Installing privacyIDEA for 2FA at the UCS management console

privacyidea

#1

Hey Forum,
I am struggling to integrate privacyIDEA for 2FA at the UCS management console login. What I have successfully done so far:

  1. installed privacyIDEA at the UCS master
  2. logged in as Administrator@admin
  3. created a token for Administrator
  4. used Google Authenticator to test the token: all good
  5. created rule with “passthru” as in the netknights tutorial

The next step would have been to install privacyIDEA PAM to integrate 2FA into login screen, but there is no such app in the app store.
Has the installation been changed? Where can I find suitable documentation for it?

BR
fk

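The steps above end with a working token and a "passthru" policy, and the missing piece is whatever asks privacyIDEA whether a login is allowed. Any integration (the PAM module or a custom login hook) ultimately makes that one call, so here is an added example of a minimal fail-closed client for privacyIDEA's `/validate/check` endpoint. It is not code from the original post or from the privacyIDEA project; the base URL, realm, CA file and the sample JSON bodies are constructed assumptions. With the passthru policy in place, a user who has no token yet is checked by the server against the user store, so the client sees the same `result.value` either way.

```python
import json
import ssl
import urllib.error
import urllib.parse
import urllib.request
from typing import Optional, Tuple


def parse_validate_response(body: bytes) -> Tuple[bool, str]:
    """Interpret a /validate/check JSON body, failing closed on anything odd.

    privacyIDEA answers with {"result": {"status": bool, "value": bool}, "detail": {...}}.
    "status" says whether the request itself was processed; "value" says whether the
    credentials were accepted. Only status == true AND value == true means "allow".
    """
    try:
        doc = json.loads(body)
    except ValueError:
        return False, "malformed JSON from server"
    result = doc.get("result")
    if not isinstance(result, dict) or result.get("status") is not True:
        # Request-level error (unknown user/realm, bad request): never treat as success.
        err = result.get("error", {}) if isinstance(result, dict) else {}
        return False, "request error: %s" % err.get("message", "unknown")
    detail = doc.get("detail") or {}
    return result.get("value") is True, detail.get("message", "")


def check_otp(base_url: str, user: str, password: str, realm: Optional[str] = None,
              cafile: Optional[str] = None, timeout: float = 5.0) -> Tuple[bool, str]:
    """POST user/pass to <base_url>/validate/check and return (allowed, message).

    `password` is PIN+OTP (or just the LDAP password when passthru applies).
    Network errors and timeouts deny the login rather than letting it through.
    """
    form = {"user": user, "pass": password}
    if realm:
        form["realm"] = realm
    # Verify the server certificate; cafile is a hypothetical path to the UCS CA.
    ctx = ssl.create_default_context(cafile=cafile)
    req = urllib.request.Request(
        base_url.rstrip("/") + "/validate/check",
        data=urllib.parse.urlencode(form).encode(),
        method="POST",
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            return parse_validate_response(resp.read())
    except urllib.error.HTTPError as e:
        # privacyIDEA reports request errors with a non-200 code and a JSON body.
        return parse_validate_response(e.read())
    except (urllib.error.URLError, OSError) as e:
        return False, "privacyIDEA unreachable: %s" % e


# Constructed sample bodies in the shape privacyIDEA returns (not captured from a server).
SAMPLE_OK = (b'{"jsonrpc":"2.0","result":{"status":true,"value":true},'
             b'"detail":{"message":"matching 1 tokens","serial":"TOTP0001"},"id":1}')
SAMPLE_WRONG = (b'{"jsonrpc":"2.0","result":{"status":true,"value":false},'
                b'"detail":{"message":"wrong otp pin"},"id":1}')
SAMPLE_ERR = (b'{"jsonrpc":"2.0","result":{"status":false,'
              b'"error":{"code":904,"message":"user not found in realm"}},"id":1}')

if __name__ == "__main__":
    for name, body in (("ok", SAMPLE_OK), ("wrong", SAMPLE_WRONG), ("err", SAMPLE_ERR)):
        print(name, parse_validate_response(body))
    # Real call would be: check_otp("https://privacyidea.example.test", "Administrator",
    #                                "1234" + "567890", realm="admin", cafile="/path/to/ca.pem")
```

The point of the parser is the three-way distinction: `value: false` is a wrong OTP, `status: false` is a broken request, and anything unparseable or unreachable is a denial as well. A login hook that only checks for HTTP 200 would accept the error case.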

#2

I’m having the same problem. PrivacyIDEA SAML is available only for UCS 4.3, therefore the app doesn’t appear on 4.4 installations. I don’t know what to do since there’s almost no documentation online.


#3

The problem is, the SAML IdP on UCS is rather outdated. It is no fun packaging privacyIDEA SAML for UCS, since we need to keep backward compatibility for an old version of simpleSAMLphp only due to UCS.
I would recommend setting up your SAML IdP on another machine.
Or use the PAM module from the source.


#4

Thanks for your reply.

Is it possible to explain to me, step by step, how to configure PrivacyIdea on UCS to force all users to set it up with OTP? I’m really struggling to follow the documentation and get something that works.

Would it be possible to create a new package, “PrivacyIDEA SAML for UCS 4.4”? So it is a separate package, but it will work on the latest versions of UCS and, more importantly, allow users to use 2FA when logging in with SAML.

What do you think?


#5

So, this basically means that privacyIDEA for UCS is nearly dead!? At least there is no real use in having it in the AppStore anymore when only the backend is functional, right?


#6

The problem is that to my personal (Cornelius’) impression, univention itself never put much effort into actively supporting 2FA at the UMC. So there is the “workaround” of doing SSO with 2FA to log in to the UMC. In a real world scenario you would not run the SAML IdP on the Domain Controller, since the IdP usually would be exposed, but you do not want to expose your domain controller.
So the whole concept imho is broken.

You can still run privacyIDEA as a service on a UCS member server, which makes absolute sense.
But as long as univention themselves do not actively push 2FA for their own systems, it is no fun for us to do so.


#7

As I stumbled across this post, here is some background information about the decisions made in UCS:

  1. simplesamlphp version: We are using the Debian stable version. We prefer to do that with all packages in UCS to keep the compatibility with Debian stable, profit from the joint work on security patches with the Debian team and meet the expectations both of users and developers. We use a newer version for some components (like samba) in case it brings major improvements. For the currently connected SAML service providers no newer version of simplesamlphp is needed.

  2. SAML IDP on domain controllers vs. other servers: In an intranet environment Domain Controller server instances are the main systems for all authentication services; for that reason, for most UCS installations they are the “natural place” to install a SAML IDP. While integrating SAML in UCS we also discussed implementing the needed integration to host the IDP on other server roles, including member servers without LDAP / Kerberos etc… We voted against it, as we saw no real improvement in security over a well configured reverse proxy. In UCS a SAML authentication can be used to authorize users to access the UMC and LDAP on full administrative level, and a SAML IDP needs access to LDAP and/or kerberos as part of the service. So if one has control over the SAML IDP, he/she has control over the whole UCS domain, regardless of the other services hosted on the SAML IDP server instance.

  3. UCS and two factor authentication: Since UCS 4.3, UCS web services are designed to work with SAML as the primary authentication method. Any other method is a fallback, mainly to allow a proper configuration of DNS and SSL certificates to get SAML working. So integrating two factor authentication in SAML should be the main task to secure access to the UCS management system - and makes even more sense in case the SAML IDP can be accessed from the internet.

Hope this gives some insight into why the current implementation is as it is now.

Best Regards
Ingo (Univention Product Management)