Ask for second factor based on group membership

Hello everybody,

I just managed to set up a basic working PrivacyIDEA with simpleSAMLphp and an LDAP backend for securing an instance of Nextcloud in the first place (following your tutorial "How to use Nextcloud with privacyIDEA", method 2). Now I would like to force some users to authenticate with two factors, while some may be allowed to log in with just their password. So is it possible to
a) have a group in LDAP and all the members must use 2FA but all others don’t need to
and
b) have a group in LDAP and all members don’t need to use 2FA but the whole rest of users must?

Could you give me some pointers in which direction I should investigate? Thanks!

By the way, PrivacyIDEA is an awesome piece of software, I’m just now delighted to have found it! :slight_smile:


You cannot define a user group that does not need to do 2FA and another that does need it.
privacyIDEA works in such a way that it authenticates the users based on the tokens the user has assigned. You could, however, assign tokens like spass or password to a user to achieve 1FA.

But the more common way would be to define a passthru policy.
https://privacyidea.readthedocs.io/en/latest/policies/authentication.html#passthru
This means, if a user has no token assigned he can authenticate with his password from the user store. An LDAP user could thus authenticate against privacyIDEA with his LDAP password.

If you set otppin=userstore (see https://privacyidea.readthedocs.io/en/latest/policies/authentication.html#otppin), other users, who have a token assigned, would need to authenticate with LDAP password + OTP.

Note that you can assign policies either to users from resolvers or only to users with certain attributes (like group membership):
https://privacyidea.readthedocs.io/en/latest/policies/conditions.html#userinfo
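To make the combination of passthru, otppin=userstore and a userinfo condition concrete, here is an added example (not privacyIDEA code) that models the decision for both scenarios from the question; the attribute name `groups` and the comparators `contains` / `!contains` are assumptions chosen for the model. It also shows the caveat that a member of the mandatory-2FA group who has no token yet is denied rather than let through.

```python
# Added example (not privacyIDEA's own code): a small model of the policy
# logic described above, to show how passthru, otppin=userstore and a
# userinfo condition combine for the two requested scenarios.
from dataclasses import dataclass
from typing import Optional

@dataclass
class User:
    name: str
    groups: list   # group attribute delivered by the LDAP resolver (constructed)
    tokens: list   # token types assigned in privacyIDEA, e.g. ["totp"]

@dataclass
class Policy:
    action: str                         # "passthru=userstore" or "otppin=userstore"
    condition: Optional[tuple] = None   # (userinfo attribute, comparator, value)

def policy_applies(policy: Policy, user: User) -> bool:
    """Mimic a single userinfo condition (assumed comparators: contains / !contains)."""
    if policy.condition is None:
        return True
    attr, comparator, value = policy.condition
    attribute_values = getattr(user, attr)
    if comparator == "contains":
        return value in attribute_values
    if comparator == "!contains":
        return value not in attribute_values
    raise ValueError(f"unsupported comparator {comparator}")

def required_credentials(user: User, policies: list) -> str:
    """What the user has to present: 'password', 'password+otp', 'pin+otp' or 'denied'."""
    actions = {p.action for p in policies if policy_applies(p, user)}
    if not user.tokens:
        # No token: only a matching passthru policy lets the user in with the LDAP password.
        return "password" if "passthru=userstore" in actions else "denied"
    # A token is assigned: with otppin=userstore the PIN part is the LDAP password.
    return "password+otp" if "otppin=userstore" in actions else "pin+otp"

# Scenario a): members of "mfa-required" never fall through to password-only login.
SCENARIO_A = [Policy("otppin=userstore"),
              Policy("passthru=userstore", ("groups", "!contains", "mfa-required"))]
# Scenario b): only members of "mfa-exempt" may log in with the password alone.
SCENARIO_B = [Policy("otppin=userstore"),
              Policy("passthru=userstore", ("groups", "contains", "mfa-exempt"))]

# Constructed sample users.
ALICE = User("alice", ["mfa-required"], [])        # must enroll a token first
BOB = User("bob", ["mfa-required"], ["totp"])
CAROL = User("carol", ["staff"], [])
DAVE = User("dave", ["mfa-exempt"], [])
```

Running `required_credentials(ALICE, SCENARIO_A)` yields "denied", which is the point to plan for: users in the mandatory group need a token enrolled before the restrictive passthru condition goes live.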