Login to Self-Service portal login_mode

tbi · March 4, 2017, 2:40pm

Hi all

I have a question about the privaceIDEA portal login for users (self
service portal).

It is possible to change the login_mode to privacyIDEA which forces the
user to use a Token to login instead of his userstore password.

What I would like to achieve is, that as long as the user has no Token
assigned, he is allowed to login with his userstore password. As soon as he
has a Token he needs the Token to login.

From a security point of view it makes no sense to let him login if he has
a token. Assuming that an attacker gets his credentials, he can just login
to the portal and enroll a token himself.

Any idea if this is possible?

Best regards
tbi

Jochen_Hein · March 4, 2017, 4:11pm

tbi tbalschun@gmail.com writes:

Thanks for the reply. The passthrough option really did the trick. But this
gives me another problem, now all users without a token can login.

What I really want is, that users without a token can only login to the web
ui to enroll a token. But they should not be able to login without a token
via SAML.

There’s also a “webui” policy, which has “login_mode” to handle logins
to the webui.

You could possibly add a special policy for your SAML server with the
"client" option in the policy. Would that work?

Jochen

tbi · March 4, 2017, 3:10pm

Hi Jochen

Thanks for the reply. The passthrough option really did the trick. But this
gives me another problem, now all users without a token can login.

What I really want is, that users without a token can only login to the web
ui to enroll a token. But they should not be able to login without a token
via SAML.

Regards
TobiasOn Saturday, March 4, 2017 at 3:54:40 PM UTC+1, Jochen Hein wrote:

tbi <tbal...@gmail.com <javascript:>> writes:

It is possible to change the login_mode to privacyIDEA which forces the
user to use a Token to login instead of his userstore password.

Let’s see.

What I would like to achieve is, that as long as the user has no Token
assigned, he is allowed to login with his userstore password.

This is possible with an authentication policy, enable
"passthru" and set it to “userstore”. Documencation says:

If set, the user in this realm will be authenticated against the
userstore or against the given RADIUS config, if the user has no tokens
assigned.

As soon as he has a Token he needs the Token to login.

Only the token, or OTPPIN and token, or Userstore-password and token?
Enable “otppin” in the authentication policy and select what you like.

From a security point of view it makes no sense to let him login if he
has
a token. Assuming that an attacker gets his credentials, he can just
login

You could deny token enrollment with a policy.

Hope that helps.

Jochen

Jochen_Hein · March 4, 2017, 2:54pm

tbi tbalschun@gmail.com writes:

It is possible to change the login_mode to privacyIDEA which forces the
user to use a Token to login instead of his userstore password.

Let’s see.

What I would like to achieve is, that as long as the user has no Token
assigned, he is allowed to login with his userstore password.

This is possible with an authentication policy, enable
"passthru" and set it to “userstore”. Documencation says:

If set, the user in this realm will be authenticated against the
userstore or against the given RADIUS config, if the user has no tokens
assigned.

As soon as he has a Token he needs the Token to login.

Only the token, or OTPPIN and token, or Userstore-password and token?
Enable “otppin” in the authentication policy and select what you like.

From a security point of view it makes no sense to let him login if he has
a token. Assuming that an attacker gets his credentials, he can just login

You could deny token enrollment with a policy.

Hope that helps.

Jochen

tbi · March 4, 2017, 4:48pm

Hi Jochen

Yes, I have configured that now. I guess what I would need is a passthrough
policy for the webui scope.

Anyway, thanks for the help.

Best regards
TobiasOn Saturday, March 4, 2017 at 5:11:45 PM UTC+1, Jochen Hein wrote:

tbi <tbal...@gmail.com <javascript:>> writes:

Thanks for the reply. The passthrough option really did the trick. But
this
gives me another problem, now all users without a token can login.

What I really want is, that users without a token can only login to the
web
ui to enroll a token. But they should not be able to login without a
token
via SAML.

There’s also a “webui” policy, which has “login_mode” to handle logins
to the webui.

You could possibly add a special policy for your SAML server with the
"client" option in the policy. Would that work?

Jochen