io Cloud Print Administration in the search box.
- Select directprint.io Cloud Print Administration from the results panel and then add the app. Wait a few seconds while the app is added to your tenant.
Assign or create a test user
- In the Azure portal, on the directprint.io Cloud Print Administration overview page, find and select the Assign users and groups tile.
- In the top menu, click Add new user/group. Click the section where it states 'None Selected'. Find a user or group that you wish to test SSO with and click select and then assign to confirm your selection.
Configure Azure AD SSO
- In the Azure portal, on the directprint.io Cloud Print Administration application overview page, find and select the Set up single sign-on tile.
- When presented with the option, find and select the SAML tile.
- When prompted, click Yes to save the fixed identifier and reply URLs that are pre-defined.
- Locate the App federation metadata URL from the SAML Signing Certificate configuration section. Click the copy to clipboard button.
- Sign in to directprint.io. In the left-side menu, navigate to Azure AD - Azure Sync Status & settings. Paste the App Federation Metadata URL and click validate.
- Next, complete the user provisioning steps.
Step 2: User Provisioning
Introduction
Azure AD to software as a service (SaaS) application provisioning refers to automatically creating user identities and roles in the cloud (SaaS) applications that users need access to. Common scenarios include provisioning an Azure AD user into applications like Dropbox, Salesforce, ServiceNow, and now directprint.io.
Once an IT admin has successfully completed the User Provisioning steps below, they will have the ability to allocate printers to their MS Azure AD users through the directprint.io admin platform.
Pre-requisites:
- An Azure AD subscription. If you don't have a subscription, you can get a free account.
- A licensed or 30-day free trial account with directprint.io.
- All steps outlined in Single Sign-On with Microsoft Azure have been completed.
Provision user accounts
- In the Azure portal, on the directprint.io Cloud Print Administration application overview page, find and select the Provision User Accounts tile.
- From the drop-down, select Automatic provisioning. You will be presented with two input fields: Tenant URL and Secret Token.
- Navigate to the directprint.io Azure AD - Azure Sync Status & settings to access the Provisioning URL (Tenant URL) and Secret Token. Copy and paste each of these items into the associated entry fields provided by Azure.
- Once you have entered the credentials, hit the Test connection button. If the credentials are accepted you will be shown a success message in the top right-hand corner. Ensure you save the credentials by clicking the Save button and closing this screen.
- To start provisioning hit the Start button. After a few minutes, hit the Refresh button to get the latest status of the provisioning cycle. If complete, the status will show 100% complete and outline the number of Users and Groups that have been synced.
- To ensure that the synchronization has been successful with directprint.io, navigate back to the directprint.io Azure AD - Azure Sync Status & settings and hit refresh. If successful, a timestamp along with the number of users and groups will be presented.
- Now that we have Azure AD users and groups provisioned on directprint.io, we can now allocate printers to groups using the Azure AD Group printer mapping screen.
If you need more information or would like to refer to the Microsoft documentation please see the directprint.io provisioning tutorial.
Step 3: Assigning users or groups to the directprint.io Azure AD App.
To ensure end users are able to sign on successfully using the directprint.io app, you must ensure that users or groups are assigned to the directprint.io Azure AD App.
- Navigate to the users and group section in the left-hand menu.
- Click the '+ Add user/group' button then under the users and groups click 'none selected'. From the right-hand popover select the users or groups that you would like to add and then click select, followed by assign.
- If successfully assigned, you should see a success notification and the users/groups you selected in a table.
Printer Allocation for Azure AD groups
Introduction
With single sign-on and user provisioning now successfully configured, we are able to allocate printers to Azure AD groups and see the printers successfully allocated to our test user on the directprint.io client.
Printer allocation
- Navigate to the Azure AD Group printer mapping screen and click the Edit button on the group you would like to allocate printers to.
- Assign an individual printer, a room, property, or a region's worth of printers to the group.
- Hit save. The printers that you have allocated will automatically roll out to users who have performed SSO with Azure AD within 30 minutes.
Testing end-to-end
- Ensure that you have the directprint.io client for Windows or macOS installed. You can find the download links in the left-side menu under client downloads.
- Once installed, run the application. You will be presented with an empty printer list and two buttons, one for Google SSO and another for Microsoft SSO. Click Sign on with Microsoft.
- Enter the sign-on code that was generated after successfully confirming your App Federation Metadata URL (see the screenshot below). You will be redirected to a Microsoft Sign In screen.
Sign in with the credentials from the test user that you created or assigned during step 2 in the Assign or create a test user section above.
- If sign-in is successful, a success window will be presented and the Sign In with Google and Sign In with Microsoft buttons will disappear. You can further check that you have a user ID associated by clicking on settings and client info to see your userID.
- If you see an error message on the directprint.io app stating 'Unknown user or device (977)', then something has gone wrong with the user provisioning step.
- Assuming that the user you are logged in as is part of the Group that you assigned printers to, you should see a list of available printers in the 'Active Printer List'.
Other Notes
Seamless Sign On
directprint.io only allows silent sign-on with SIDs beginning with S-1-12-1 and not, for example, S-1-5-21. This is because the application is designed to exclusively recognize Azure AD (cloud-based) SIDs rather than on-premises Active Directory (AD) SIDs. Here’s a breakdown of why this limitation exists:
1. Azure AD vs. On-Premises AD SIDs:
- SIDs beginning with S-1-12-1 are Azure AD SIDs, which are specifically used for cloud-only or synchronized users managed directly within Azure Active Directory.
- SIDs starting with S-1-5-21 are traditional on-premises AD SIDs, used for users, groups, and objects managed by a local AD domain controller.
2. Cloud-Only Authentication Requirements:
- The directprint.io application relies on Azure AD Authentication Libraries or OAuth tokens that are generated and validated based on Azure AD’s user identities.
- Since Azure AD issues SIDs with S-1-12-1 for cloud-managed entities, the application is designed to look for these identifiers as a marker of a cloud-authenticated identity, ensuring it’s compliant with Azure’s authentication and authorization flows.
3. Security and Compliance:
- Many modern applications limit authentication to Azure AD identities (S-1-12-1) to support Conditional Access policies, Multi-Factor Authentication (MFA), and Identity Protection features native to Azure AD.
- By enforcing S-1-12-1 SIDs, the application can ensure that it operates in a purely cloud-authenticated context, which means it meets specific compliance and security requirements.
4. Hybrid Identity Considerations:
- For synchronized on-premises accounts that need to work with this client application, you might need to ensure that users have their Azure AD identity (S-1-12-1) recognized. This may involve hybrid identity configurations that fully utilize Azure AD identities for cloud-based authentication (e.g., through Password Hash Sync or Pass-through Authentication).
Enabling password hash sync to Azure AD may help these on-prem accounts function more seamlessly as cloud identities.
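To check in advance which accounts fall under the silent sign-on rule above, the following added example (not directprint.io's code) classifies SIDs by the two prefixes the page names and maps an S-1-12-1 SID to and from its Azure AD object ID. It assumes the standard Windows derivation, in which the four trailing numbers are the object ID's 16 GUID bytes read as little-endian 32-bit integers; the function names are hypothetical and the sample values are constructed.

```python
import struct
import uuid

# Prefixes as given in the section above.
AZURE_AD_PREFIX = "S-1-12-1-"   # Azure AD (cloud) identity
ON_PREM_PREFIX = "S-1-5-21-"    # on-premises AD domain identity

def classify_sid(sid: str) -> str:
    """Return 'azure-ad', 'on-prem-ad' or 'other' from the SID prefix."""
    s = sid.strip().upper()
    if s.startswith(AZURE_AD_PREFIX):
        return "azure-ad"
    if s.startswith(ON_PREM_PREFIX):
        return "on-prem-ad"
    return "other"

def object_id_to_sid(object_id: str) -> str:
    """Derive the S-1-12-1 SID Windows shows for an Azure AD object ID."""
    # The 16 GUID bytes in Windows byte order, read as four little-endian uint32.
    parts = struct.unpack("<4I", uuid.UUID(object_id).bytes_le)
    return AZURE_AD_PREFIX + "-".join(str(p) for p in parts)

def sid_to_object_id(sid: str) -> str:
    """Map an S-1-12-1 SID back to the Azure AD object ID (GUID)."""
    if classify_sid(sid) != "azure-ad":
        raise ValueError(f"not an Azure AD SID: {sid!r}")
    fields = sid.strip()[len(AZURE_AD_PREFIX):].split("-")
    if len(fields) != 4 or not all(f.isdigit() and int(f) <= 0xFFFFFFFF for f in fields):
        raise ValueError(f"malformed Azure AD SID: {sid!r}")
    return str(uuid.UUID(bytes_le=struct.pack("<4I", *(int(f) for f in fields))))

def silent_sign_on_report(sids):
    """Group SIDs (e.g. collected with `whoami /user`) by identity type."""
    report = {"azure-ad": [], "on-prem-ad": [], "other": []}
    for sid in sids:
        report[classify_sid(sid)].append(sid)
    return report

# Constructed sample values, not real accounts.
SAMPLE_OBJECT_ID = "00000001-0002-0003-0405-060708090a0b"
SAMPLE_SIDS = [
    object_id_to_sid(SAMPLE_OBJECT_ID),
    "S-1-5-21-1111111111-2222222222-3333333333-1001",
    "S-1-5-18",
]

if __name__ == "__main__":
    for kind, sids in silent_sign_on_report(SAMPLE_SIDS).items():
        print(kind, sids)
```

Only the SIDs reported under `azure-ad` match the prefix the page says is accepted for silent sign-on; the recovered object ID can be compared with the user's Object ID in the Azure portal.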