PrivacyIdea with UCS v5

dfwtx · May 12, 2022, 6:39pm

I am trying to get PrivacyIdea working with UCS v5. I have it working in UCS v4.

I have the PrivacyIDEA server up and I can validate the PIN/TOKEN in the interface for the UCS user.

But it seems UCS is not using the HOTP PIN/TOKEN, the normal password from UCS works.

I have the ucr entries set:
ucr set privacyidea/saml/enable=True
ucr set privacyidea/saml/url=https://your.domain.controller.net/privacyidea
ucr set privacyidea/saml/verifyhost=False
ucr set privacyidea/saml/verifypeer=False

I don’t see the place to modify the policies for this anymore. Before it showed up under the users in v4. Has this changed to enable OTP.

Is there a way to enable just the PIN and OTP for some users?

Thanks in advance!

friedrich · May 13, 2022, 7:04am

Hello @dfwtx,

first, I have to make some assumptions/ask questions:

you have the privacyIDEA server installed on the same machine as your DC primary (the hostname sounds like this). I recommend putting the privacyIDEA server on a dedicated host
which version does your privacyIDEA server have?
which version does the privacyIDEA SAML app has? Actual is 2.1.2
are privacyidea/saml/enable and pricayidea/saml/realm set to the right values?

With this, we can investigate further.

dfwtx · May 13, 2022, 2:13pm

Thanks for the reply Friedrich.

I have it running on a dedicated host.
PrivacyIDEA version 2.23.4
SAML app is 2.1.2 latest from store on UCS v5

ucr set privacyidea/saml/url=https://ip-of-privacyIDEA ( i don’t have on the same box)
ucr set privacyidea/saml/enable=authsource
ucr set privacyidea/saml/realm=USS
ucr set privacyidea/saml/verifypeer=False
ucr set privacyidea/saml/verifyhost=False

Where does it log failures or issues for the saml attempts?
Does the ucr set options require a reboot to apply? I did try a reboot but still didn’t work.

In privacyidea audit I see this it do GET token and says ok for sig_check and missing_line

friedrich · May 13, 2022, 3:14pm

Hi @dfwtx ,

thanks for the infos, general setup sounds good.

For further investigation, I recommend a deeper look in the SAML logs:

ucr set saml/idp/log/level=DEBUG \
   saml/idp/log/level=TRUE
systemctl restart univention-saml.service
tail -f /var/log/syslog
tail -f /var/log/simplesamlphp/*

set this back asap to avoid logspam (depending on no. of logins, log rotation)

More info about the details of the auth source filter can be found here: privacyidea-ucs-saml/privacyidea.md at master · NetKnights-GmbH/privacyidea-ucs-saml · GitHub

friedrich · May 13, 2022, 3:20pm

Edit: There was an important update for the privacyIDEA app:

github.com

privacyidea/privacyidea/blob/v3.7.1/Changelog

Version 3.7.1, 2022-05-11

  Fixes:
  * Fix WebUI login with HOTP/TOTP challenge-response token (#3038)
  * Improve error handling for "/ttype" endpoint (#3090)
  * Removed redundant "user" option from offline token assignment (#3077)
  * Fix creation of download-links for certificates due to HTML sanitizer (#3088)
  * Fix policy descriptions containing HTML-like tags (#3118)
  * Add documentation for the CustomUserAttributeHandler (#3075)
  * Send Push message as notification and data to FireBase (#3117)
  * Fix translation issue in PSKC-import (#3126)
  * Add App-PIN policy for Push token (#3116)

Version 3.7, 2022-03-31

  Features:
  * Allow Offline Token without assigning to a specific IP address (#2926)
  * The enrollment of HOTP, TOTP, SMS and Email Tokens can be verified
    by entering a valid OTP value after the enrollment. (#2441)
  * Security: Add security module to decrypt encryption keys using HSM (#3003)

This file has been truncated. show original

dfwtx · May 13, 2022, 3:39pm

I don’t see any logs being created in /var/log/simplesamlphp/*

I am upgrading to 3.7.1 and will see if that resolves the issue.

dfwtx · May 13, 2022, 3:47pm

Ok, upgraded to 3.7.1. I enabled debug again just to make sure. I still don’t see any logs in simplesamlphp directory. It still is not working for windows 10 user logging in.

dfwtx · May 17, 2022, 2:55pm

UCS acts like it is not using the authsource. The variables are defined. Why is it not creating any log files? This is a new install not an upgrade. Any ideas where to check? I can login using the password from UCS, but not the PIN+OTP defined in PrivacyIDEA. The users show up in PrivacyIDEA and I can test the token there and it works.

dfwtx · June 1, 2022, 6:33am

Any update on this? Any ideas why it doesn/t work as the authsource?

Has anyone been able to get PrivacyIDEA working as an authsource for UCS v5?

friedrich · June 3, 2022, 9:10am

Hi @dfwtx there are updates, indeed! (+ sorry for the late reply)

Logs: /var/log/simplesamlphp/* stays empty, but syslog should tell you everything
Regarding the authsource: there was a bug in the privacyIDEA SAML plugin! Just got fixed upstream: enabledKey & enabledPath missing in 97saml20-idp-hosted.php · Issue #21 · NetKnights-GmbH/privacyidea-ucs-saml · GitHub

So please get the new update for the privacyIDEA app (I expect it next week) and make sure to have the variables privacyidea/saml/enabledPath and privacyidea/saml/enabledKey set

Regarding:

I don’t see the place to modify the policies for this anymore. Before it showed up under the users in v4. Has this changed to enable OTP.

Is there a way to enable just the PIN and OTP for some users?

This has to be done on the PrivacyIDEA side: 7. Policies — privacyIDEA 3.10dev1 documentation

dfwtx · June 3, 2022, 1:50pm

That is good news.
I see this. What should the enablePath value be? It seems enableKey should default to enabled if not set.
/**
* Other authproc filters can disable 2FA if you want to.
* If privacyIDEA should listen to the setting, you have to enter the state’s path and key.
* The value of this key will be set by a previous auth proc filter.
* privacyIDEA will only be disabled, if the value of the key is set to false,
* in any other situation (e.g. the key is not set or does not exist), privacyIDEA will be enabled.
*/
‘enabledPath’ => ‘’,
‘enabledKey’ => ‘’,

Thanks again for your help.

friedrich · June 7, 2022, 7:45am

Per standard, the values are set like this:

ucr set privacyidea/saml/enabledpath="privacyIDEA" (should match privacyidea/saml/setpath)
ucr set privacyidea/saml/enabledkey="enabled" (as you mentioned, with this you can turn the 2fa query on/off)

Furthermore, it could be necessary to do the following after changing these values:

ucr commit /etc/simplesamlphp/metadata/saml20-idp-hosted.php

Then you should have enabledKey and enabledPath set properly in this file.

dfwtx · June 8, 2022, 6:34pm

I updated and tested. I only saw an update to the simplesaml code not PrivacyIdea. Has the patch been pushed yet?

I tested and it still didn’t work for me. But I am not sure what the path should be for: privacyidea/saml/setpath?
Where do I find the correct path?

Here are my current settings:
ucr dump | grep privacyidea
appcenter/apps/privacyidea-saml/status: installed
appcenter/apps/privacyidea-saml/ucs: 5.0
appcenter/apps/privacyidea-saml/version: 2.1.2
appcenter/prudence/docker/privacyidea-saml: yes
privacyidea/saml/enable: authsource
privacyidea/saml/enabledkey: enabled
privacyidea/saml/enabledpath: privacyIDEA
privacyidea/saml/realm: domain
privacyidea/saml/uidkey: uid
privacyidea/saml/url: https://10.0.0.2/
privacyidea/saml/verifyhost: False
privacyidea/saml/verifypeer: False
repository/online/component/privacyidea-saml_20220323150857/description: privacyIDEA SAML
repository/online/component/privacyidea-saml_20220323150857/localmirror: false
repository/online/component/privacyidea-saml_20220323150857/server: https://appcenter.software-univention.de
repository/online/component/privacyidea-saml_20220323150857/version: current
repository/online/component/privacyidea-saml_20220323150857: enabled

friedrich · June 15, 2022, 3:35pm

Afaik, there is still no new release, yet. Please ask the NetKnights when the new release is planned: Kontakt - NetKnights - IT-Sicherheit ~ Zwei-Faktor-Authentisierung ~ Verschlüsselung

Regarding simpleSAML-Code: yes, this should be right, because the privacyIDEA login module integrates into the simplesamlphp code.

The variable privacyidea/saml/setpath is only needed if you use the authProc filter, then it should be set to privacyIDEA. But as you use authSource it’s not necessary.

Do you see any valuable information in the logs?

friedrich · June 15, 2022, 3:36pm

Related link: PrivacyIDEA with UCS v5 - Question - privacyIDEA community

Discussion should go on there to avoid cross-posting.
(would have been nice to mention this earlier)