The main purpose of google cloud directory sync is to: (choose one option below)

The Azure AD provisioning service monitors the health of your configuration and places unhealthy apps in a "quarantine" state. If most or all of the calls made against the target system consistently fail because of an error, for example, invalid admin credentials, the provisioning job is marked as in quarantine. While in quarantine, the frequency of incremental cycles is gradually reduced to once per day. The provisioning job is removed from quarantine after all errors are fixed and the next sync cycle starts. If the provisioning job stays in quarantine for more than four weeks, the provisioning job is disabled (stops running). Learn more about applications provisioning in quarantine status within Azure AD.

Adobe’s service independently monitors sync health to verify when the error rate surpasses a certain threshold in a set amount of time. A minimum number of requests resulting in an error that meets the threshold will enact temporary quarantine, resulting in rejecting all calls and update requests from Azure AD for a time period, after which calls will be accepted again for sync retry. If error calls persist, the sync will be placed on temporary probation for an extended time period in quarantine. If Adobe initiates the quarantine, it may also lead to a subsequent quarantine with Azure due to the rejected calls, which will count toward error rates in Azure. Note that Adobe reserves the right to update the quarantine parameters based on ongoing data analytics. 

An Application Server is the primary server program responsible for providing the PaperCut user interface, storing data, and providing services to users. PaperCut uses the Application Server to manage user and account information, manage printers, calculate print costs, provide a web browser interface to administrators and end users, and much more. to Google Cloud Directory.

NOTE

Both Google Workspace and Google Cloud Identity use Google Cloud Directory to synchronize users and groups.

Environments with Google Cloud Directory as a user sync source are cost effective and quick to implement because they use Mobility Print and PaperCut NG/MF for end-to-end print requirements, including authentication, reporting, filters, and restrictions. Filters allow you to control attributes of the print settings by either forcing a particular attribute or denying a print job that does not meet specific criteria. There are two types of print filters: conversions and restrictions. Restrictions are a type of print filter that ensures jobs meet certain criteria (denying those that don't). For example, you can restrict access to one or more printers, define a maximum number of pages allowed in a single job, or allow only duplex.

All you need to do is make sure users can access your WiFi. There's no need to set up or manage a domain (for example Active Directory) or deal with the complexities inherent in managing multiple printer drivers (OSs, multiple vendors, multiple models, etc.).

If you don’t want users to access your network, Google Cloud Directory still works with Web print, Email to print and Google Cloud print.

Examples of Google Cloud Directory environments

A pure Google Cloud Directory environment

Install PaperCut NG/MF in a pure, Google Workspace-only environment.

An existing directory is going to be replaced with Google Workspace

If your current environment uses an on-premises directory, for example Active Directory (AD), and you want to replace it completely with Google Cloud Directory, then you first need to migrate all users from your current directory into Google Workspace. If you prefer, you can do this in stages over a period of time and run a hybrid environment until the full migration is finished. Keep the original directory until you’ve completed and tested the entire new Google Cloud Directory setup.

An existing directory and new Google Cloud Directory are both going to be synced with PaperCut NG/MF

You can sync PaperCut NG/MF with two user directory sources, one being a traditional directory such as Active Directory and one being a new Google Cloud Directory. You can even sync directories from two Google Cloud Directories. You set up one directory as the primary sync source and one as the secondary sync source.

IMPORTANT

If the username for an internal user is the same as a Google Cloud Directory username (without the domain part), then PaperCut NG/MF will convert the existing internal user to a standard PaperCut NG/MF user and merge the data. If there are discrepancies in the data in the existing internal account and Google Cloud Directory, the Google Cloud Directory information will override the existing internal user information.

Set up at a glance

The high-level process to set up Google Cloud Directory authentication is as follows:

  1. In Google, set up your Google Workspace or Google Cloud Identity users.

  2. If not already done, set up your printing solution.

  3. Set up LDAP access and permissions for Google Workspace or Google Cloud Identity.

    NOTE

    Depending on the size of your organization, it can take up to 24 hours for Google Cloud Directory changes to apply.

  4. Set up Google Workspace or Google Cloud Identity sync in PaperCut NG/MF:

    1. Set up the primary sync source.

    2. (Optional) Set up the secondary sync source

    3. Set up the Sync Options.

    4. Test your new print environment.

  5. (Optional) Set up Google Single sign on

    • (Optional) Manage Google Single sign on for Chromebooks

    • (Optional) Set up Google Single sign on for Admin and User web interfaces.

Step 1: Set up your Google Workspace or Google Cloud Identity users

In Google, depending on your planned environment:

  • add users into Google Workspace

  • migrate users into Google Workspace

  • create Cloud Identity user accounts.

Step 2: If not already done, set up your printing solution

If you haven't already set up a printing solution, select and set up the solution that best suits your environment:

  • Mobility Print

  • Native Print

Step 3: Set up LDAP access and permissions for Google Workspace or Google Cloud Identity

NOTE

Remember, this functionality is available for organizations using G Suite Education, G Suite Enterprise for Education, G Suite Enterprise, and Cloud Identity Premium.

IMPORTANT

Before you start, make sure you can log in to Google as a Super Admin.

  1. Log in to admin.google.com using your Super Admin user login details. The Google Admin console is displayed.

  2. Click the Apps tile. The Apps screen is displayed.

  3. Click the LDAP tile. The LDAP screen is displayed.

  4. Click ADD CLIENT.

  5. Type a name for the LDAP client connection you’ll be configuring to use for PaperCut NG/MF (for example, "PaperCut MF"), and optionally type a description; then click CONTINUE. The Access permissions screen is displayed.

  6. NOTE

    This adds PaperCut NG/MF to the list of permitted LDAP clients. You can find more information about configuring access permissions from Google.

  7. In the Verify user credentials section, select either:

    • Entire domain

    • Selected organizational units; then click Add and select the units from the list. (Use this to limit syncing to users in a subset of groups.)

  8. In the Read user information section, select either

    • Entire domain

    • Selected organizational units; then either click Copy from Verify user credentials or click Add and select the units from the list. (Use this to limit syncing to users in a subset of groups.)

    • Depending on your organizational policies, tick all boxes for System attributes, Public custom attributes, and Private custom attributes. This allows PaperCut to sync the primary number and secondary number from custom fields of your choice, stored under individual users as per your organization's schema in Google Cloud Directory. For more details, see (Optional) Add card/ID numbers.

  9. In the Read group information section, click the switch to set it to On; then click ADD LDAP CLIENT. Google displays a confirmation message and information about downloading the certificate.

  10. On the same screen, click Download certificate; then save the downloaded certificate (which is a PDF file) in a secure location.

  11. Click CONTINUE TO CLIENT DETAILS. The Settings for screen is displayed.

  12. NOTE

    The service status, displayed at the top right of the screen, is initially set to OFF.

  13. Click anywhere in the Service Status box. The Service Status screen is displayed.

  14. Select On for everyone. The service status is updated for everyone.

  15. Click SAVE.

    NOTE

    Depending on the size of your organization, it can take up to 24 hours for Google Cloud Directory changes to apply.

Step 4: Set up Google Workspace or Google Cloud Identity sync in PaperCut NG/MF

Set up the primary sync source

  1. Log in to the PaperCut NG/MF Admin interface.

  2. Select Options > User/Group Sync.

  3. In the Sync Source area, in Primary sync source, select Google Cloud Directory.

  4. If you haven’t already downloaded your LDAP certificate, follow the steps in Set up LDAP access and permissions for Google Workspace or Google Cloud Identity.

  5. Type your Google Cloud Directory Domain name, for example, melbourneschoolzones.com.

  6. Click Choose file and select the Google-generated certificate zip file that you downloaded earlier; then click Install Certificate. If installation is successful, the message ‘The certificate has been installed. It will expire on .’ is displayed.

  7. Select which users to import.

    • Import all users.

    • Import users from selected groups. This option is useful if the domain contains groups of users, where certain groups contain the users who you want to allow to print:

      1. Click Select Groups.

      2. Select the groups you want to import. You can filter the list to find the groups you’re after.

        NOTE

        • The groups’ names are displayed.

        • In Google Admin, the members of groups are listed in Advanced Group Settings. PaperCut NG/MF syncs users whose names are listed as a link. If a name is listed as an email address or is in any other format, it is not synced.

        • Nested (sub) groups are not currently supported.

  8. (Optional) Add card/ID numbers.

    Card and ID numbers are used as an alternative to usernames/passwords for authentication at software Release Stations, or at hardware terminals attached to photocopiers. The card/ID number can also be searched in the user quick-find in the User List page. For more information, see User card and ID numbers.

    In PaperCut NG/MF, you can associate one or two unique card/ID numbers with each user. These are known as the primary and secondary card/ID number. PaperCut NG/MF can automatically generate these card/ID numbers for each user.

    NOTE

    Sys Admins can use the number to search for users on the User List page. For more information refer to User card and ID numbers.

    To add card/ID numbers:

    1. In Primary number, select Auto-generate random ID. The Length field is displayed.

    2. Type the number of digits you want the card/ID number to be.

      TIP

      • Short numbers are easy for users to remember and fast to key in, but are also easier for someone to guess.

      • Make the Length long enough to generate numbers for all of your users.

    3. If you require a secondary card/ID number for each user, repeat the above two steps for Secondary number.

    OR,

    1. Alternatively, as of PaperCut NG/MF 21.1, you can sync card or ID numbers that are stored in Google Cloud Directory's user details. To do this, choose the Sync from AD/LDAP field option in step 5's drop-down menu.

    2. The system will then allow you to input a field name to sync from. The field name must be identical to the name of the custom field created on Google Cloud Directory's user schema. This field must be accessible by the certificate you created and installed previously.

    3. TIP

      Custom attribute fields that you add to users in Google Cloud Directory hold one of two types of values: Whole numbers or Text. Choose carefully. You manage these in the Google Admin dashboard under Directory > Users (menu on the left), then More > Manage custom attributes (top right).

  9. Scroll down and click Test Settings. (It is gray but you can still click on it.) PaperCut NG/MF displays progress and the results in the Testing sync settings popup.

  10. Review the results to make sure all the expected users are there, and then click Close.

  11. Click Apply.

  12. If you:

    • have a secondary sync source you need to set up, continue below.

    • do not have a secondary sync source, go to Set up the Sync Options.
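
To put numbers on the Length tip in step 8 above, the following added example (not PaperCut code) estimates how likely it is that blind guesses hit some user's card/ID number, and finds the shortest Length that meets a target. It assumes digits-only numbers that are uniformly random and unique per user; `guesses` and `max_risk` are hypothetical policy inputs, not PaperCut settings.

```python
"""Sizing the auto-generated card/ID Length (added example, not PaperCut code).

Assumptions: numbers are digits only, uniformly random and unique per user;
`guesses` and `max_risk` are hypothetical policy inputs, not PaperCut settings.
"""


def hit_probability(users, length, guesses=1, numbers_per_user=1):
    """Chance that at least one of `guesses` distinct blind guesses is a valid number."""
    space = 10 ** length
    valid = users * numbers_per_user
    if valid > space:
        raise ValueError(f"Length {length} cannot give {valid} unique numbers")
    miss = 1.0
    for i in range(min(guesses, space)):
        remaining = space - i
        # Guessing without repeats: each miss shrinks the untried space by one.
        miss *= max(remaining - valid, 0) / remaining
    return 1.0 - miss


def min_length(users, guesses, max_risk, numbers_per_user=1, ceiling=18):
    """Smallest Length that fits every user and keeps the hit chance <= max_risk."""
    for length in range(1, ceiling + 1):
        try:
            if hit_probability(users, length, guesses, numbers_per_user) <= max_risk:
                return length
        except ValueError:
            continue  # too short to hold a unique number for every user
    raise ValueError("no Length up to the ceiling meets the risk target")


def risk_table(users, guesses, lengths=range(4, 11), numbers_per_user=1):
    """(length, probability) rows for the lengths that can hold every user."""
    rows = []
    for length in lengths:
        try:
            rows.append((length, hit_probability(users, length, guesses, numbers_per_user)))
        except ValueError:
            pass
    return rows


if __name__ == "__main__":
    # Constructed scenario: 2,000 users, ten guesses before anyone notices.
    for length, p in risk_table(users=2000, guesses=10):
        print(f"Length {length:2d}: chance of a hit in 10 guesses = {p:.6f}")
    print("Shortest Length for <= 0.1% risk:", min_length(2000, 10, 0.001))
```

A Length that merely fits every user (4 digits for 2,000 users) leaves one in five numbers valid, which is why the two bullets in the tip pull in opposite directions.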

(Optional) Set up the secondary sync source

How usernames are handled when syncing from two sources

A secondary sync source allows you to import users and groups from a second independent external directory source into PaperCut NG/MF.

PaperCut NG/MF treats Google Cloud Directory usernames as globally unique—if the same username exists in both the primary and secondary sync sources, it generates only a single user. When PaperCut NG/MF merges the user’s details from both sync sources, it prioritizes the primary sync source details, and then adds any additional details that are in the secondary source.

The priority in which PaperCut NG/MF enters details into the Card/Identity Numbers and Other Details fields, for both the Primary and Secondary fields, is:

  • Priority 1—The primary sync source details.

  • Priority 2—The secondary sync source details.

  • Priority 3—The PaperCut NG/MF existing details in the Users > Other Details section.

When you sync, the source details always overwrite what’s already in PaperCut NG/MF. PaperCut NG/MF will retain the details in the fields that are not changed in the sync source. If at a later time you stop using the primary or secondary sync source, or if a Google Workspace or Google Cloud Identity field becomes blank, PaperCut NG/MF will still retain the details in the fields.
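
The merge rules above, together with the earlier IMPORTANT note about internal users, can be rehearsed on exported data before the first sync. This added example (not PaperCut code) models them to list which existing accounts would be converted or overridden; the record layout, field names and case-insensitive username matching are assumptions, and all data is constructed.

```python
"""Dry-run model of the two-source merge rules (added example, constructed data)."""

FIELDS = ("full_name", "email", "primary_card", "secondary_card")  # hypothetical names


def local_part(directory_username):
    """Directory username without the domain part (lower-casing is an assumption)."""
    return directory_username.split("@", 1)[0].strip().lower()


def merge_user(existing, primary, secondary):
    """Priority 1 primary, 2 secondary, 3 existing PaperCut details.

    A blank source field never erases what PaperCut already holds.
    """
    merged = dict(existing or {})
    for source in (secondary, primary):  # lowest priority first, primary wins last
        for field in FIELDS:
            value = (source or {}).get(field)
            if value:
                merged[field] = value
    return merged


def dry_run(papercut_users, primary, secondary=None):
    """Return {username: report} for every account the sync would touch."""
    by_source = {}
    for label, records in (("primary", primary), ("secondary", secondary or {})):
        for directory_username, details in records.items():
            by_source.setdefault(local_part(directory_username), {})[label] = details
    report = {}
    for username, sources in sorted(by_source.items()):
        existing = papercut_users.get(username)
        before = (existing or {}).get("details", {})
        after = merge_user(before, sources.get("primary"), sources.get("secondary"))
        report[username] = {
            "sources": sorted(sources),
            # Same name as an internal user: converted to a standard user and merged.
            "converts_internal_user": bool(existing and existing.get("internal")),
            "overridden": {f: (before[f], after[f]) for f in FIELDS
                           if before.get(f) and before[f] != after.get(f)},
            "result": after,
        }
    return report


# Constructed sample data: "jsmith" is an internal contractor account that
# happens to share its name with a directory user.
PAPERCUT_USERS = {
    "jsmith": {"internal": True, "details": {
        "full_name": "J. Smith (contractor)", "email": "jsmith@contractor.example",
        "primary_card": "4471"}},
    "mlee": {"internal": False, "details": {
        "full_name": "Min Lee", "email": "mlee@example.edu",
        "primary_card": "90210", "secondary_card": "7788"}},
}
PRIMARY = {
    "jsmith@example.edu": {"full_name": "Jane Smith", "email": "jsmith@example.edu",
                           "primary_card": ""},
    "mlee@example.edu": {"full_name": "Min Lee", "email": "mlee@example.edu",
                         "primary_card": "90210"},
}
SECONDARY = {
    "jsmith@legacy.example": {"full_name": "Jane A. Smith", "primary_card": "5550",
                              "secondary_card": "1234"},
}

if __name__ == "__main__":
    for name, entry in dry_run(PAPERCUT_USERS, PRIMARY, SECONDARY).items():
        flag = "INTERNAL USER WILL BE CONVERTED" if entry["converts_internal_user"] else "ok"
        print(name, entry["sources"], flag, entry["overridden"])
```

Any row flagged as a converted internal user deserves a manual check that both accounts belong to the same person, because the card/ID number and other details end up on one merged account.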

Set up the secondary sync source
  1. Set up a second LDAP connection and generate a second certificate for the second sync source. Refer to Set up LDAP access and permissions for Google Workspace or Google Cloud Identity.

  2. On the User/Group Sync page, in the Secondary Sync Source (Advanced) area, select the Enable secondary sync source check box.

  3. If the secondary sync source is a second Google Cloud Directory, go to the next step to complete the secondary sync source details.

    For all other directory sources, refer to:

    • Synchronize user and group details with Active Directory

    • Synchronize user and group details with LDAP

    • Overview of synchronizing user and group details with Azure AD

    • Synchronize user and group details with standard Azure AD

  4. Type your Google Workspace or Google Cloud Identity Domain name, for example, melbourneschoolzones.com.

  5. Click Choose file and select the LDAP certificate zip file that you downloaded earlier; then click Install certificate.

    If installation is successful, the message ‘The certificate has been installed. It will expire on .’ is displayed.

  6. Select which users to import.

    • Import all users.

    • Import users from selected groups. This option is useful if the domain contains groups of users, where certain groups contain the users who you want to allow to print:

      1. Click Select Groups.

      2. Select the groups you want to import. You can filter the list to find the groups you’re after.

      NOTE

      • The groups’ names are displayed.

      • In Google Admin, the members of groups are listed in Advanced Group Settings. PaperCut NG/MF syncs users whose names are listed as a link. If a name is listed as an email address or is in any other format, it is not synced.

      • Nested (sub) groups are not currently supported.

  7. (Optional) Add card/ID numbers.

    Card and ID numbers are used as an alternative to usernames/passwords for authentication at software Release Stations, or at hardware terminals attached to photocopiers. The card/ID number can also be searched in the user quick-find in the User List page. See User card and ID numbers for more information.

    In PaperCut NG/MF, you can associate one or two unique card/ID numbers with each user. These are known as the primary and secondary card/ID number. You can automatically generate these card/ID numbers for each user.

    To add card/ID numbers:

    1. In Primary number, select Auto-generate random ID. The Length field is displayed.

    2. Type the number of digits you want the card/ID number to be.

    3. TIP

      • Short numbers are easy for users to remember and fast to key in, but are also easier for someone to guess.

      • Make the Length long enough to generate numbers for all of your users.

    4. If you require a secondary card/ID number for each user, repeat the previous two steps for Secondary number.

OR,

  1. Alternatively, as of PaperCut NG/MF 21.1, you can sync card or ID numbers that are stored in Google Cloud Directory's user details. To do this, choose the Sync from AD/LDAP field option in step 5's drop-down menu.

  2. The system will then allow you to input a field name to sync from. The field name must be identical to the name of the custom field created on Google Cloud Directory's user schema. This field must be accessible by the certificate you created and installed previously.

  3. TIP

    Custom attribute fields that you add to users in Google Cloud Directory hold one of two types of values: Whole numbers or Text. Choose carefully. You manage these in the Google Admin dashboard under Directory > Users (menu on the left), then More > Manage custom attributes (top right).

NOTE

Sys Admins can use the number to search for users on the User List page. For more information refer to User card and ID numbers.

  • Scroll down and click Test Settings. PaperCut NG/MF displays the progress of the test and the results in the Testing sync settings popup.

  • Review the results to make sure all the expected users are there; then click Close.

  • Click Apply.

    Set up the Sync Options

    Whereas the sync source(s) you specified above determine where PaperCut NG/MF imports users from, the Sync Options section lets you make choices about what happens during the sync itself.

    The options you select in this section:

    • affect only users added via the synchronization source

    • do not delete users in the PaperCut NG/MF database during the overnight automatic synchronizing

    • do not delete users added via Guest and anonymous user management. To delete users that do not exist in the Sync source, you must manually synchronize (click Synchronize Now).

    1. In the Sync Options area, select what’s appropriate for your environment:

      • Update users' full-name, email, department and office when synchronizing

        If a user's details in PaperCut NG/MF do not match those in the synchronization source, update the details in PaperCut NG/MF with the details from the sync source.

      • Import new users and update details overnight

        Synchronization automatically occurs overnight at approximately 12:55am. PaperCut NG/MF imports all new and changed user details. No users are deleted during this sync.

    2. Click Test Settings.

      A Testing sync settings popup is displayed, the test runs, and the details of users and user groups that will be modified (updated, added, or deleted) when the actual sync operation runs are displayed. By default a maximum of 100 users are displayed.

      TIP

      You can configure the maximum number of deletion candidates that are displayed in the Testing sync settings popup. Use the config key user-source.test-sync.max-pending-deletion-entries-displayed. (A config key stores information about a specific advanced setting in PaperCut. Config keys are editable by an administrator in the Config Editor.)

      For information about setting config keys, see Using the Advanced Config Editor.

    3. Confirm that the number of users being added and, optionally, being deleted, matches your expectations.

    4. Click Apply.

    5. Click Synchronise Now. PaperCut NG/MF syncs with Google Cloud Directory. You can view the users in the User List.

    6. After the sync, in Users > User List, select a username. The Details screen is displayed.

    7. In the Other Details section, check and confirm the Card/Identity Numbers fields show the correct details.

    Test your new print environment

    Test the end-to-end printing experience on all interfaces to make sure it matches what you intended.

    TIP

    Work with real users and get their feedback on their experience.

    If you are not going to set up Google Single sign on, then that’s it!

    Step 5: (Optional) Set up Google Single sign on

    (Optional) Manage Google Single sign on for Chromebooks

    By default there will be a Sign in with Google button on Chromebooks so users do not have to re-enter their credentials to log in to PaperCut NG/MF.

    If in your environment there are user accounts that do not have Gmail email addresses or Gmail accounts, you might want to consider turning off Single sign on. If you don’t, these users might click the Sign in with Google button and not be logged in because their account won’t be registered in PaperCut NG/MF.

    To turn off Single sign on for Chromebooks:

    1. Select Options > Mobile/BYOD.

    2. In the Mobility print section, set up Mobility Print.

    3. Click Apply.

    (Optional) Set up Google Single sign on for Admin and User web interfaces

    Google Workspace users can always log in to Chromebooks or PaperCut NG/MF Admin or User web interfaces by typing their Google credentials in the Username and Password fields.

    However, if you set up Google Single sign on, users who have already logged in to their Chromebook or Google account in a browser will not need to re-enter their credentials to log in to PaperCut NG/MF. The Username and Password fields will still show on the login screen, but there will also be a Sign in with Google button for users to click instead.

    Create the client secret JSON file in Google Workspace
    1. Ensure your PaperCut NG/MF system environment is ready before you start to set up users to login to PaperCut NG/MF using their Google credentials.

      1. Ensure your organization owns a top-level, public fully qualified domain name (FQDN), for example:

        • schoolname.region.edu

        • campusname.school.region.edu

      2. We highly recommend you use a secure browser connection, so ensure that:

        • user and admin access to the system is restricted to be only via SSL. Secure Sockets Layer (SSL) is the standard security technology for establishing an encrypted link between a web server and a browser. This link ensures that all data passed between the web server and browsers remain private and integral. The protocol uses a third party, a Certificate Authority (CA), to identify one or both ends of the transaction. To be able to create an SSL connection, a web server requires an SSL certificate. When you choose to activate SSL on your web server, you will be prompted to complete a number of questions about the identity of your website and your company. Your web server then creates two cryptographic keys: a Private Key and a Public Key.

        • HSTS is turned on. HTTP Strict Transport Security (HSTS) is a web security policy mechanism which helps to protect websites against protocol downgrade attacks and cookie hijacking. It allows web servers to declare that web browsers should only interact with them using secure HTTPS connections, and never via the insecure HTTP protocol.

        Refer to Forcing use of HTTPS/SSL only.

    2. Log in to the Google Workspace Developer’s API console. The Google APIs Dashboard screen is displayed.

    3. In the title bar, next to the Google APIs heading, click the dropdown list showing a project name. The Select from popup is displayed.

    4. Do one of the following:

      • If a project is already set up for synchronization with PaperCut NG/MF, click the project’s name. The API Dashboard is displayed with the project name in the title bar. Go to the next step. (An Application Programming Interface (API) is a set of routines, protocols, and tools for building software and applications. An API expresses a software component in terms of its operations, inputs, outputs, and underlying types, defining functionalities that are independent of their respective implementations, which allows definitions and implementations to vary without compromising the interface.)

      • If a project is not set up yet, create a new project:

        1. At the top right of the popup, click NEW PROJECT. The New Project screen is displayed.

        2. In the Project name field, type a name that identifies the project you’ll use for PaperCut NG/MF, for example, PaperCut NG/MF Authorise.

        3. Click Create. The Credentials screen is displayed.

        4. In the title bar, next to the Google APIs heading, click the project name drop-down. The Select from popup is displayed.

        5. Click the new project’s name. The Google APIs main screen is displayed with the project name in the title bar, and the APIs Credentials popup is displayed.

    5. Select the OAuth consent screen tab. The OAuth consent screen is displayed.

    6. Type the details you want users to see when users log in to PaperCut NG/MF Admin or the User Web interface.

      NOTE

      If the PaperCut NG/MF Application Server isn't available on the internet, the Homepage URL will fail to validate on the OAuth consent screen and the message "Request contains an invalid argument" is displayed.

    7. Click Save. The Credentials screen is displayed.

    8. Click Create credentials; then select OAuth client ID.

      The Create OAuth client ID screen is displayed.

    9. Select Web application. Additional fields are displayed.

    10. In the Name field, type the name for your OAuth Client ID.

      NOTE

      This is the name that PaperCut NG/MF will use to identify itself to Google when authorizing/authenticating users. A good example here is PaperCut MF OAuth Client ID.

    11. In the Authorised redirect URIs field, type the full URI of your PaperCut NG/MF Application Server, for example:

      https://papercut.schoolname.region.edu:9192/api/oauth2callback

      NOTE

      Unlike the Authorised JavaScript origins URI, this field requires the full URI. Make sure you include the trailing path.

    12. Click Create. The OAuth client popup displays your client ID and client secret. You will use these credentials when you set up the sync source in PaperCut NG/MF.

    13. Click OK. The Credentials screen is displayed. No need to save the credentials from here because you’ll download them in a few steps.

    14. Click the download icon to download the credentials as a JSON file.

      NOTE

      The file is called client_secret_.JSON. This is the client secret JSON file you need to be able to authorize PaperCut NG/MF to sync with Google.

    15. Close the browser window.
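
Before uploading the client secret JSON file, the requirements from steps 1, 9 and 11 (FQDN, HTTPS, Web application type, full redirect URI with its path) and the exact-match rule for the Admin interface URI can be checked mechanically. This is an added example, not PaperCut or Google code; it assumes the `web`, `redirect_uris` and `javascript_origins` keys of the downloaded file and takes the callback path from the example URI in step 11. The sample files are constructed.

```python
"""Lint a Google OAuth client secret file for the setup above (added example)."""
import ipaddress
import json
from urllib.parse import urlsplit

CALLBACK_PATH = "/api/oauth2callback"  # path from the redirect URI example in step 11


def origin(url):
    """scheme://host[:port], the part of a URL that a JavaScript origin consists of."""
    parts = urlsplit(url)
    port = f":{parts.port}" if parts.port else ""
    return f"{parts.scheme}://{parts.hostname}{port}"


def is_fqdn(host):
    """True for dotted DNS names; False for IP literals, 'localhost', single labels."""
    if not host or "." not in host:
        return False
    try:
        ipaddress.ip_address(host)
        return False
    except ValueError:
        return True


def lint_client_secret(json_text, admin_url):
    """Return a list of findings; an empty list means every check passed."""
    doc = json.loads(json_text)
    if "web" not in doc:
        return [f"client type is {sorted(doc)}, but step 9 selects Web application"]
    web, findings = doc["web"], []
    redirects = web.get("redirect_uris", [])
    if not redirects:
        findings.append("no authorised redirect URI registered")
    for uri in redirects:
        parts = urlsplit(uri)
        if parts.scheme != "https":
            findings.append(f"redirect URI is not HTTPS: {uri}")
        if not is_fqdn(parts.hostname):
            findings.append(f"redirect URI host is not an FQDN: {uri}")
        if parts.path != CALLBACK_PATH:
            findings.append(f"redirect URI lacks the {CALLBACK_PATH} path: {uri}")
    # The Admin interface URI must match a registered JavaScript origin exactly.
    if origin(admin_url) not in web.get("javascript_origins", []):
        findings.append(f"admin origin {origin(admin_url)} is not a registered origin")
    return findings


# Constructed sample files; client_id and client_secret values are placeholders.
GOOD = json.dumps({"web": {
    "client_id": "PLACEHOLDER.apps.googleusercontent.com",
    "client_secret": "PLACEHOLDER",
    "redirect_uris": ["https://papercut.schoolname.region.edu:9192/api/oauth2callback"],
    "javascript_origins": ["https://papercut.schoolname.region.edu:9192"]}})
BAD = json.dumps({"web": {
    "client_id": "PLACEHOLDER.apps.googleusercontent.com",
    "client_secret": "PLACEHOLDER",
    "redirect_uris": ["http://10.0.0.5:9192/"],
    "javascript_origins": ["https://papercut.schoolname.region.edu:9192"]}})

if __name__ == "__main__":
    print(lint_client_secret(GOOD, "https://papercut.schoolname.region.edu:9192/admin"))
    for finding in lint_client_secret(BAD, "https://papercut.schoolname.region.edu/admin"):
        print("FINDING:", finding)
```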

    Set up Google Single sign on (Sign in with Google) in PaperCut NG/MF

    This part of the interface is for setting up Sign in with Google on the PaperCut NG/MF Admin web interface and User Web interface. You set up Single sign on for Mobility Print via the link at the bottom of this section.

    1. Sign in to PaperCut NG/MF.

      NOTE

      Ensure the URI for the Admin interface you log in to is exactly the same as the URI you entered when setting up Google Workspace (on the Create OAuth client ID screen, in the Authorized JavaScript origins field).

      Which two of the following are considered authentication best practices?

      Below are the six best practices to secure the authentication process:

      • Prioritize passwordless authentication.
      • Implement federated login and single sign-on (SSO).
      • Harden authentication functionality.
      • Protect against automated attacks.
      • Harden password-based authentication.
      • Do not reinvent authentication methods.

      Which one of the following statements is true when discussing the SSL capabilities of Google Cloud Load Balancer?

      The Google-managed profile, COMPATIBLE, allows clients which support out-of-date SSL features.

      What is Google Cloud's principle for granting access to users select the correct answer?

      IAM lets you grant granular access to specific Google Cloud resources and helps prevent access to other resources. IAM lets you adopt the security principle of least privilege, which states that nobody should have more permissions than they actually need.

      What is Active Directory in Google?

      Active Directory treats users as resources, so user management and authentication are tied to domains. In contrast, Google Cloud doesn't manage users in an organization, except for service accounts. Instead, Google Cloud relies on Cloud Identity or Google Workspace to manage users.