Authproc filter in simpleSAMLphp

Hi,

I’m quite new to privacyIDEA, so please bear with me :slight_smile:

We are using the simpleSAMLphp privacyIDEA module much like described in the blog post here:
https://www.privacyidea.org/privacyidea-as-authproc-filter-in-simplesamlphp/

It works smoothly and as expected. In the module documentation (https://github.com/privacyidea/simplesamlphp-module-privacyidea/blob/master/docs/privacyidea.md)
there are a couple of config parameters I don’t really understand how to use:

    /**
     * Other authproc filters can disable 2FA if you want to.
     * If privacyIDEA should listen to the setting, you have to enter the state's path and key.
     * The value of this key will be set by a previous auth proc filter.
     * privacyIDEA will only be disabled, if the value of the key is set to false,
     * in any other situation (e.g. the key is not set or does not exist), privacyIDEA will be enabled.
     */
    'enabledPath' => '',
    'enabledKey'  => '',

Are there any examples or pointers on how to use enabledPath/enabledKey? I think this will provide functionality I need, but I am a bit stuck on how to.

I do apologise if this is a stupid question and it should be obvious, but to me it isn’t :slight_smile:

Many thanks
Bjørn

Hey there
I do not think that you need it, but I will try to explain.

If you had a module for simpleSAMLphp that wants to turn off other modules, it would be necessary. The module might set something like “moduleState/enable2FA=true” in the state.

Then the path would be moduleState and the key disable2FA.

Leave it blank, as it is, to ignore it.

Hope it helps
Micha


Hi,

thanks for your kind reply. I will go back to my config and figure out what I want to achieve and see if I can find a solution. I might post another question if I’m stuck! :slight_smile:

BR
Bjørn

Can this be done with simplesamlphp’s php core:PHP capabilities?

Something like:

    $state["skip_pi"] = array("key" => "FALSE",);

and

    'enabledPath' => 'skip_pi',
    'enabledKey'  => 'key',

Hey
I think you should rename it.
In privacyIDEA you have the key ‘enabled’, but you named it ‘skip’, which is the opposite…
So you say ‘I don’t want to skip it’, that’s why you disabled it :smiley:

The following should work…

    $state["use_pi"] = array("key" => True);

    'enabledPath' => 'use_pi',
    'enabledKey'  => 'key',

I renamed it but it doesn’t really seem to make a difference. Setting it to true or false has no effect.

I’m thinking that you can’t set this with another auth_proc filter? I’ve double checked that use_pi existed at the right time and tried both setting it to true and false with no effect.

    10 => array(
        'class' => 'core:PHP',
        'code'  => '
            $state["use_pi"] = array("key" => False);
        ',
    ),
    20 => array(
        'class'             => 'privacyidea:serverconfig',
        'privacyideaserver' => 'https://testing.com',
        'realm'             => 'my realm',
        'uidKey'            => 'name',
        'sslverifyhost'     => false,
        'sslverifypeer'     => false,
        'serviceAccount'    => 'service',
        'servicePass'       => 'service',
        /**
         *  Other authproc filters can disable 2FA if you want to.
         *  If privacyIDEA should listen to the setting, you have to enter the state's path and key.
         *  The value of this key will be set by a previous auth proc filter.
         *  privacyIDEA will only be disabled, if the value of the key is set to false,
         *  in any other situation (e.g. the key is not set or does not exist), privacyIDEA will be enabled.
         */
        'enabledPath'       => 'use_pi',
        'enabledKey'        => 'key',
    ),
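
The rule stated in the doc comment quoted above, written out as a small PHP check over a few state arrays (an added example, not code from the module or from anyone in this thread). The function name, the sample states and the strict comparison with boolean false are assumptions; the module's own check may differ.

```php
<?php
declare(strict_types=1);

/**
 * Added illustration, not the module's code: the rule from the doc comment.
 * 2FA is skipped only when $state[$path][$key] exists and is boolean false.
 * The strict (!==) comparison is an assumption; the comment does not say.
 */
function secondFactorEnabled(array $state, string $path, string $key): bool
{
    // Blank settings mean "ignore the switch": 2FA stays on.
    if ($path === '' || $key === '') {
        return true;
    }
    // Missing path or key: fail closed, 2FA stays on.
    if (!isset($state[$path]) || !is_array($state[$path])
        || !array_key_exists($key, $state[$path])) {
        return true;
    }
    // Only an explicit boolean false turns the second factor off.
    return $state[$path][$key] !== false;
}

// Constructed sample states, as an earlier authproc filter might leave them.
$cases = [
    'path missing'   => [],
    'key missing'    => ['use_pi' => []],
    'boolean false'  => ['use_pi' => ['key' => false]],
    'boolean true'   => ['use_pi' => ['key' => true]],
    'string "FALSE"' => ['use_pi' => ['key' => 'FALSE']],
];

foreach ($cases as $label => $state) {
    $on = secondFactorEnabled($state, 'use_pi', 'key');
    printf("%-16s 2FA %s\n", $label, $on ? 'required' : 'skipped');
}
```

Under these assumptions the switch fails closed: a missing path, a missing key or a non-boolean value such as the string "FALSE" all leave the second factor required.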

So did you guys resolve it? I also want to do that. When 2FA of users “enable” so users can enroll their OTP.