PrivacyIdea with UCS v5

#1

I am trying to get PrivacyIdea working with UCS v5. I have it working in UCS v4.

I have the PrivacyIDEA server up and I can validate the PIN/TOKEN in the interface for the UCS user.

But it seems UCS is not using the HOTP PIN/TOKEN, the normal password from UCS works.

I have the ucr entries set:
ucr set privacyidea/saml/enable=True
ucr set privacyidea/saml/url=https://your.domain.controller.net/privacyidea
ucr set privacyidea/saml/verifyhost=False
ucr set privacyidea/saml/verifypeer=False

I don’t see the place to modify the policies for this anymore. Before it showed up under the users in v4. Has this changed to enable OTP.

Is there a way to enable just the PIN and OTP for some users?

Thanks in advance!

#2

Hello @dfwtx,

first, I have to make some assumptions/ask questions:

  • you have the privacyIDEA server installed on the same machine as your DC primary (the hostname sounds like this). I recommend putting the privacyIDEA server on a dedicated host
  • which version does your privacyIDEA server have?
  • which version does the privacyIDEA SAML app has? Actual is 2.1.2
  • are privacyidea/saml/enable and pricayidea/saml/realm set to the right values?

With this, we can investigate further.

#3

Thanks for the reply Friedrich.

  • I have it running on a dedicated host.
  • PrivacyIDEA version 2.23.4
  • SAML app is 2.1.2 latest from store on UCS v5

ucr set privacyidea/saml/url=https://ip-of-privacyIDEA ( i don’t have on the same box)
ucr set privacyidea/saml/enable=authsource
ucr set privacyidea/saml/realm=USS
ucr set privacyidea/saml/verifypeer=False
ucr set privacyidea/saml/verifyhost=False

Where does it log failures or issues for the saml attempts?
Does the ucr set options require a reboot to apply? I did try a reboot but still didn’t work.

In privacyidea audit I see this it do GET token and says ok for sig_check and missing_line

#4

Hi @dfwtx ,

thanks for the infos, general setup sounds good.

For further investigation, I recommend a deeper look in the SAML logs:

ucr set saml/idp/log/level=DEBUG \
   saml/idp/log/level=TRUE
systemctl restart univention-saml.service
tail -f /var/log/syslog
tail -f /var/log/simplesamlphp/*
  • set this back asap to avoid logspam (depending on no. of logins, log rotation)

More info about the details of the auth source filter can be found here: privacyidea-ucs-saml/privacyidea.md at master · NetKnights-GmbH/privacyidea-ucs-saml · GitHub

#5

Edit: There was an important update for the privacyIDEA app:

#6

I don’t see any logs being created in /var/log/simplesamlphp/*

I am upgrading to 3.7.1 and will see if that resolves the issue.

#7

Ok, upgraded to 3.7.1. I enabled debug again just to make sure. I still don’t see any logs in simplesamlphp directory. It still is not working for windows 10 user logging in.

#8

UCS acts like it is not using the authsource. The variables are defined. Why is it not creating any log files? This is a new install not an upgrade. Any ideas where to check? I can login using the password from UCS, but not the PIN+OTP defined in PrivacyIDEA. The users show up in PrivacyIDEA and I can test the token there and it works.