General understanding of use case

Hi,

I’m new to Privacyidea and wanted to check if my understanding of it is working for my use case.
Basically I have a few web-apps, like Django, PHP, …
All of them have some sort of user management.
So I want to use an SSO for all of them.
As Privacyidea does not provide user-management itself, I have created a separate SQL database just with user details.
And configured that as an SQLresolver.
From what I can see so far Privacyidea is more for 2FA.
But could I just use for a normal username/password auth with this setup?
So far I had not been able to get this up and running, so not sure if this is going to work with my setup.
I used a plugin for Django to test with, which also had an option to create users.
But it never reached the user SQL db.
If this might not be the tool to use, are there any known alternatives?

Many thanks,
Christian

Hi Christian,

you could create an SQL user database and configure a passthru policy to this user store.
No tokens enrolled!
This way all users would authenticate with their passwords.

There are also other possibilities like using the spass token.

You can to a certain extent manage users in an sql database.

Kind regards
Cornelius

Hi Cornelius,

I tried to set up a passthru policy.
But when I login with user/pass I get the following in audit log:

The user has no tokens assigned

Used the following policy settings:

authentication { "passthru": "userstore", "otppin": "userstore" }

When using

authentication { "passthru": "userstore", "otppin": "tokenpin" }

and assigning an spass token to the user, and using that for login, it works.

If I just use the following policy

authentication { "passthru": "userstore" }

I get a

The user has no tokens assigned

passthru should work if the user has no tokens assigned.

The policies

authentication { "passthru": "userstore", "otppin": "userstore" }

and

authentication { "passthru": "userstore" }

would result in the same, if the user has no token assigned.

But I rather think that somehow the password checking went wrong, this is why the passthru-userstore did not work, PI tried to authenticate with a token and thus the error result "The user has no tokens assigned".

I created the user through the WebGUI.
And the MySQL resolver has sha512 selected for hashing.
I’m using simplesamlphp-module-privacyidea for the implementation.
Don’t see a problem here why the password check would be wrong.
Or do I need additional policies?

Hi Christian,

you might have stumbled upon an issue in privacyIDEA 2.22: https://github.com/privacyidea/privacyidea/issues/1114. Unfortunately, password hashes are incorrectly written to the database when users are created in the WebUI and any Password Hash Type is selected in the resolver. The bug is already fixed on the current master, though.

So, could you try re-creating the resolver, leaving the Password Hash Type field blank this time (it defaults to SSHA256 then), and re-create the user?

Best Wishes
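The last reply attributes the failure to password hashes being written wrongly by the WebUI. As an added example (not code from this thread or from privacyIDEA itself), the following Python generates and verifies LDAP-style salted hashes so an admin can check whether a row in the resolver's user table actually verifies against a known test password. It assumes the `{SSHA256}base64(digest || salt)` layout, and generalises to the SSHA and SSHA512 variants; that layout is my assumption, not taken from privacyIDEA's resolver code.

```python
import base64
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

# Assumed on-disk layout: "{SCHEME}" + base64(digest || salt), the LDAP-style salted SHA family.
# This is an assumption about the format; confirm against the resolver you actually use.
_ALGOS = {"SSHA": "sha1", "SSHA256": "sha256", "SSHA512": "sha512"}


def hash_password(password: str, scheme: str = "SSHA256", salt: Optional[bytes] = None) -> str:
    """Return a salted hash such as {SSHA256}base64(sha256(password+salt)+salt)."""
    scheme = scheme.upper()
    algo = _ALGOS[scheme]
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.new(algo, password.encode("utf-8") + salt).digest()
    return "{%s}%s" % (scheme, base64.b64encode(digest + salt).decode("ascii"))


def check_password(password: str, stored: str) -> bool:
    """Verify a password against a stored {SSHAxxx} value; False for unknown or malformed hashes."""
    if not stored.startswith("{") or "}" not in stored:
        return False
    scheme, _, payload = stored[1:].partition("}")
    algo = _ALGOS.get(scheme.upper())
    if algo is None:
        return False
    try:
        raw = base64.b64decode(payload, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    digest_len = hashlib.new(algo).digest_size
    if len(raw) <= digest_len:  # no salt bytes after the digest: malformed
        return False
    digest, salt = raw[:digest_len], raw[digest_len:]
    expected = hashlib.new(algo, password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, expected)  # constant-time comparison


def find_bad_hashes(rows: List[Tuple[str, str]], known_password: str) -> List[str]:
    """Return usernames whose stored hash does not verify against the known test password."""
    return [user for user, stored in rows if not check_password(known_password, stored)]


# Constructed sample rows, as an admin might dump them from the resolver's user table.
SAMPLE_ROWS = [
    ("alice", hash_password("secret", "SSHA256")),   # verifies against "secret"
    ("bob", "{SSHA256}" + base64.b64encode(hashlib.sha256(b"secret").digest()).decode()),  # no salt
]
```

Run `find_bad_hashes(SAMPLE_ROWS, "secret")` against a dump of a freshly created test user to see whether the stored value verifies at all before chasing policy settings.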