Slowly moving forward… Still planning to use the SimpleSAMLphp + PrivacyIDEA setup for a POC, introducing YubiKeys and Google Authenticator. Things work as they are, YubiKey in U2F mode and Google Authenticator (or any authenticator, really) in TOTP mode.
What confuses me at this point is the policy management. The setup is straightforward, I believe: all users are in an LDAP user source connected to pi as an LDAP resolver. Now I want 2 or 3 of these users to be “local admins”, i.e. be the only ones who can enroll and distribute tokens. But that is the only thing they should be able to do, and only TOTP and U2F tokens. So I create a second LDAP resolver connected to the same user source, but now filtering out only the very few persons who will act as local admins. Next I create a realm Local_admins and connect that to the new resolver.
Now my plan was to create a policy from the helpdesk template, which seems to have suitable powers (and remove the token types that should not be used). However, when I try this I get a message “Admin actions are defined, but the action policywrite is not allowed!” and I can’t save the policy. I somehow managed once or twice, but then it didn’t do anything. A couple of times the “big admin” account lost its powers altogether when I experimented (snapshots are a good thing!). Obviously I’m missing something here. I know there is paid help to get, but this must be more of a misunderstanding from my side, only I don’t see what it is. A slight indication of what I’m missing out on would be very helpful!
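The lockout described in the post is easiest to see with a small model of how privacyIDEA evaluates policies in the admin scope. The rule, as documented by the project, is that as soon as at least one active policy with scope=admin exists, every administrator is limited to the actions that some matching admin policy grants; the "big admin" therefore needs its own admin policy (including policywrite) before a restrictive helpdesk policy is saved. The following is a constructed illustration written for this page, not privacyIDEA's own code: action names (enrollTOTP, enrollU2F, policywrite, ...) follow privacyIDEA's admin scope, the administrator name "admin" and the user "alice" are assumed, and the matching attributes realm, resolver, user, client, time and priority that real policies also carry are left out.

```python
# Constructed model of privacyIDEA's admin-scope policy decision (not the
# project's own code). It mirrors one documented rule only: once any active
# scope=admin policy exists, administrators may perform just the admin actions
# that a policy matching them grants. Names "admin", "alice" and the realm
# "Local_admins" are assumed for the example.
from dataclasses import dataclass


@dataclass
class AdminPolicy:
    name: str
    actions: frozenset            # admin actions this policy grants
    adminrealm: str = ""          # "" matches administrators from any realm
    adminuser: str = ""           # "" matches any administrator username
    active: bool = True


def policy_matches(policy: AdminPolicy, admin_user: str, admin_realm: str) -> bool:
    """True if the policy applies to the given administrator."""
    if not policy.active:
        return False
    if policy.adminrealm and policy.adminrealm != admin_realm:
        return False
    if policy.adminuser and policy.adminuser != admin_user:
        return False
    return True


def is_allowed(policies, admin_user: str, admin_realm: str, action: str) -> bool:
    """Decide whether an administrator may perform an admin action."""
    active = [p for p in policies if p.active]
    if not active:
        # No admin policy defined at all: every administrator may do anything.
        return True
    # With admin policies in place, only explicitly granted actions remain.
    return any(action in p.actions
               for p in active if policy_matches(p, admin_user, admin_realm))


# Helpdesk-style policy for the Local_admins realm, trimmed to TOTP and U2F.
HELPDESK = AdminPolicy(
    name="local_helpdesk",
    adminrealm="Local_admins",
    actions=frozenset({"enrollTOTP", "enrollU2F", "assign", "unassign",
                       "userlist", "tokenlist"}),
)

# Policy that keeps the main administrator fully privileged, including the
# right to edit policies. "admin" is the assumed name of the account created
# with pi-manage; such local accounts are matched here by adminuser, not realm.
SUPERUSER = AdminPolicy(
    name="superuser",
    adminuser="admin",
    actions=frozenset({"enrollTOTP", "enrollHOTP", "enrollU2F", "assign",
                       "unassign", "delete", "userlist", "tokenlist",
                       "policyread", "policywrite", "policydelete"}),
)


def lockout_scenario() -> bool:
    """Only the helpdesk policy exists: may the main admin still write policies?"""
    return is_allowed([HELPDESK], "admin", "", "policywrite")


def fixed_scenario() -> dict:
    """Superuser policy present alongside the helpdesk policy."""
    policies = [SUPERUSER, HELPDESK]
    return {
        "admin_policywrite": is_allowed(policies, "admin", "", "policywrite"),
        "helpdesk_enrollTOTP": is_allowed(policies, "alice", "Local_admins", "enrollTOTP"),
        "helpdesk_enrollHOTP": is_allowed(policies, "alice", "Local_admins", "enrollHOTP"),
        "helpdesk_policywrite": is_allowed(policies, "alice", "Local_admins", "policywrite"),
    }


if __name__ == "__main__":
    print("main admin may write policies with only the helpdesk policy:",
          lockout_scenario())
    for check, result in fixed_scenario().items():
        print(f"{check}: {result}")
```

Run as written, the first line prints False, which is the situation behind the "action policywrite is not allowed" message: the helpdesk policy is the only admin policy, it does not match the main administrator, and so nothing grants that account policywrite any more. With the superuser policy in place the main admin keeps policywrite while a Local_admins member can enroll TOTP and U2F but neither HOTP nor policies. In practice that means creating the superuser policy first and the helpdesk policy second, and, if the local admins are meant to log in through the Local_admins realm, checking that this realm is listed in SUPERUSER_REALM in pi.cfg.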