Installation privacyIDEA for 2FA at UCS management console

fk22 · April 3, 2019, 8:03am

Hey Forum,
I am struggling integrating privacyIDEA for 2FA at the UCS management console login. What I have sucessfully done so far:

installed privacyIDEA at the UCS master
logged in as Administrator@admin
create token for Administrator
used Google Authenticator to test the token: all good
created rule with “passthru” as in the netknights tutorial

The next step would have been to install privacyIDEA PAM to integrate 2FA into login screen, but there is no such app in the app store.
Has the installation been changed? Where can I find suitable documentation for it?

BR
fk

Zegorax · April 6, 2019, 8:46am

I’m having the same problem. PrivacyIDEA SAML is available only for UCS 4.3, therefore the app doesn’t appear on 4.4 installations. I don’t know what to do since there’s near 0 documentation online.

privacyidea · April 18, 2019, 6:27am

The problem is, the SAML IdP on UCS is rather outdated. It is no fun packaging privacyIDEA SAML for UCS, since we need to keep backward compatibility for an old version of simpleSAMLphp only due to UCS.
I would recommend to set up your SAML IdP on another machine.
Or use the PAM module from the source.

Zegorax · April 18, 2019, 6:48am

Thanks for your reply.

Is it possible to explain me step by step how to configure PrivacyIdea on UCS to force all users to set it up with OTP ? I’m really struggling following the documentation and having something that works.

Would it be possible to create a new package, “PrivacyIDEA SAML for UCS 4.4” ? So it is a separated package, but it will work on latest versions of UCS, and more importantly allowing users to use 2FA when logging in with SAML.

What do you think ?

fk22 · April 27, 2019, 9:12am

So, this basically means that privacyIDEA for UCS is nearly dead!? At least there is no real use in having it in the AppStore anymore when only the backend is functional, right?

privacyidea · April 27, 2019, 10:09am

The problem is that to my personal (Cornelius’) impression, univention itself never put much effort in to actively support 2FA at the UMC. So there is the “workaround” of doing SSO with 2FA to login to the UMC. In a real world scenario you would not run the SAML IdP on the Domain Controller, since the IdP usually would be exposed, but you do not want to expose your domain controller.
So the whole concept imho is broken.

You can still run privacyIDEA as a service on a UCS member server, which makes absolutely sense.
But as long as univention themselve do not actively push 2FA for their own systems, it is no fun for us to do so.

Steuwer · May 7, 2019, 10:19am

As I stumbled across this post some background information about the decisions made in UCS:

simplesamlphp version: We are using the Debian stable version. We prefer to do that with all packages in UCS to keep the compatibility with Debian stable, prefer from the joint work on security patches with the Debian team and meet the expectations both of users and developers. We use newer version for some components (like samba) in case it brings major improvements. For the currently connected SAML service provides no newer version of simplesamlphp is needed.
SAML IDP on domain controllers vs. other servers: In an intranet environment Domain Controller server instances are the main systems for all authentication services, for that reason for most UCS installations they are the “natural place” to install a SAML IDP. While integrating SAML in UCS we also discussed to implement the needed integration to host the IDP on other server roles, including memberservers without LDAP / Kerberos etc… We voted against it, as we saw no real improvement in the security over a well configured reverse proxy. In UCS a SAML authentication can be used to authorize users to access the UMC and LDAP on full administrative level, and a SAML IDP needs access to LDAP and/or kerberos as part of the service. So if one has control over the SAML IDP, he/she has control over the whole UCS domain, regardless of the other services hosted on the SAML IDP server instance.
UCS and two factor authentication: Since UCS 4.3, UCS web services are designed to work with SAML as primary authentication method. Any other method is a fallback, mainly to allow a proper configuration of DNS and SSL certificates to get SAML working. So integrating two factor authentication in SAML should be the main task the secure the access to the UCS management system - and makes even more sense in case the SAML IDP can be accessed from the internet.

Hope this gives some insights about the “why” the current implementation is as it is now.

Best Regards
Ingo (Univention Product Management)

eivindrkvandal · December 24, 2019, 10:49pm

Im sure that there is something I do not get… but, I installed he VM-ware installation of owncloud, get it running, and all is great! no problem to get the 2factor log-in to work etc. but, then I discover that my univention management console, with a lot of sensitive information is available also, online, with no other protection than username/password. and a lot more fuzz to activate any 2factor, compared to e.g owncloud. why is that so difficult? is there any easy guide how to do that? and last but not least, can I deactivate the management console form being published to the web somehow? thanks

tand · August 28, 2021, 1:25pm

There was a lot of time from last post. Is there a way to enable 2FA on Univention Portal Login page? Using version 4.4.