Feature request: PrivacyIDEA as OpenID Connect Identity Provider

Hi Nicke, hi all,

ah, here is your post.

Well, OAuth2 in fact is not a Single Sign-On protocol but rather a rights
delegation protocol.

OpenID is a bit outdated. Unfortunately, no one has used it for many
years - so in my opinion it is dead.

OpenID Connect would be a great way to go (as an authentication extension
to OAuth2).

Last year I decided to concentrate with Univention on the SAML protocol.
In my opinion SAML is more often used in an enterprise environment while
OpenID Connect/OAuth2 is more often used in a provider context that
involves end users.

This is why we went with SAML in the first step.

This is achieved by a plugin for simpleSAMLphp.

This plugin is roughly an absurd 200 lines of code. I guess this is what
you call a low hanging fruit.
IMHO there was never any sense in writing a SAML IdP completely anew.

The same is valid for OpenID Connect.

And this is my current status of thinking:

I am not aware of an OpenID Connect implementation that has the same
ready-to-run server qualities like simpleSAMLphp. If you know any, just
tell me!

There is however the pyoidc implementation by Roland Hedberg. But

  1. in my eyes it is more of a framework than a server compared to
     simpleSAMLphp and
  2. oops, I am wrong. I thought it was huge, but in fact sloccount
     src/oic tells me it is only 12.000 lines of code. (OK, it was pysaml2
     that has 40.000 sloc.)

Honestly - privacyidea has 15.000 lines of code and till now there was
no necessity to provide OIDC. Well, by adding pyoidc you could add
OpenID Connect IdP functionality to privacyIDEA.

Don’t get me wrong! I very much would like this!
When do you start coding? :wink:

This is quite an effort and would require the corresponding project!

I am very curious about your or others' opinions.

Kind regards
Cornelius

On Friday, 12.02.2016, 07:06 -0800, 'Nicke' via privacyidea wrote:

OAuth 2.0, OpenID, OpenID Connect are popular Single Sign On
PrivacyIdea should fit perfectly in this world by becoming an OpenID
Connect Identity Provider that a massive amount of relying parties can
authenticate against.


Cornelius Kölbel
+49 151 2960 1417

NetKnights GmbH
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798

Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel

Hello. Thank you for a great product. It has been three years since my original feature request. I still believe PrivacyIDEA should make it easy for me as a system administrator to integrate into an OAuth2 environment in the same way as SAML.

If more people think this is needed, please reply and explain why you need it.
Have nice day! :slight_smile:

Hi Nicke,

thanks a lot for coming back.
We are now working on a plugin for Keycloak. Keycloak will be able to act as an OAuth2/OpenID Connect IdP and forward the auth requests to privacyIDEA.

Kind regards