Connecting to User db via SQL Resolver. However, passwords are pbkdf2-encoded (as this is a django project) and can thus not be read by privacyidea (PI). Any suggestion to solve this?
My approach would be to create a new user in the PI-Database so that those credentials could be used for further PI-REST-API requests…
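For readers unfamiliar with the format the first post refers to, the following is an added illustration, not code from this thread, from privacyIDEA, or from Django itself. It builds and verifies a password hash in Django's `pbkdf2_sha256$<iterations>$<salt>$<base64 digest>` layout using only the standard library. The salt generator and the default iteration count are this example's own choices; the point it shows is that anything reading the users table (the SQL resolver included) only ever sees the encoded string, so a candidate password can be checked by recomputing PBKDF2, but the plaintext can never be read back.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Django's PBKDF2PasswordHasher stores: "pbkdf2_sha256$<iterations>$<salt>$<base64(digest)>"
ALGORITHM = "pbkdf2_sha256"
DEFAULT_ITERATIONS = 600_000  # example default; Django's own default changes per release


def make_django_pbkdf2_hash(password: str, iterations: int = DEFAULT_ITERATIONS,
                            salt: Optional[str] = None) -> str:
    """Encode a password the way Django's pbkdf2_sha256 hasher lays it out."""
    if salt is None:
        # Constructed salt generator: Django uses its own alphabet/length, any
        # unpredictable value without '$' works for the format.
        salt = secrets.token_hex(11)
    if "$" in salt:
        raise ValueError("salt must not contain the '$' separator")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt.encode("utf-8"), iterations)
    return f"{ALGORITHM}${iterations}${salt}${base64.b64encode(digest).decode('ascii')}"


def parse_django_hash(encoded: str) -> Tuple[int, str, bytes]:
    """Split the stored string into (iterations, salt, raw digest)."""
    algorithm, iterations, salt, b64digest = encoded.split("$", 3)
    if algorithm != ALGORITHM:
        raise ValueError(f"unsupported algorithm: {algorithm}")
    return int(iterations), salt, base64.b64decode(b64digest)


def verify_django_pbkdf2(encoded: str, candidate: str) -> bool:
    """Check a candidate password against a stored hash.

    This is the only operation the stored value supports: recompute PBKDF2
    with the stored salt and iteration count and compare in constant time.
    """
    try:
        iterations, salt, expected = parse_django_hash(encoded)
    except ValueError:
        # malformed string, wrong algorithm prefix, or bad base64
        return False
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                                 salt.encode("utf-8"), iterations, dklen=len(expected))
    return hmac.compare_digest(digest, expected)


if __name__ == "__main__":
    # Constructed sample row, as a resolver reading the users table would see it.
    stored = make_django_pbkdf2_hash("correct horse battery staple", iterations=1000)
    print("stored value:", stored)
    print("right password verifies:", verify_django_pbkdf2(stored, "correct horse battery staple"))
    print("wrong password verifies:", verify_django_pbkdf2(stored, "wrong"))
```

A resolver that merely reads the table can therefore only answer "does this candidate match", and only if it implements this exact PBKDF2 recomputation; it cannot hand the password on to another component, which is why the thread moves on to separate credentials for the privacyIDEA `/auth` call.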
For what do you need the passwords of the users?
For the /auth endpoint to issue a token for being able to use the /token/init endpoint…
Do you only want one user to enroll tokens? Like as an admin or service account?
Or do you want to allow all users (humans) to enroll their tokens themselves?
The question of enrolling tokens can be very complex, since privacyIDEA is very flexible and there are many ways to do so.
In case you are German speaking: 007 Rollout-Konzepte für einen zweiten Faktor - LOGIN Success | Podcast on Spotify
Thanks for the answer, very enlightening. If I understood your podcast correctly, just using the self-signed-in user wouldn’t add any security value to the authentication process, as it would be as safe as the password itself.
Maybe I will try to get it to work with a service account that can only be triggered with an institution-wide additional password…
If an attacker already has the user's password, you could argue this way.
If you can, however, afterwards somehow ensure that the user's password was not compromised, you would have a higher security level.
So users are not located anywhere else?
All users can log into the system from outside. I will probably only enable users from higher hierarchy to roll out tokens. I still have the problem that this higher hierarchy user from my django db (because PI server can’t resolve pbkdf2 passwords) won’t have access to PI system unless I let him create another PI account. Am I mistaken?
Are you managing the users in the django DB originally?
Yes. I am currently using oauth-toolkit to issue access tokens and wanted to add 2FA…