PrivacyIdea with UCS v5

I am trying to get PrivacyIdea working with UCS v5. I have it working in UCS v4.

I have the PrivacyIDEA server up and I can validate the PIN/TOKEN in the interface for the UCS user.

But it seems UCS is not using the HOTP PIN/TOKEN; the normal password from UCS works.

I have the ucr entries set:
ucr set privacyidea/saml/enable=True
ucr set privacyidea/saml/url=
ucr set privacyidea/saml/verifyhost=False
ucr set privacyidea/saml/verifypeer=False

I don’t see the place to modify the policies for this anymore. Before, it showed up under the users in v4. Has this changed to enable OTP?

Is there a way to enable just the PIN and OTP for some users?

Thanks in advance!

Hello @dfwtx,

first, I have to make some assumptions/ask questions:

  • you have the privacyIDEA server installed on the same machine as your DC primary (the hostname sounds like this). I recommend putting the privacyIDEA server on a dedicated host
  • which version does your privacyIDEA server have?
  • which version does the privacyIDEA SAML app have? The current one is 2.1.2
  • are privacyidea/saml/enable and privacyidea/saml/realm set to the right values?

With this, we can investigate further.

Thanks for the reply Friedrich.

  • I have it running on a dedicated host.
  • PrivacyIDEA version 2.23.4
  • SAML app is 2.1.2 latest from store on UCS v5

ucr set privacyidea/saml/url=https://ip-of-privacyIDEA (I don’t have it on the same box)
ucr set privacyidea/saml/enable=authsource
ucr set privacyidea/saml/realm=USS
ucr set privacyidea/saml/verifypeer=False
ucr set privacyidea/saml/verifyhost=False

Where does it log failures or issues for the saml attempts?
Do the ucr set options require a reboot to apply? I did try a reboot but it still didn’t work.

In the privacyIDEA audit I see it do a GET token and it says ok for sig_check and missing_line.
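Since the thread turns on whether the app's UCR variables are actually set (and the two posts above show different values for privacyidea/saml/enable), here is an added shell example, not code from the thread or from the privacyIDEA app, that sanity-checks a `ucr dump`-style listing: it reports the app variables that are missing or empty, and counts how many of the verifypeer/verifyhost switches disable TLS verification towards the privacyIDEA server (a setting worth reverting once the integration works, because the OTP validation request then goes over an unverified TLS connection). It assumes `ucr dump` prints one `key: value` pair per line; the sample listing is constructed from the values in the thread, and which value `enable` must carry is deliberately not decided here.

```shell
#!/bin/sh
# Added example: sanity-check the UCR variables used by the privacyIDEA SAML app.
# Assumption: input is in the "key: value" line format that `ucr dump` prints.

# Variables that must be present and non-empty for the auth source to be usable.
# (The correct value of privacyidea/saml/enable is not decided here.)
REQUIRED_KEYS="privacyidea/saml/enable privacyidea/saml/url privacyidea/saml/realm"

# Constructed sample listing, mirroring the second configuration in the thread.
SAMPLE_DUMP='privacyidea/saml/enable: authsource
privacyidea/saml/url: https://ip-of-privacyIDEA
privacyidea/saml/realm: USS
privacyidea/saml/verifypeer: False
privacyidea/saml/verifyhost: False'

# ucr_get DUMP KEY -> prints the value of KEY, or nothing if it is unset/empty
ucr_get() {
    printf '%s\n' "$1" | awk -v k="$2" -F': ' '
        $1 == k { sub(/^[^:]*: ?/, ""); print; exit }'
}

# check_required DUMP -> prints "MISSING key" per absent/empty key; returns 1 if any
check_required() {
    missing=0
    for k in $REQUIRED_KEYS; do
        v=$(ucr_get "$1" "$k")
        if [ -z "$v" ]; then
            echo "MISSING $k"
            missing=1
        fi
    done
    return $missing
}

# tls_disabled_count DUMP -> prints how many verify* switches are turned off
tls_disabled_count() {
    count=0
    for k in privacyidea/saml/verifypeer privacyidea/saml/verifyhost; do
        v=$(ucr_get "$1" "$k")
        case "$v" in
            [Ff]alse|0|[Nn]o) count=$((count + 1)) ;;
        esac
    done
    echo "$count"
}

# Stand-alone run: check the constructed sample.
# On a UCS host you would feed the real listing instead: check_required "$(ucr dump)"
main() {
    check_required "$SAMPLE_DUMP" && echo "all required privacyidea/saml/* variables set"
    n=$(tls_disabled_count "$SAMPLE_DUMP")
    [ "$n" -gt 0 ] && echo "WARN: $n TLS verification switch(es) disabled; re-enable once the setup works"
}
[ "${0##*/}" != "sh" ] && [ -z "$UCR_CHECK_NO_MAIN" ] && main
```

The check deliberately reads a dump rather than calling `ucr get` per key, so the same logic can be run against a listing pasted into a support thread. A listing that only sets `enable` and `url` (as in the first post of this thread) fails `check_required` because `realm` is absent.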

Hi @dfwtx ,

thanks for the info, the general setup sounds good.

For further investigation, I recommend a deeper look in the SAML logs:

ucr set saml/idp/log/level=DEBUG
systemctl restart univention-saml.service
tail -f /var/log/syslog
tail -f /var/log/simplesamlphp/*
  • set this back asap to avoid logspam (depending on no. of logins, log rotation)

More info about the details of the auth source filter can be found in the privacyidea-ucs-saml repository on GitHub (NetKnights-GmbH/privacyidea-ucs-saml).

Edit: There was an important update for the privacyIDEA app:

I don’t see any logs being created in /var/log/simplesamlphp/*

I am upgrading to 3.7.1 and will see if that resolves the issue.

Ok, upgraded to 3.7.1. I enabled debug again just to make sure. I still don’t see any logs in the simplesamlphp directory. It is still not working for Windows 10 users logging in.

UCS acts like it is not using the authsource. The variables are defined. Why is it not creating any log files? This is a new install, not an upgrade. Any ideas where to check? I can log in using the password from UCS, but not the PIN+OTP defined in privacyIDEA. The users show up in privacyIDEA and I can test the token there and it works.