Hi everybody!
I am trying to connect privacyIDEA with simplesamlphp via simplesamlphp-module-privacyidea.
I installed both in one virtual machine: simplesamlphp + privacyIDEA, with the ethernet adaptor in bridged mode (in this way I have a functional IP).
Previously, simplesamlphp was working alone, but as soon as I configured the plugin it crashed.
I am setting it up in saml20-sp-remote.php, via authproc:
    'authproc' => array(
        20 => array(
            'class' => 'privacyidea:serverconfig',
            'privacyideaserver' => 'https://IP.IS.HERE',
            'realm' => 'prueba',
            'uidKey' => array('uid', 'userName', 'uName'),
            // TLS verification of the privacyIDEA server is switched off here
            'sslverifyhost' => false,
            'sslverifypeer' => false,
            'serviceAccount' => 'root',
            'servicePass' => 'root',
        ),
        25 => array(
            'class' => 'privacyidea:privacyidea',
        ),
    ),
);
I enrolled an HOTP token for my user in the privacyIDEA admin Web UI, and I am using LDAP as the user resolver.
LDAP is working well in the tests and returns information about my user.
When I try to authenticate against simplesaml, I get this error:
SimpleSAML\Error\Error: UNHANDLEDEXCEPTION
Backtrace:
1 www/_include.php:17 (SimpleSAML_exception_handler)
0 [builtin] (N/A)
Caused by: Exception: Could not resolve 'privacyidea:serverconfig': no class named 'SimpleSAML\Module\privacyidea\Auth\Process\serverconfig' or 'sspmod_privacyidea_Auth_Process_serverconfig'.
Backtrace:
12 lib/SimpleSAML/Module.php:443 (SimpleSAML\Module::resolveClass)
11 lib/SimpleSAML/Auth/ProcessingChain.php:165 (SimpleSAML\Auth\ProcessingChain::parseFilter)
10 lib/SimpleSAML/Auth/ProcessingChain.php:139 (SimpleSAML\Auth\ProcessingChain::parseFilterList)
9 lib/SimpleSAML/Auth/ProcessingChain.php:78 (SimpleSAML\Auth\ProcessingChain::__construct)
8 lib/SimpleSAML/IdP.php:329 (SimpleSAML\IdP::postAuth)
7 [builtin] (call_user_func)
6 lib/SimpleSAML/Auth/Source.php:246 (SimpleSAML\Auth\Source::loginCompleted)
5 [builtin] (call_user_func)
4 lib/SimpleSAML/Auth/Source.php:159 (SimpleSAML\Auth\Source::completeAuth)
3 modules/core/lib/Auth/UserPassBase.php:329 (SimpleSAML\Module\core\Auth\UserPassBase::handleLogin)
2 modules/core/www/loginuserpass.php:84 (require)
1 lib/SimpleSAML/Module.php:260 (SimpleSAML\Module::process)
0 www/module.php:10 (N/A)
I installed the plugin with composer.
php composer.phar require privacyidea/simplesamlphp-module-privacyidea:v1.6
I am using the latest version of privacyIDEA and PHP 7.2.24-0ubuntu0.18.04.7 on Ubuntu 18.04.
Thanks
I removed simplesamlphp-module-privacyidea via composer and reinstalled it without specifying a version.
It installed version 1.8 of the plugin.
I got the second-factor prompt asking for a password (I think that I need to enter my LDAP password + the OTP from Google Authenticator).
I get this message:
SimpleSAML\Error\BadRequest: BADREQUEST('%REASON%' => 'privacyIDEA: Valid JSON response, but some internal error occured in PI server')
Backtrace:
3 modules/privacyidea/lib/Auth/Process/privacyidea.php:201 (sspmod_privacyidea_Auth_Process_privacyidea::authenticate)
2 modules/privacyidea/www/otpform.php:53 (require)
1 lib/SimpleSAML/Module.php:260 (SimpleSAML\Module::process)
0 www/module.php:10 (N/A)
In /var/log/apache2/error.log:
[Tue Nov 17 12:42:30.531970 2020] [php7:notice] [pid 6417] [client IP1.IP2.IP3.IP4:61260] simplesamlphp WARNING [5eb6b8621d] The class or interface 'SimpleSAML_Auth_ProcessingFilter' is now using namespaces, please use 'SimpleSAML\Auth\ProcessingFilter'., referer: https://IPP1.IPP2.IPP3.IPP4/simplesaml/module.php/privacyidea/otpform.php?StateId=_c27ae31dbb180e5b37b64a0fba71d645dc92397f80%3Ahttps%3A%2F%2FIPP1.IPP2.IPP3.IPP4%2Fsimplesaml%2Fsaml2%2Fidp%2FSSOService.php%3Fspentityid%3DFichadasDes%26cookieTime%3D1605613340
[Tue Nov 17 12:42:30.532001 2020] [php7:notice] [pid 6417] [client IP1.IP2.IP3.IP4:61260] simplesamlphp ERR [5eb6b8621d] SimpleSAML\Error\Exception: Error 2 - Illegal offset type at /var/simplesamlphp/modules/privacyidea/lib/Auth/Process/privacyidea.php:156, referer: https://IPP1.IPP2.IPP3.IPP4/simplesaml/module.php/privacyidea/otpform.php?StateId=_c27ae31dbb180e5b37b64a0fba71d645dc92397f80%3Ahttps%3A%2F%2FIPP1.IPP2.IPP3.IPP4%2Fsimplesaml%2Fsaml2%2Fidp%2FSSOService.php%3Fspentityid%3DFichadasDes%26cookieTime%3D1605613340
[Tue Nov 17 12:42:30.532019 2020] [php7:notice] [pid 6417] [client IP1.IP2.IP3.IP4:61260] simplesamlphp ERR [5eb6b8621d] Backtrace:, referer: https://IPP1.IPP2.IPP3.IPP4/simplesaml/module.php/privacyidea/otpform.php?StateId=_c27ae31dbb180e5b37b64a0fba71d645dc92397f80%3Ahttps%3A%2F%2FIPP1.IPP2.IPP3.IPP4%2Fsimplesaml%2Fsaml2%2Fidp%2FSSOService.php%3Fspentityid%3DFichadasDes%26cookieTime%3D1605613340
[Tue Nov 17 12:42:30.532028 2020] [php7:notice] [pid 6417] [client IP1.IP2.IP3.IP4:61260] simplesamlphp ERR [5eb6b8621d] 4 /var/simplesamlphp/www/_include.php:48 (SimpleSAML_error_handler), referer: https://IPP1.IPP2.IPP3.IPP4/simplesaml/module.php/privacyidea/otpform.php?StateId=_c27ae31dbb180e5b37b64a0fba71d645dc92397f80%3Ahttps%3A%2F%2FIPP1.IPP2.IPP3.IPP4%2Fsimplesaml%2Fsaml2%2Fidp%2FSSOService.php%3Fspentityid%3DFichadasDes%26cookieTime%3D1605613340
[Tue Nov 17 12:42:30.532037 2020] [php7:notice] [pid 6417] [client IP1.IP2.IP3.IP4:61260] simplesamlphp ERR [5eb6b8621d] 3 /var/simplesamlphp/modules/privacyidea/lib/Auth/Process/privacyidea.php:156 (sspmod_privacyidea_Auth_Process_privacyidea::authenticate), referer: https://IPP1.IPP2.IPP3.IPP4/simplesaml/module.php/privacyidea/otpform.php?StateId=_c27ae31dbb180e5b37b64a0fba71d645dc92397f80%3Ahttps%3A%2F%2FIPP1.IPP2.IPP3.IPP4%2Fsimplesaml%2Fsaml2%2Fidp%2FSSOService.php%3Fspentityid%3DFichadasDes%26cookieTime%3D1605613340
[Tue Nov 17 12:42:30.532046 2020] [php7:notice] [pid 6417] [client IP1.IP2.IP3.IP4:61260] simplesamlphp ERR [5eb6b8621d] 2 /var/simplesamlphp/modules/privacyidea/www/otpform.php:53 (require), referer: https://IPP1.IPP2.IPP3.IPP4/simplesaml/module.php/privacyidea/otpform.php?StateId=_c27ae31dbb180e5b37b64a0fba71d645dc92397f80%3Ahttps%3A%2F%2FIPP1.IPP2.IPP3.IPP4%2Fsimplesaml%2Fsaml2%2Fidp%2FSSOService.php%3Fspentityid%3DFichadasDes%26cookieTime%3D1605613340
[Tue Nov 17 12:42:30.532054 2020] [php7:notice] [pid 6417] [client IP1.IP2.IP3.IP4:61260] simplesamlphp ERR [5eb6b8621d] 1 /var/simplesamlphp/lib/SimpleSAML/Module.php:260 (SimpleSAML\Module::process), referer: https://IPP1.IPP2.IPP3.IPP4/simplesaml/module.php/privacyidea/otpform.php?StateId=_c27ae31dbb180e5b37b64a0fba71d645dc92397f80%3Ahttps%3A%2F%2FIPP1.IPP2.IPP3.IPP4%2Fsimplesaml%2Fsaml2%2Fidp%2FSSOService.php%3Fspentityid%3DFichadasDes%26cookieTime%3D1605613340
[Tue Nov 17 12:42:30.532063 2020] [php7:notice] [pid 6417] [client IP1.IP2.IP3.IP4:61260] simplesamlphp ERR [5eb6b8621d] 0 /var/simplesamlphp/www/module.php:10 (N/A), referer: https://IPP1.IPP2.IPP3.IPP4/simplesaml/module.php/privacyidea/otpform.php?StateId=_c27ae31dbb180e5b37b64a0fba71d645dc92397f80%3Ahttps%3A%2F%2F10.104.1.108%2Fsimplesaml%2Fsaml2%2Fidp%2FSSOService.php%3Fspentityid%3DFichadasDes%26cookieTime%3D1605613340
[Tue Nov 17 12:42:30.532070 2020] [php7:warn] [pid 6417] [client IP1.IP2.IP3.IP4:61260] PHP Warning: Illegal offset type in /var/simplesamlphp/modules/privacyidea/lib/Auth/Process/privacyidea.php on line 156, referer: https://IPP1.IPP2.IPP3.IPP4/simplesaml/module.php/privacyidea/otpform.php?StateId=_c27ae31dbb180e5b37b64a0fba71d645dc92397f80%3Ahttps%3A%2F%2FIPP1.IPP2.IPP3.IPP4%2Fsimplesaml%2Fsaml2%2Fidp%2FSSOService.php%3Fspentityid%3DFichadasDes%26cookieTime%3D1605613340
The illegal offset type... it's so strange... any idea??
Thanks
After a lot of changes, I finally got it working!!
You need to set:
    'uidKey' => 'sAMAccountName',
in the authproc; it resolves the illegal offset from the previous message. The problem is that simplesaml is sending the user under that attribute name... and privacyIDEA doesn't know that unless you say so explicitly.
Now, enroll a new HOTP or TOTP token for the user, try to authenticate... and it works.
Now I am working on auto-enrollment and on the other enrollment types.
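To make the two failure modes seen in this thread concrete (the PHP "Illegal offset type" that came from a list-valued uidKey, and the "Valid JSON response, but some internal error" reply the module raises when privacyIDEA answers with result.status false, for instance for a login that exists in no resolver), here is an added example. It is not code from the thread, from simplesamlphp or from the privacyIDEA module. It models the IdP side in Python against a constructed stand-in for the privacyIDEA /validate/check endpoint; the user "jdoe", the OTP values, the attribute sets and the stand-in's error wording are all made up for the example, and lint_serverconfig is an added check over the posted filter settings, not a module feature.

```python
import json
from typing import Callable, Dict, List, Mapping, Sequence, Tuple

# simplesamlphp hands every attribute to an authproc filter as a list of values.
Attributes = Mapping[str, Sequence[str]]
# (path, form fields) -> raw JSON body, so a fake server can stand in for HTTP.
Transport = Callable[[str, Dict[str, str]], str]


def resolve_uid(attributes: Attributes, uid_key) -> str:
    """Pick the username to send to privacyIDEA from the SAML attribute set.

    Only a single attribute name is accepted.  In the thread, a list such as
    array('uid', 'userName', 'uName') ended up being used as an array key in
    PHP, which is the 'Illegal offset type' warning; the fix was a plain
    string, 'uidKey' => 'sAMAccountName'.
    """
    if not isinstance(uid_key, str):
        raise TypeError("uidKey must be a single attribute name, got %s" % type(uid_key).__name__)
    values = attributes.get(uid_key)
    if not values:
        raise LookupError("attribute %r is not present in the SAML attributes" % uid_key)
    return values[0]


def check_otp(transport: Transport, user: str, realm: str, otp: str) -> str:
    """POST to /validate/check and classify the reply as 'ok', 'rejected' or 'server_error'.

    privacyIDEA answers with result.status (was the request processed?) and
    result.value (was the OTP accepted?).  status == false is the case the
    module reports as 'Valid JSON response, but some internal error occured
    in PI server'; it is not a wrong OTP, so it must not be retried as one.
    """
    body = transport("/validate/check", {"user": user, "realm": realm, "pass": otp})
    try:
        result = json.loads(body)["result"]
        status, value = result.get("status"), result.get("value")
    except (ValueError, KeyError, TypeError, AttributeError):
        return "server_error"          # not a privacyIDEA-shaped response at all
    if status is not True:
        return "server_error"          # e.g. user not found in any resolver of the realm
    return "ok" if value is True else "rejected"


def authenticate(attributes: Attributes, uid_key: str, realm: str, otp: str,
                 transport: Transport) -> str:
    """The second-factor step of the authproc: resolve the user, then verify the OTP."""
    return check_otp(transport, resolve_uid(attributes, uid_key), realm, otp)


def make_fake_privacyidea(users: Mapping[Tuple[str, str], str]) -> Transport:
    """Constructed stand-in for a privacyIDEA server (not the real product).

    users maps (realm, login) -> the one OTP that currently validates.  Replies
    copy the real JSON shape: result.status / result.value / result.error.
    """
    def transport(path: str, fields: Dict[str, str]) -> str:
        if path != "/validate/check":
            return json.dumps({"result": {"status": False,
                                          "error": {"code": 404, "message": "unknown endpoint"}}})
        key = (fields["realm"], fields["user"])
        if key not in users:
            # Mirrors the thread's situation: login/realm exists in no resolver (wording made up).
            return json.dumps({"result": {"status": False,
                                          "error": {"message": "user not found in any resolver"}}})
        return json.dumps({"result": {"status": True, "value": fields["pass"] == users[key]}})
    return transport


def lint_serverconfig(cfg: Mapping[str, object]) -> List[str]:
    """Added sanity check over a privacyidea:serverconfig filter; not a module feature."""
    findings = []
    if not cfg.get("sslverifypeer", True) or not cfg.get("sslverifyhost", True):
        findings.append("TLS verification disabled: the OTP check can be intercepted "
                        "or answered by an impostor on the way to privacyIDEA")
    if not isinstance(cfg.get("uidKey"), str):
        findings.append("uidKey must be one attribute name, not a list")
    if cfg.get("serviceAccount") and cfg.get("serviceAccount") == cfg.get("servicePass"):
        findings.append("servicePass equals serviceAccount")
    if not str(cfg.get("privacyideaserver", "")).startswith("https://"):
        findings.append("privacyideaserver is not an https:// URL")
    return findings


# Constructed inputs: an LDAP-backed user 'jdoe' in realm 'prueba' whose current OTP is 123456.
FAKE_PI = make_fake_privacyidea({("prueba", "jdoe"): "123456"})
SAML_ATTRIBUTES = {"sAMAccountName": ["jdoe"], "uid": ["jdoe"], "mail": ["jdoe@example.org"]}
POSTED_SERVERCONFIG = {  # the filter values as posted at the top of the thread
    "privacyideaserver": "https://IP.IS.HERE", "realm": "prueba",
    "uidKey": ["uid", "userName", "uName"],
    "sslverifyhost": False, "sslverifypeer": False,
    "serviceAccount": "root", "servicePass": "root",
}

if __name__ == "__main__":
    print(authenticate(SAML_ATTRIBUTES, "sAMAccountName", "prueba", "123456", FAKE_PI))
    for finding in lint_serverconfig(POSTED_SERVERCONFIG):
        print("config:", finding)
```

Running the script with the posted filter values reports three findings: TLS verification off, a list-valued uidKey, and a service password equal to the account name. The first one matters beyond the lab: with sslverifypeer and sslverifyhost false, anyone on the path between the IdP and the privacyIDEA host can answer the OTP check themselves, so re-enable both and pin the server's CA before the setup leaves the VM.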
Which user is used in serviceAccount??
root from the local machine?
A user from the resolvers??
I have an LDAP server with all the users, and a local machine with its local users.
I have a user in LDAP for queries; is that one meant for this purpose?
The user User(login='root', realm='prueba', resolver='') exists in NO resolver.
It seems that you need to use the LDAP user that queries the LDAP server:
[2020-11-18 14:03:22,138][16533][140128627881728][INFO][privacyidea.lib.user:233] user 'queryldap' found in resolver 'ldapServer'
[2020-11-18 14:03:22,142][16533][140128627881728][INFO][privacyidea.lib.user:234] userid resolved to 'UID'
I'm not sure about tokenEnrollment, which you can enable in authproc.
Is the token created at that moment? Must the token be created beforehand but without association? Any policy to set??
My procedure is:
No token created; in authproc I set tokenEnrollment enabled with hotp.
When I try the 2FA, I get a new token created for the LDAP query user... but none for the user that I'm trying to authenticate.
Any idea?
When do I set the pin for a token?
Thanks in advance.