Configuring SimpleSAMLphp to authenticate against privacyIDEA

Hi,
I am using privacyIDEA 3.8.1 (installed with the ubuntu 22.04.2 package) with simpleSAMLphp 1.19.7
I have tried to configure simpleSAMLphp to authenticate against privacyIDEA and then connect simpleSAMLphp to Nextcloud following this guide: How to use Nextcloud with privacyIDEA – privacyID3A. I have noticed that the configuration suggested there is a bit out of date, so I used the documentation from the git site instead. These are my config changes; I hope that they are useful:
in /config/authsources.php

    '****-privacyidea' => array(
        'privacyidea:PrivacyideaAuthSource',
        'privacyideaServerURL' => 'https://192.168.1.99',
        'sslVerifyHost' => 'false',
        'sslVerifyPeer' => 'false',
        'authenticationFlow' => 'sendPassword',
        'attributemap' => array(
            'username' => 'samlLoginName',
            'surname' => 'surName',
            'givenname' => 'givenName',
            'email' => 'emailAddress',
            'phone' => 'telePhone',
            'mobile' => 'mobilePhone'
        ),
        'preferredTokenType' => 'otp',
    ),

and I have added a policy with the scope: authentication,
the action: otppin userstore,
and the condition is set to only match a test user.

Now to the Problem:
When I try to test the authentication in simpleSAML using “Test authentication sources” → *****-privacyidea on the simpleSAML website, it asks me for the username and the password. I need to give the password and the OTP token or it won’t be accepted (error: wrong otp pin); after that it asks for the OTP again and it won’t accept the OTP (error: wrong otp pin).
logs of the login:
[2023-06-10 20:51:27,388][35306][139856136963648][INFO][privacyidea.lib.user:262] user 'user' found in resolver 'ldapresolver'
[2023-06-10 20:51:27,389][35306][139856136963648][INFO][privacyidea.lib.user:264] userid resolved to '7877e7a0-e842-4bf3-9da3-7902a4a37ddf'
[2023-06-10 20:51:27,538][35306][139856136963648][INFO][privacyidea.lib.user:432] User 'user' from realm 'defrealm' tries to authenticate
[2023-06-10 20:51:33,434][35306][139856153749056][INFO][privacyidea.lib.resolvers.LDAPIdResolver:333] Setting system wide POOLING_LOOP_TIMEOUT to 10.
[2023-06-10 20:51:33,438][35306][139856153749056][INFO][privacyidea.lib.user:262] user 'user' found in resolver 'ldap'
[2023-06-10 20:51:33,438][35306][139856153749056][INFO][privacyidea.lib.user:264] userid resolved to '7877e7a0-e842-4bf3-9da3-7902a4a37ddf'
[2023-06-10 20:51:33,584][35306][139856153749056][INFO][privacyidea.lib.user:432] User 'user' from realm 'defrealm' tries to authenticate
[2023-06-10 20:51:33,669][35306][139856153749056][WARNING][privacyidea.lib.resolvers.LDAPIdResolver:395] failed to check password for '7877e7a0-e842-4bf3-9da3-7902a4a37ddf'/'CN=user user,OU=Benutzer,OU=company,DC=work,DC=user,DC=de': LDAPPasswordIsMandatoryError('password is mandatory in simple bind')
[2023-06-10 20:51:33,671][35306][139856153749056][INFO][privacyidea.lib.user:444] user User(login='user', realm='defrealm', resolver='user.work') failed to authenticate.

The idea is that I can use the user password and a YubiKey OTP to log in.
I hope you can help me. I guess it is an error in the config or the policy, but I couldn’t find anything on my own. Thank you in advance.
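As an added example (not part of the post above and not privacyIDEA or simpleSAMLphp code), the following Python script parses privacyIDEA server log lines of the shape quoted in the post and correlates them per request thread, so that the LDAP warning is attached to the authentication attempt it belongs to rather than read in isolation. The sample log is constructed in the shape of the lines above (user id replaced by a placeholder), the `[timestamp][pid][thread][LEVEL][module:line] message` layout is taken from those lines, and treating one thread id as one request is an assumption that holds for the quoted excerpt.

```python
import re

# Constructed sample shaped like the privacyIDEA log lines quoted in the post
# above; the user id is replaced by the placeholder USERID.
SAMPLE_LOG = """\
[2023-06-10 20:51:27,388][35306][139856136963648][INFO][privacyidea.lib.user:262] user 'user' found in resolver 'ldapresolver'
[2023-06-10 20:51:27,538][35306][139856136963648][INFO][privacyidea.lib.user:432] User 'user' from realm 'defrealm' tries to authenticate
[2023-06-10 20:51:33,438][35306][139856153749056][INFO][privacyidea.lib.user:262] user 'user' found in resolver 'ldap'
[2023-06-10 20:51:33,584][35306][139856153749056][INFO][privacyidea.lib.user:432] User 'user' from realm 'defrealm' tries to authenticate
[2023-06-10 20:51:33,669][35306][139856153749056][WARNING][privacyidea.lib.resolvers.LDAPIdResolver:395] failed to check password for 'USERID'/'CN=user user,OU=Benutzer,OU=company,DC=work,DC=user,DC=de': LDAPPasswordIsMandatoryError('password is mandatory in simple bind')
[2023-06-10 20:51:33,671][35306][139856153749056][INFO][privacyidea.lib.user:444] user User(login='user', realm='defrealm', resolver='user.work') failed to authenticate.
"""

# Layout assumed from the quoted lines: [timestamp][pid][thread][LEVEL][module:line] message
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\[(?P<pid>\d+)\]\[(?P<thread>\d+)\]"
    r"\[(?P<level>[A-Z]+)\]\[(?P<module>[^\]]+)\] (?P<msg>.*)$"
)
# Accept straight or curly quotes: forum copies of logs often curl them.
Q = "['\u2018\u2019]"
NQ = "[^'\u2018\u2019]"
TRIES_RE = re.compile(f"User {Q}(?P<user>{NQ}+){Q} from realm {Q}(?P<realm>{NQ}+){Q} tries to authenticate")
FAILED_RE = re.compile(r"failed to authenticate")
LDAP_ERR_RE = re.compile(rf"(?P<exc>\w+Error)\({Q}(?P<detail>{NQ}*){Q}\)")


def parse_line(line):
    """Split one log line into its bracketed fields; None if the line does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def correlate(log_text):
    """Return one record per authentication attempt, keyed by request thread,
    carrying the outcome and the LDAP error (if any) logged on the same thread."""
    attempts = {}
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        t = rec["thread"]
        started = TRIES_RE.search(rec["msg"])
        if started:
            attempts[t] = {
                "thread": t, "started": rec["ts"],
                "user": started["user"], "realm": started["realm"],
                "outcome": "unknown", "ldap_error": None, "detail": None,
            }
            continue
        if t not in attempts:
            continue  # noise before the attempt itself (resolver lookups etc.)
        err = LDAP_ERR_RE.search(rec["msg"])
        if rec["level"] == "WARNING" and err:
            attempts[t]["ldap_error"] = err["exc"]
            attempts[t]["detail"] = err["detail"]
        elif FAILED_RE.search(rec["msg"]):
            attempts[t]["outcome"] = "failed"
    return list(attempts.values())


def summarize(attempts):
    """One human-readable line per attempt, with the LDAP reason appended when present."""
    out = []
    for a in attempts:
        reason = f" ({a['ldap_error']}: {a['detail']})" if a["ldap_error"] else ""
        out.append(f"{a['started']} {a['user']}@{a['realm']} thread={a['thread']} -> {a['outcome']}{reason}")
    return out


if __name__ == "__main__":
    for line in summarize(correlate(SAMPLE_LOG)):
        print(line)
```

Run against the constructed sample it prints two attempts: the first (thread 139856136963648) has no recorded outcome in the excerpt, the second is marked failed with `LDAPPasswordIsMandatoryError: password is mandatory in simple bind` attached, which is the same picture the post's log shows once the lines are grouped by thread. Pointing the script at a real privacyIDEA log lets you check, per attempt, whether the userstore password check ever received a password at all before looking at the OTP side.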

Hi and welcome Elyo,

Have you already looked at/checked this post?
I think you need to set some policies.

br

Julio

Thank you so much, it works! I tried to look for similar posts, but that one I must have missed.