Error in enrolling token using api

Hello,

Can anyone give me a pointer on how to fix this problem?
After I upgraded to 3.8.x from 3.7.4, my simplesamlphp suddenly cannot do enrollToken anymore via the API.

OTP verification from simplesamlphp still works normally if I enroll the token manually from privacyidea, but now I'm missing the ability to have users self-enroll the token automatically on first-time login.

Here is the simplesaml debug log:

Feb 21 17:16:03 simplesamlphp DEBUG [3d12782bdf] privacyIDEA-PHP-Client: Sending username=sso.service.account, password=fakepassword, realm=DOMAIN.TLD to /auth
Feb 21 17:16:04 simplesamlphp DEBUG [3d12782bdf] privacyIDEA-PHP-Client: Sending user=USER.NAME%40DOMAIN.TLD to /token/
Feb 21 17:16:05 simplesamlphp DEBUG [3d12782bdf] privacyIDEA-PHP-Client: /token/ returned {
    "id": 1,
    "jsonrpc": "2.0",
    "result": {
        "status": true,
        "value": {
            "count": 0,
            "current": 1,
            "next": null,
            "prev": null,
            "tokens": []
        }
    },
    "time": 1676974565.146246,
    "version": "privacyIDEA 3.8.1",
    "versionnumber": "3.8.1",
    "signature": "rsa_sha256_pss: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"
}

Feb 21 17:16:05 simplesamlphp DEBUG [3d12782bdf] privacyIDEA-PHP-Client: Sending user=USER.NAME%40DOMAIN.TLD, genkey=1, type=totp, description=Enrolled+with+simpleSAMLphp to /token/init
Feb 21 17:16:05 simplesamlphp DEBUG [3d12782bdf] privacyIDEA-PHP-Client: /token/init returned {
    "detail": null,
    "id": 1,
    "jsonrpc": "2.0",
    "result": {
        "error": {
            "code": 905,
            "message": "ERR905: Cannot pass user_object (<USER.NAME.zimbraLDAP@DOMAIN.TLD>) as well as user (USER.NAME@DOMAIN.TLD), resolver (zimbraLDAP), realm (None)in policy (None, 'admin', 'enrollTOTP')"
        },
        "status": false
    },
    "time": 1676974565.4908726,
    "version": "privacyIDEA 3.8.1",
    "signature": "rsa_sha256_pss: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"
}

And the privacyidea.log:

[2023-02-21 17:16:03,798][1123487][140550873708416][INFO][privacyidea.lib.resolvers.LDAPIdResolver:333] Setting system wide POOLING_LOOP_TIMEOUT to 10.
[2023-02-21 17:16:04,627][1123487][140550873708416][INFO][privacyidea.api.auth:291] Local admin 'sso.service.account' successfully logged in.
[2023-02-21 17:16:04,880][1123488][140550873708416][WARNING][privacyidea.lib.resolvers.LDAPIdResolver:98] Could not import gssapi package. Kerberos authentication not available
[2023-02-21 17:16:04,881][1123488][140550873708416][INFO][privacyidea.lib.resolvers.LDAPIdResolver:333] Setting system wide POOLING_LOOP_TIMEOUT to 10.
[2023-02-21 17:16:05,081][1123488][140550873708416][INFO][privacyidea.lib.user:262] user 'USER.NAME' found in resolver 'zimbraLDAP'
[2023-02-21 17:16:05,081][1123488][140550873708416][INFO][privacyidea.lib.user:264] userid resolved to 'b2cc287a-dbed-1037-8657-8f3dd5354bb1'
[2023-02-21 17:16:05,248][1123489][140550873708416][INFO][privacyidea.lib.resolvers.LDAPIdResolver:333] Setting system wide POOLING_LOOP_TIMEOUT to 10.
[2023-02-21 17:16:05,437][1123489][140550873708416][INFO][privacyidea.lib.user:262] user 'USER.NAME' found in resolver 'zimbraLDAP'
[2023-02-21 17:16:05,437][1123489][140550873708416][INFO][privacyidea.lib.user:264] userid resolved to 'b2cc287a-dbed-1037-8657-8f3dd5354bb1'
[2023-02-21 17:16:05,486][1123489][140550873708416][INFO][privacyidea.lib.user:262] user 'USER.NAME' found in resolver 'zimbraLDAP'
[2023-02-21 17:16:05,486][1123489][140550873708416][INFO][privacyidea.lib.user:264] userid resolved to 'b2cc287a-dbed-1037-8657-8f3dd5354bb1'
[2023-02-21 17:16:05,487][1123489][140550873708416][INFO][privacyidea.lib.user:262] user 'USER.NAME' found in resolver 'zimbraLDAP'
[2023-02-21 17:16:05,487][1123489][140550873708416][INFO][privacyidea.lib.user:264] userid resolved to 'b2cc287a-dbed-1037-8657-8f3dd5354bb1'
[2023-02-21 17:16:05,488][1123489][140550873708416][WARNING][privacyidea.lib.policy:746] Cannot pass user_object as well as user, resolver, realm in policy (None, 'admin', 'enrollTOTP'). <USER.NAME.zimbraLDAP@DOMAIN.TLD> - USER.NAME@DOMAIN.TLD@None in resolver zimbraLDAP
[2023-02-21 17:16:05,488][1123489][140550873708416][WARNING][privacyidea.lib.policy:750] Possible programming error:   File "/opt/privacyidea/lib/python3.8/site-packages/flask/app.py", line 2464, in __call__
    return self.wsgi_app(environ, start_response)
  File "/opt/privacyidea/lib/python3.8/site-packages/flask/app.py", line 2447, in wsgi_app
    response = self.full_dispatch_request()
  File "/opt/privacyidea/lib/python3.8/site-packages/flask/app.py", line 1950, in full_dispatch_request
    rv = self.dispatch_request()
  File "/opt/privacyidea/lib/python3.8/site-packages/flask/app.py", line 1936, in dispatch_request
    return self.view_functions[rule.endpoint](**req.view_args)
  File "/opt/privacyidea/lib/python3.8/site-packages/privacyidea/api/lib/prepolicy.py", line 158, in policy_wrapper
    return wrapped_function(*args, **kwds)
  File "/opt/privacyidea/lib/python3.8/site-packages/privacyidea/api/lib/prepolicy.py", line 158, in policy_wrapper
    return wrapped_function(*args, **kwds)
  File "/opt/privacyidea/lib/python3.8/site-packages/privacyidea/api/lib/prepolicy.py", line 156, in policy_wrapper
    self.function(request=self.request,
  File "/opt/privacyidea/lib/python3.8/site-packages/privacyidea/api/lib/prepolicy.py", line 1303, in check_token_init
    init_allowed = Match.generic(g, action=action,
  File "/opt/privacyidea/lib/python3.8/site-packages/privacyidea/lib/policy.py", line 2771, in allowed
    policies_defined = self.any(write_to_audit_log=write_to_audit_log)
  File "/opt/privacyidea/lib/python3.8/site-packages/privacyidea/lib/policy.py", line 2724, in any
    return bool(self.policies(write_to_audit_log=write_to_audit_log))
  File "/opt/privacyidea/lib/python3.8/site-packages/privacyidea/lib/policy.py", line 2713, in policies
    return self._g.policy_object.match_policies(audit_data=audit_data, request_headers=request_headers,
  File "/opt/privacyidea/lib/python3.8/site-packages/privacyidea/lib/log.py", line 151, in log_wrapper
    return func(*args, **kwds)
  File "/opt/privacyidea/lib/python3.8/site-packages/privacyidea/lib/policy.py", line 745, in match_policies
    tb_str = ''.join(traceback.format_stack())

Thanks

The policy matching has a stricter logic now. It found differences in your passed parameters.

The passed realm does not fit the user object.

So the questions are:

Question A

What does your policy look like? This seems to be an administrative enrollment for TOTP tokens.
Do you have any special conditions there?

Question B

How does the simpleSAMLphp plugin perform this evil enrollment, and how have you configured it?

Are you using the latest version of the simplesamlphp plugin?

I've figured out what happened with my SimpleSAML setup.

I was using privacyidea as an authproc in simplesaml and was tweaking the module order to add features to stop the privacyidea module from running all the time when switching to a different SP, to prevent it asking for an OTP every time.

I moved the privacyidea module below another proc module which modified the uid attribute into user@domain.tld, which is the culprit.
It seems the API call for token/init doesn't like this format as the username.

Once I tweaked it a bit more to make the module pass the correct attribute (user without domain), the pi simplesaml enrollToken works normally again.
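As an added example (not code from this thread, nor from the privacyIDEA or simpleSAMLphp projects), this Python helper shows the fix described above: strip the `@domain` suffix that the attribute filter added before sending `user` to `/token/init`, and only send a `realm` when the deployment explicitly knows one. The `domain_to_realm` mapping and the use of the `/auth` token in the `Authorization` header are assumptions about the deployment.

```python
# Added example: normalise a login of the form user@domain before calling
# privacyIDEA's /token/init (not code from the post or from privacyIDEA).
import json
import urllib.request
from urllib.parse import urlencode


def split_login(login):
    """Return (user, domain_or_None). Reject anything with more than one '@'
    so an odd attribute value is never silently truncated."""
    if "@" not in login:
        return login, None
    if login.count("@") > 1 or login.startswith("@") or login.endswith("@"):
        raise ValueError(f"malformed login: {login!r}")
    user, domain = login.split("@", 1)
    return user, domain


def token_init_params(login, domain_to_realm=None, token_type="totp",
                      description="Enrolled with simpleSAMLphp"):
    """Build the /token/init form parameters. The user is sent without its
    domain; a realm is only added when domain_to_realm (assumed, supplied by
    the admin) maps the domain to a privacyIDEA realm name. Otherwise the
    privacyIDEA default realm applies, as in the working setup from the post."""
    user, domain = split_login(login)
    params = {"user": user, "genkey": 1, "type": token_type,
              "description": description}
    if domain and domain_to_realm and domain in domain_to_realm:
        params["realm"] = domain_to_realm[domain]
    return params


def send_token_init(base_url, auth_token, login, **kw):
    """POST to /token/init with the admin token obtained from /auth in the
    Authorization header (assumption about the deployment). Raises on a
    result.status == false reply such as the ERR905 seen in the thread."""
    body = urlencode(token_init_params(login, **kw)).encode()
    req = urllib.request.Request(base_url.rstrip("/") + "/token/init",
                                 data=body,
                                 headers={"Authorization": auth_token})
    with urllib.request.urlopen(req) as resp:
        reply = json.load(resp)
    result = reply.get("result", {})
    if not result.get("status"):
        err = result.get("error", {})
        raise RuntimeError(f"ERR{err.get('code')}: {err.get('message')}")
    return reply
```

Only the parameter-building functions run offline; `send_token_init` needs a reachable privacyIDEA instance.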