Exclude Local Users from 2FA and Enforce 2FA Only for UPN Domain Users

Hi

I am using PrivacyIDEA and would like to configure it so that local users (those who are not part of the Active Directory domain) are excluded from 2FA, and 2FA is enforced only for domain users (users in the Active Directory domain, using UPN format, e.g., username@domain.com).

Here’s what I want to achieve:

Exclude local users from 2FA: Users who log in with the format .\username should be able to authenticate without requiring 2FA.

Enforce 2FA only for domain users: Users who log in with the UPN format (username@domain.com) or domain\username should be required to use 2FA.

Could anyone guide me on how to achieve this setup? Is there a specific configuration I need to apply to exclude local users from 2FA while enforcing it for domain users only?

Thank you

You are talking of “local users”, so my assumption is that your scenario is “logging in to a Windows desktop using the privacyIDEA Credential Provider”.
It would help if you actually gave such context!

If so, then note:

  1. All users will go through the privacyIDEA Credential Provider.
  2. The privacyIDEA Credential Provider has no logic for different users, but all auth requests are sent to privacyIDEA.
  3. Thus you need to distinguish the authentication within the privacyIDEA server.

You can achieve this, with the following ingredients:

  1. Use the two_step_hide_otp setting in the privacyIDEA Credential Provider.
  2. You will probably want to use two_step_send_password or two_step_send_empty_password. Read Configuration — privacyIDEA Credential Provider 2.2 documentation
  3. Thus, authentication requests for local users will also arrive at the privacyIDEA server.
  4. You now have to ensure that the first authentication request for local users will be handled by privacyIDEA and return a successful authentication without the need for a 2nd factor. Take a look at 7.3. Authentication policies — privacyIDEA 3.10dev1 documentation or at 7.3. Authentication policies — privacyIDEA 3.10dev1 documentation.
  5. AD users will have to do a challenge request: the first factor will be the AD password, and the 2nd factor will be requested in a 2nd step by the Credential Provider.

Note: This is not meant as a step-by-step guide but as some hints for you to understand the concept.
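One concrete way to wire the hints above together, as an added example that is not part of the post and not code from the privacyIDEA project. It assumes a privacyIDEA server at pi.example.com, an admin account, a privacyIDEA realm named "corp" that holds the AD users, the Credential Provider registry path HKLM:\SOFTWARE\Netknights GmbH\PrivacyIDEA-CP with the value names hostname, path and default_realm, and the policy name local-users-no-2fa; all of these are placeholders or assumptions. The policy action used for step 4 is passOnNoUser from the authentication scope: a user name that does not exist in any resolver of the realm (which is what a .\username local account looks like to the server) passes the first step without a token, while Windows itself still verifies the local password. Domain users exist in the realm and must answer the challenge with their token.

```powershell
# Added example, not from the original post or the privacyIDEA project.
# Assumptions (placeholders): server pi.example.com, realm "corp" for AD users,
# CP registry path below, policy name local-users-no-2fa.

# --- Client side: privacyIDEA Credential Provider settings (run elevated on the Windows host) ---
$cp = 'HKLM:\SOFTWARE\Netknights GmbH\PrivacyIDEA-CP'   # assumed CP registry path
if (-not (Test-Path $cp)) { New-Item -Path $cp -Force | Out-Null }
Set-ItemProperty -Path $cp -Name 'hostname'               -Value 'pi.example.com'
Set-ItemProperty -Path $cp -Name 'path'                   -Value '/'
Set-ItemProperty -Path $cp -Name 'default_realm'          -Value 'corp'   # realm the CP sends when no mapping applies
Set-ItemProperty -Path $cp -Name 'two_step_hide_otp'      -Value '1'      # step 1 asks only for user + password
Set-ItemProperty -Path $cp -Name 'two_step_send_password' -Value '1'      # step 1 sends the Windows password to privacyIDEA

# --- Server side: create the authentication policy over the privacyIDEA REST API ---
$pi   = 'https://pi.example.com'
$cred = Get-Credential -Message 'privacyIDEA admin account'

# POST /auth returns an admin token in result.value.token
$auth = Invoke-RestMethod -Method Post -Uri "$pi/auth" -Body @{
    username = $cred.UserName
    password = $cred.GetNetworkCredential().Password
}
$headers = @{ Authorization = $auth.result.value.token }

# POST /policy/<name> creates (or updates) a policy.
# passOnNoUser: a user that does not exist in the realm passes without a token.
# Local Windows accounts are not in AD, so their step-1 request succeeds and
# the CP logs them in after Windows checks the local password itself.
$policy = Invoke-RestMethod -Method Post -Uri "$pi/policy/local-users-no-2fa" -Headers $headers -Body @{
    scope  = 'authentication'
    action = 'passOnNoUser'
    realm  = 'corp'
    active = 'true'
}
$policy.result.status   # $true when the policy was stored
```

Two caveats worth checking before relying on this. First, the local/domain distinction rests on the user name not existing in the realm, so a local account whose name collides with an AD account is treated as that AD user and will be challenged for a token. Second, an AD user who exists in the realm but has no token enrolled is rejected (passOnNoUser does not cover that case); that is the safe default, and you would need a separate, deliberately scoped passOnNoToken policy if you wanted to relax it during rollout.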