
simpleSAMLphp Plugin

In document privacyidea Authentication System (Page 153-158)

You can install the plugin for simpleSAMLphp on Ubuntu 14.04 LTS (see SimpleSAMLphp) or on any other distribution using the source files [1].

Follow the simpleSAMLphp instructions to configure your authsources.php. A usual configuration will look like this:

'example-privacyidea' => array(
    'privacyidea:privacyidea',

    /*
     * The name of the privacyidea server and the protocol
     * A port can be added by a colon
     * Required.
     */
    'privacyideaserver' => 'https://your.server.com',

    /*
     * Check if the hostname matches the name in the certificate
     * Optional.
     */
    'sslverifyhost' => False,

    /*
     * Check if the certificate is valid, signed by a trusted CA
     * Optional.
     */
    'sslverifypeer' => False,

    /*
     * The realm where the user is located in.
     * Optional.
     */
    'realm' => '',

    /*
     * This is the translation from privacyIDEA attribute names to
     * SAML attribute names.
     */
    'attributemap' => array('username' => 'samlLoginName', 'surname' => 'surName'),
),

TYPO3

You can install the privacyIDEA extension from the TYPO3 Extension Repository. The privacyIDEA extension is easily configured.

privacyIDEA Server URL

This is the URL of your privacyIDEA installation. You do not need to add the path validate/check. Thus the URL for a common installation would be https://yourServer/.

Check certificate

Whether the validity of the SSL certificate should be checked or not.

Warning: If the SSL certificate is not checked, the authentication request could be modified and the answer to the request can be modified, easily granting access to an attacker.

Enable privacyIDEA for backend users

If checked, a user trying to authenticate at the backend will need to authenticate against privacyIDEA.

Enable privacyIDEA for frontend users

If checked, a user trying to authenticate at the frontend will need to authenticate against privacyIDEA.

Pass to other authentication module

If the authentication at privacyIDEA fails, the credential the user entered will be verified against the next authentication module.

This can come in handy if you are setting up the system and want to avoid locking yourself out.

In a production environment, however, you probably want to uncheck this option.

OTRS

There are two plugins for OTRS. For OTRS version 4.0 and higher use privacyIDEA-4_0.pm.

This Perl module needs to be installed in the directory Kernel/System/Auth.

On Ubuntu 14.04 LTS you can also install the module from the PPA repository by running:

apt-get install privacyidea-otrs

To activate the OTP authentication you need to add the following to Kernel/Config.pm:

$Self->{'AuthModule'} = 'Kernel::System::Auth::privacyIDEA';
$Self->{'AuthModule::privacyIDEA::URL'} = "https://localhost/validate/check";
$Self->{'AuthModule::privacyIDEA::disableSSLCheck'} = "yes";

Note: As mentioned earlier, you should only disable the checking of the SSL certificate in a test environment.

For production use you should never disable SSL certificate checking.

Note: This plugin requires that you also add the path validate/check to the URL.
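The TYPO3 and OTRS settings above differ only in whether the validate/check path is part of the configured URL, and both warn against switching off certificate checking. The following Python helper is an added example, not code from privacyIDEA or from any of its plugins: it normalises either URL form, keeps TLS verification on unless explicitly disabled, and parses the privacyIDEA JSON result envelope (result.status / result.value), treating anything other than an explicit success as a failed authentication. The request parameters user, pass and realm are the ones the /validate/check endpoint takes; the helper names are my own.

```python
import json
import ssl
import urllib.parse
import urllib.request

VALIDATE_PATH = "/validate/check"


def validate_check_url(server_url: str) -> str:
    """Return the full validate/check URL for either configuration style.

    TYPO3 takes the bare server URL (https://yourServer/) and appends the path
    itself; OTRS expects the path already present. Accepting both avoids a
    missing or doubled path.
    """
    base = server_url.rstrip("/")
    if base.endswith(VALIDATE_PATH):
        return base
    return base + VALIDATE_PATH


def parse_validate_response(body: bytes) -> bool:
    """True only when privacyIDEA reports status=true and value=true.

    Malformed JSON, an error envelope, or value=false all count as a failed
    authentication, so the caller fails closed.
    """
    try:
        data = json.loads(body)
    except ValueError:
        return False
    if not isinstance(data, dict):
        return False
    result = data.get("result", {})
    if not isinstance(result, dict):
        return False
    return result.get("status") is True and result.get("value") is True


def build_ssl_context(verify_certificate: bool = True) -> ssl.SSLContext:
    """Default context verifies the chain and the hostname; verify_certificate=False
    reproduces the 'disableSSLCheck' / 'Check certificate' unchecked setting."""
    ctx = ssl.create_default_context()
    if not verify_certificate:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def validate_check(server_url: str, user: str, password: str, realm: str = "",
                   verify_certificate: bool = True, timeout: float = 10.0) -> bool:
    """POST user/pass(/realm) to /validate/check and return the parsed verdict."""
    params = {"user": user, "pass": password}
    if realm:
        params["realm"] = realm
    body = urllib.parse.urlencode(params).encode("utf-8")
    request = urllib.request.Request(validate_check_url(server_url), data=body, method="POST")
    with urllib.request.urlopen(request, context=build_ssl_context(verify_certificate),
                                timeout=timeout) as response:
        return parse_validate_response(response.read())
```

The parsing is deliberately strict: privacyIDEA answers a wrong OTP with status=true and value=false, and an internal error with status=false, and neither must be read as success.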

Apache2

The Apache plugin uses mod_wsgi and redis to provide Basic authentication on the Apache2 side, validating the credentials against privacyIDEA.

On Ubuntu 14.04 LTS you can easily install the module from the PPA repository by running:

apt-get install privacyidea-apache-client

To activate the OTP authentication on a “Location” or “Directory” you need to configure Apache2 like this:

<Directory /var/www/html/secretdir>
    AuthType Basic
    AuthName "Protected Area"
    AuthBasicProvider wsgi
    WSGIAuthUserScript /usr/share/pyshared/privacyidea_apache.py
    Require valid-user
</Directory>

Note: Basic Authentication sends the base64 encoded password on each request. So the browser will send the same one time password with each request. Thus the authentication module needs to cache the password after a successful authentication. Redis is used for caching the password.

Warning: As redis per default is accessible by every user on the machine, you need to use this plugin with caution! Every user on the machine can access the redis database to read the passwords of the users. The cached credentials are stored as pbkdf2+sha512 hash.

NGINX

The NGINX plugin uses Lua, the internal scripting language of the NGINX webserver, and redis as a caching backend to provide Basic authentication against privacyIDEA.

On Ubuntu 14.04 LTS or Debian Jessie 8 you can easily install the module by installing the following packages:

nginx-extras lua-nginx-redis lua-cjson redis-server

You can retrieve the nginx plugin here [4].

To activate the OTP authentication on a "Location" you need to include the Lua script, which verifies the given credentials against the caching backend. New authentications are sent via subrequest to a different (internal) location that points to the privacyIDEA authentication backend (via proxy_pass).

For the basic configuration you need to include the following lines in your location block:

location / {
    # additional plugin configuration goes here
    # ...
    access_by_lua_file 'privacyidea.lua';
}

location /privacyidea-validate-check {
    internal;
    proxy_pass https://privacyidea/validate/check;
}

You can customize the authentication plugin by setting some of the following variables in the secured location block:

# redis host:port
# set $privacyidea_redis_host "127.0.0.1";
set $privacyidea_redis_port 6379;

# how long accepted authentications are allowed to be cached
# if expired, the user has to reauthenticate
set $privacyidea_ttl 900;

# privacyIDEA realm. leave empty == default
set $privacyidea_realm 'somerealm'; # (optional)

# pointer to the internal validation proxy pass
set $privacyidea_uri "/privacyidea-validate-check";

# the http realm presented to the user
set $privacyidea_http_realm "Secure zone (use PIN + OTP)";

Note: Basic Authentication sends the base64 encoded password on each request. So the browser will send the same one time password with each request. Thus the authentication module needs to cache the password after a successful authentication. Redis is used for caching the password, similar to the Apache2 plugin.

Warning: As redis per default is accessible by every user on the machine, you need to use this plugin with caution! Every user on the machine can access the redis database to read the passwords of the users. The cached credentials are stored as SHA1_HMAC hash. If you prefer a stronger hashing method feel free to extend the given password_hash/verify functions using additional lua libraries (for example by using lua-resty-string).
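The Apache2 and NGINX notes above describe the same mechanism: the browser repeats the Basic credentials on every request, so the plugin must recognise an already-accepted PIN+OTP from its cache instead of asking privacyIDEA again (a replayed OTP would be rejected as used). The following Python is an added illustration of that flow and not the code of either plugin: an in-memory dictionary stands in for redis, only a salted pbkdf2+sha512 digest of the accepted credential is kept (the hashing the Apache2 plugin is described as using), and entries expire after the TTL. The iteration count, the validate callback and all function and class names are assumptions of this example.

```python
import base64
import hashlib
import hmac
import os
import time
from typing import Callable, Dict, Optional, Tuple

PBKDF2_ITERATIONS = 100_000   # assumed value; the plugins' own iteration count is not on the page
TTL_SECONDS = 900             # same value as the NGINX plugin's privacyidea_ttl setting


class OtpCache:
    """In-memory stand-in for the redis cache used by the Apache2/NGINX plugins.

    Each entry holds (expiry timestamp, salt, pbkdf2-sha512 digest) of the
    PIN+OTP that privacyIDEA accepted. The plaintext is never stored, so a
    reader of the cache only obtains digests that still have to be brute-forced.
    """

    def __init__(self, ttl: int = TTL_SECONDS, clock: Callable[[], float] = time.time):
        self.ttl = ttl
        self.clock = clock            # injectable so expiry can be tested deterministically
        self._store: Dict[str, Tuple[float, bytes, bytes]] = {}

    @staticmethod
    def _digest(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)

    def remember(self, user: str, password: str) -> None:
        """Cache a credential privacyIDEA just accepted, with a fresh salt and TTL."""
        salt = os.urandom(16)
        self._store[user] = (self.clock() + self.ttl, salt, self._digest(password, salt))

    def check(self, user: str, password: str) -> bool:
        """True if the same credential was accepted less than ttl seconds ago."""
        entry = self._store.get(user)
        if entry is None:
            return False
        expires_at, salt, digest = entry
        if self.clock() >= expires_at:
            del self._store[user]     # redis would have expired the key itself
            return False
        return hmac.compare_digest(digest, self._digest(password, salt))


def make_basic_header(user: str, password: str) -> str:
    """Build the Authorization header a browser sends for Basic authentication."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def parse_basic_auth(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Decode 'Basic <base64(user:password)>'; None for anything malformed."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        raw = base64.b64decode(header[len("Basic "):], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    if ":" not in raw:
        return None
    user, password = raw.split(":", 1)
    return user, password


def check_password(user: str, password: str, cache: OtpCache,
                   validate: Callable[[str, str], bool]) -> bool:
    """Decision rule of the plugins: serve repeats from the cache, ask privacyIDEA once.

    `validate` stands in for the /validate/check call and is only reached when
    the cache holds no live entry matching this user/password pair.
    """
    if cache.check(user, password):
        return True
    if validate(user, password):
        cache.remember(user, password)
        return True
    return False


def authenticate_request(auth_header: Optional[str], cache: OtpCache,
                         validate: Callable[[str, str], bool]) -> bool:
    """Per-request entry point, as a Basic-auth provider would call it."""
    creds = parse_basic_auth(auth_header)
    if creds is None:
        return False
    user, password = creds
    return check_password(user, password, cache, validate)
```

Two properties of the plugins follow directly from this structure: the cache is what turns a one-time password into a session of TTL seconds, so a short TTL limits how long a captured Basic header stays valid; and because the cache stores only a digest, a user who can read the redis database gets salted hashes rather than reusable plaintext, which is why the warning above still matters but is not a total loss.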

[4] https://github.com/dhoffend/lua-nginx-privacyidea

ownCloud

The ownCloud plugin is an ownCloud user backend. The directory user_privacyidea needs to be copied to your ownCloud apps directory.

Fig. 1.62: Activating the ownCloud plugin

You can then activate the privacyIDEA ownCloud plugin by checking Use privacyIDEA to authenticate the users. All users now need to be known to privacyIDEA and need to authenticate using the second factor enrolled in privacyIDEA - be it an OTP token, Google Authenticator or SMS/Smartphone.

Checking "Also allow users to authenticate with their normal passwords." lets the user choose whether to authenticate with the OTP token or with the original password from the original user backend.

Note: At the moment using a desktop client with a one time password is not supported.

ownCloud 9.1 and Nextcloud 10 come with a new two factor framework. The new privacyIDEA ownCloud App allows you to add a second factor that is centrally managed by privacyIDEA to the ownCloud or Nextcloud installation.

The ownCloud privacyIDEA App is available here [7].

The App requires a subscription file to work for more than ten users. You can get the subscription file at NetKnights [8].

Django

You can add two factor authentication with privacyIDEA to Django using this Django plugin. See django.

You can simply add the PrivacyIDEA class to the AUTHENTICATION_BACKENDS setting of Django.

OpenVPN

Read more about how to use OpenVPN with privacyidea at openvpn.

[7] https://apps.owncloud.com/content/show.php/privacyIDEA+ownCloud+App?content=174779

[8] https://netknights.it/en/produkte/privacyidea-owncloud-app/

Windows

Credential Provider

The privacyIDEA Credential Provider adds two factor authentication to the Windows desktop or Terminal server. See http://privacyidea-credential-provider.readthedocs.io

Provider Class

There is a .NET provider class, which you can use to integrate privacyIDEA authentication into other products and workflows. See https://github.com/sbidy/privacyIDEA_dotnetProvider
