Authentication form is keep occuring even after the user is successfully authenticated

YassineFadhlaoui · April 14, 2022, 8:20am

Hi all;
I am new to PrivacyIdea. Our environment has the following characteristics:

Privacy idea version: 3.7 (installed with pip)
privacy idea simple saml php plugin: 2.1 (installed with composer)
privacy idea is configured as an authsource for simplesamlphp:

 'privacyidea' => array(
      'privacyidea:PrivacyideaAuthSource',
      'privacyideaServerURL' => 'https://privacyidea.internal',
      'sslverifyhost' => True,
      'sslverifypeer' => True,
      'realm' => '',
      'SSO' => 'true',
      'otpFieldHint' => 'OTP',
      'passFieldHint' => 'PIN',
      'attributemap' => array(
          'username' => 'uid',
          'email' => 'mail',
          'surname' => null,
          'givenname' => null,
          'phone' => null,
          'mobile' => null,  
		  ),
      'doTriggerChallenge' => 'false',
      'doSendPassword' => 'true',
      'preferredTokenType' => '',
      'concatenationmap' => array(
          'givenname,surname' => 'fullName',
      ),
      'detailmap' => array(
          'message' => 'message',
          'type' => 'otpType',
          'serial' => 'otpSerial',
          'otplen' => 'otpLength'
      ),
    ),
)

access to web service S is allowed when the saml authentication is done successfully for user X.

Problem description:
I enrolled an OTP token to privacy idea successfully for user X. The problem occurs when I try to authenticate through the simplesaml web UI. In fact, I input the user identifier and the PIN+OTP in the PIN field. In the logs of simplesamlphp I can clearly read that the User authenticated successfully!.
Here is an excerpt from the logs:

privacyIDEA-PHP-Client: /validate/check returned {
    "detail": {
        "message": "matching 1 tokens",
        "otplen": 6,
        "serial": "SERIAL-REMOVED",
        "threadid": 139806027273984,
        "type": "hotp"
    },
    "id": 2,
    "jsonrpc": "2.0",
    "result": {
        "authentication": "ACCEPT",
        "status": true,
        "value": true
    },
    "time": 1649920666.5231423,
    "version": "privacyIDEA 3.7",
    "versionnumber": "3.7",
    "signature":

I expect that there will be a redirect to web service S. What happens actually is a second from coming from simplesamlphp occurs again asking for the OTP.

Even if we input the PIN+OTP again into that field, we again see in the logs User authenticated successfully! but again the form occurs again asking for the OTP.

Any help is appreciated !

lukasmatusiewicz · April 19, 2022, 10:58am

Hi,

I suppose that your problem occurs because if you are using simplesaml as an authsource, it needs a little more info about the user. You can send it by adding a new policy in privacyIDEA.

Please try to add a policy from scope: “authorization”, and in “Action” check:
setting actions → add_resolver_in_response
setting actions → add_user_in_response
and eventually:
miscellaneous → application_tokentype

I hope it will help!

YassineFadhlaoui · June 10, 2022, 1:55pm

Thanks a lot for your answer that worked.