Login flow privacyIDEA + SimpleSAMLphp push token

Hi! New here, excuse me if my question only depends on my not reading the docs thoroughly. Anyway, I’m looking at setting up privacyIDEA as our second factor managing system and to work in conjunction with our existing SimpleSAMLphp IdP. At this moment I am investigating push tokens to the privacyIDEA app (Android so far). The privacyIDEA module is installed in the IdP. Everything works just fine, but…
Only certain services will use 2FA at the moment, so the pi module is configured as an authproc filter included in the metadata for the services. Works fine! So, when accessing a 2FA protected service SSP displays an authentication request to the user with a field labelled “Please confirm with one of these tokens:” and in the adjacent input box the text “Password + OTP” is shown. This is a bit confusing as the user set a “PIN” when enrolling the push token (in the input box it says “Enter password”, though). There is no OTP to enter, just the password (pin). Then, when entering the correct password/pin nothing happens, unless the privacyIDEA app was used very recently. If it was closed it seems it doesn’t listen to push notifications. Starting the app, clicking the link to the protected service and entering the password makes the app say “ding” alright and show the Allow/Dismiss buttons. Pushing “Allow” here makes the app go back to rest but nothing happens in the authentication request window from SimpleSAML. Clicking the “Login” button again takes the user to the protected service.

So, the setup works and protects the selected services, but the user experience of the login process could be improved. Are there tunings and adjustments in SimpleSAML that could smoothen the process? Can the app be set to always listen to push notifications? And, this I could lookup myself but I ask anyway: Can the “Login” button be set in focus so that pushing enter after entering the password would do the same as clicking “Login”? If the second click is necessary this would make it a lot smoother.
The whole privacyIDEA seems really great and plans are to take it into limited production soon.

Kind regards
Bengt Wällstedt
Ängelholm
Sweden

Hello @benwal,
welcome to privacyIDEA. The push token is somehow still a work in progress, and it has been only implemented in some components lately.
You provide a lot of information about what you are doing, but none about your installation and setup.

  • From where/which version of the privacyIDEA simpleSAMLphp plugin have you installed?
  • Which version of privacyIDEA are you using?
  • The functionality depends on your setup - so you need to clarify if you have configured authsource or authprocfilter. Your comment about “Password + OTP” sounds like authsource. But guessing is never a good idea. By the way, this text can not be configured, so you need to adapt it in the template.

On Android you do not have to have the app in the foreground. I think it has to be started and can run in the background. But every Android behaves a bit differently.

Thanks a lot for the hint with the “Login”-Button.

Kind regards
Cornelius

Hello! Thanks for your reply! Of course you need to know more about the config we’re using, I just didn’t expect specific help (as you rightly state - if I would like someone to do it for me then I should pay for that!), more like if I had missed something. Anyway, this is what I’m using at the moment:
SimpleSAMLphp 1.18.7 (a test IdP with identical setup as our production IdP except for the PI part) running on Ubuntu server 20.04.1 LTS
PrivacyIDEA 3.3.3 running on Ubuntu server 18.04.4 LTS
PrivacyIDEA simpleSAML module 1.8 installed from Packagist
PrivacyIDEA is called from an authproc filter added to the metadata of a specific service. This is how:

    'authproc' => [
        05 => array(
            'class'                  => 'privacyidea:serverconfig',
            'privacyideaserver'      => 'https://2f.skola.engelholm.se',
            'realm'                  => 'angport',
            'uidKey'                 => 'cn',
            'sslverifyhost'          => false,
            'sslverifypeer'          => false,
            'doTriggerChallenge'     => true,
            'enabledPath'            => '',
            'enabledKey'             => '',
            'tryFirstAuthentication' => true,
            'tryFirstAuthPass'       => 'simpleSAMLphp',
        ),
        06 => array(
            'class'                  => 'privacyidea:privacyidea',
        ),
    ]

Next step is to try it out on iOS devices and to make Yubikeys work. I am strongly considering WebAuthn for that, everybody says it’s the future and very good, but it seems there is a lot of reading and understanding to do to set it up.
Kind regards
Bengt
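As an added illustration (not code from the original posts, and not taken from the privacyIDEA module's own documentation), here is the same authproc filter chain as it would sit in a SimpleSAMLphp metadata entry, with the two TLS verification options switched on. The posted configuration disables both `sslverifyhost` and `sslverifypeer`, which means the IdP would accept any certificate from the privacyIDEA server; with them enabled, the IdP only talks to a server whose certificate chains to a trusted CA and matches the hostname. Only option keys that appear in the posted configuration are used; the server URL, realm and entity ID are placeholders, and the filter priorities 5 and 6 are the same two positions the original uses as 05 and 06.

```php
<?php
/*
 * Hypothetical excerpt of metadata/saml20-sp-remote.php on the IdP.
 * Placeholder entity ID and server name; only the two privacyIDEA
 * filters are shown, other metadata keys for the SP are omitted.
 */
$metadata['https://sp.example.org/placeholder'] = [
    'AssertionConsumerService' => 'https://sp.example.org/placeholder/acs',

    'authproc' => [
        // Priority 5: server connection settings for the privacyIDEA filter.
        5 => [
            'class'                  => 'privacyidea:serverconfig',
            'privacyideaserver'      => 'https://pi.example.org',   // placeholder
            'realm'                  => 'example-realm',            // placeholder
            'uidKey'                 => 'cn',                        // attribute used as privacyIDEA username

            // Hardened: verify the server certificate chain and hostname.
            // The posted configuration set both of these to false, which
            // accepts any certificate and allows a man-in-the-middle
            // between the IdP and the privacyIDEA server.
            'sslverifyhost'          => true,
            'sslverifypeer'          => true,

            'doTriggerChallenge'     => true,   // as in the original post
            'enabledPath'            => '',     // as in the original post
            'enabledKey'             => '',     // as in the original post
            'tryFirstAuthentication' => true,   // as in the original post
            'tryFirstAuthPass'       => 'simpleSAMLphp', // as in the original post
        ],

        // Priority 6: the filter that actually performs the second-factor step.
        6 => [
            'class' => 'privacyidea:privacyidea',
        ],
    ],
];
```

Because the filters run in priority order, the `serverconfig` entry must keep a lower number than the `privacyidea` entry, exactly as in the posted configuration. Leaving verification off is understandable on a test IdP with a self-signed certificate, but before the "limited production" mentioned in the thread the privacyIDEA server should carry a certificate the IdP trusts so both options can stay `true`.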