I am trying to get PrivacyIdea working with UCS v5. I have it working in UCS v4.
I have the PrivacyIDEA server up and I can validate the PIN/TOKEN in the interface for the UCS user.
But it seems UCS is not using the HOTP PIN/TOKEN, the normal password from UCS works.
I have the ucr entries set:
ucr set privacyidea/saml/enable=True
ucr set privacyidea/saml/url=https://your.domain.controller.net/privacyidea
ucr set privacyidea/saml/verifyhost=False
ucr set privacyidea/saml/verifypeer=False
I don’t see the place to modify the policies for this anymore. Before, it showed up under the users in v4. Has this changed to enable OTP?
Is there a way to enable just the PIN and OTP for some users?
First, I have to make some assumptions/ask questions:
you have the privacyIDEA server installed on the same machine as your DC primary (the hostname sounds like this). I recommend putting the privacyIDEA server on a dedicated host
which version does your privacyIDEA server have?
Which version does the privacyIDEA SAML app have? Current is 2.1.2
Are privacyidea/saml/enable and privacyidea/saml/realm set to the right values?
ucr set privacyidea/saml/url=https://ip-of-privacyIDEA (I don’t have it on the same box)
ucr set privacyidea/saml/enable=authsource
ucr set privacyidea/saml/realm=USS
ucr set privacyidea/saml/verifypeer=False
ucr set privacyidea/saml/verifyhost=False
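As an added example (not from this thread, and not part of the privacyIDEA app), here is a small POSIX shell check for the privacyidea/saml/* variables named in the reply above. It parses text in the key: value format that ucr dump prints, so it can be run against a saved dump without touching the live registry. It assumes the values from the reply (enable=authsource, a non-empty url and realm, verifypeer/verifyhost set to True or False); the two sample dumps at the bottom are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: sanity-check privacyidea/saml/* settings from a saved
# `ucr dump` (key: value per line). Expected values follow the reply above.

# Print the value of one key from a dump file (empty output if absent).
ucr_dump_get() {
    # $1 = dump file, $2 = key. Keys contain no ':', so cut at the first ': '.
    awk -v k="$2" 'index($0, k ": ") == 1 { sub(/^[^:]*: */, ""); print; exit }' "$1"
}

# Report every problem found in a dump file, one per line, and return the
# number of problems (0 means the settings match the reply above).
check_pi_saml_settings() {
    dump="$1"
    problems=0
    enable=$(ucr_dump_get "$dump" privacyidea/saml/enable)
    if [ "$enable" != "authsource" ]; then
        echo "privacyidea/saml/enable is '$enable', expected 'authsource'"
        problems=$((problems + 1))
    fi
    for key in privacyidea/saml/url privacyidea/saml/realm; do
        if [ -z "$(ucr_dump_get "$dump" "$key")" ]; then
            echo "$key is not set"
            problems=$((problems + 1))
        fi
    done
    for key in privacyidea/saml/verifypeer privacyidea/saml/verifyhost; do
        v=$(ucr_dump_get "$dump" "$key")
        case "$v" in
            True|False) ;;
            *) echo "$key is '$v', expected True or False"
               problems=$((problems + 1)) ;;
        esac
    done
    return "$problems"
}

# Constructed sample dumps: GOOD_DUMP mirrors the values in the reply above,
# BAD_DUMP has enable=True and no realm, as in the original question.
GOOD_DUMP=$(mktemp)
BAD_DUMP=$(mktemp)
cat > "$GOOD_DUMP" <<'EOF'
privacyidea/saml/enable: authsource
privacyidea/saml/realm: USS
privacyidea/saml/url: https://ip-of-privacyIDEA
privacyidea/saml/verifyhost: False
privacyidea/saml/verifypeer: False
EOF
cat > "$BAD_DUMP" <<'EOF'
privacyidea/saml/enable: True
privacyidea/saml/url: https://your.domain.controller.net/privacyidea
privacyidea/saml/verifyhost: False
privacyidea/saml/verifypeer: False
EOF

# Usage: on a UCS host you would run `ucr dump > /tmp/ucr.txt` first and
# pass that file instead of the constructed samples.
check_pi_saml_settings "$GOOD_DUMP" && echo "sample 1: settings consistent"
check_pi_saml_settings "$BAD_DUMP" || echo "sample 2: $? problem(s) found"
```

The check only covers what the thread states; it does not confirm that the SAML app itself is reading the values, which is the separate question of whether the authsource is active at all.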
Where does it log failures or issues for the saml attempts?
Do the ucr set options require a reboot to apply? I did try a reboot, but it still didn’t work.
In the privacyidea audit I see this: it does GET token and says ok for sig_check and missing_line.
Ok, upgraded to 3.7.1. I enabled debug again just to make sure. I still don’t see any logs in simplesamlphp directory. It still is not working for windows 10 user logging in.
UCS acts like it is not using the authsource. The variables are defined. Why is it not creating any log files? This is a new install not an upgrade. Any ideas where to check? I can login using the password from UCS, but not the PIN+OTP defined in PrivacyIDEA. The users show up in PrivacyIDEA and I can test the token there and it works.
So please get the new update for the privacyIDEA app (I expect it next week) and make sure to have the variables privacyidea/saml/enabledPath and privacyidea/saml/enabledKey set.
Regarding:
I don’t see the place to modify the policies for this anymore. Before it showed up under the users in v4. Has this changed to enable OTP.
Is there a way to enable just the PIN and OTP for some users?
That is good news.
I see this. What should the enablePath value be? It seems enableKey should default to enabled if not set.
/**
 * Other authproc filters can disable 2FA if you want to.
 * If privacyIDEA should listen to the setting, you have to enter the state's path and key.
 * The value of this key will be set by a previous auth proc filter.
 * privacyIDEA will only be disabled, if the value of the key is set to false,
 * in any other situation (e.g. the key is not set or does not exist), privacyIDEA will be enabled.
 */
'enabledPath' => '',
'enabledKey' => '',
Regarding simpleSAML-Code: yes, this should be right, because the privacyIDEA login module integrates into the simplesamlphp code.
The variable privacyidea/saml/setpath is only needed if you use the authProc filter, then it should be set to privacyIDEA. But as you use authSource it’s not necessary.