I apologize for my ignorance on this, but it appears that an issue I am having with the privacyidea module for simplesamlphp is fixed in the latest commit of the module. It’s related to the password not getting authenticated when using privacyidea for both LDAP authentication and TOTP. Just like in this issue:
opened 10:29AM - 04 Nov 22 UTC
closed 10:12AM - 06 Jan 23 UTC
Type: Bug
Prio: High
When configuring the plugin as `authsource` a couple of things look weird.
"Authsource" in simpleSAMLphp means that this plugin is the only/main source of authentication. Thus all authentication needs to run against privacyIDEA.
### password
The plugin displays a login mask with fields "username" and "password". But this password-field has no effect.
The contents of this password-field (credentials) are supposed to be verified by privacyIDEA. Thus they need to be sent to the privacyIDEA server. Whether it is a pin+otp, a password+otp, only an otp or whatever is determined by the policies in the privacyIDEA server.
### otpExtra
In 2017 the meaning of otpExtra was the following:
Normal behaviour:
The login mask has a username field and a password field. The password-field gets sent to privacyIDEA.
otpExtra activated:
the login mask has a username field, a password field and an OTP field. This has no technical background; it is only a UI look-and-feel for users to get a specific understanding.
The contents from `password-field + otp-field` get sent to privacyIDEA. The same stuff as if the user would enter pin+otp in one field. It is only splitting the one field in two - nothing else. And this makes psychological sense and is important.
# Implementation
## Existing Configuration of authproc filter
* doSendPassword (sends password from first authsource)
* ~~doSemdEmptyPass (not sure)~~
* doTriggerChallenge (sends a trigger challenge before displaying the input field)
## Sensible Config options for authsource
* authSourceMode: "SendPassword", "TriggerChallenge", "OtpExtra" (similar to SendPassword), "DoValidateCheckRequestWithEmptyPassword"
  * SendPassword (Default): UI has username + 1stPassword is sent via /validate/check **2 fields**
  * TriggerChallenge: UI only displays username and /validate/triggerchallenge is sent **1 field**
  * OtpExtra: Like SendPassword, but the field 1stPassword + OTP is concatenated **3 fields**
  * ~~DoValidage....": UI has only username and an empty password is sent via /validate/check **1 field**~~
* otpExtra is removed since it is contained in mode "OtpExtra".
* PasswordHint: already exists.
If the mode has a typo or does not exist, we default to "SendPassword" and an error should be logged (at least in the log file).
## New:
- Instead of `authsourceMode` will be used the name: `authenticationFlow`.
- To maintain uniformity, `authenticationFlow` will also be implemented into the `authproc`.
Github is reporting that it’s fixed in this version that was submitted to be merged already:
privacyidea:master
← privacyidea:Fix-otp-extra
opened 04:34PM - 04 Nov 22 UTC
+ Implement the authentication flows.
+ Update the authsource config template with an `authenticationFlow` option. Valid values are: `sendPass`, `triggerChallenge`, and `otpExtra`.
+ `doTriggerChallenge`, `doSendPassword` and `otpExtra` options are outdated and removed from the config template.
+ `authenticationFlow` is required. If the option isn't found or the value is invalid, the login mask contains per default: 1 username field and 1 pass field, and a proper error is written to the log.
+ Implement the `authenticationFlow` in `authproc`. Valid values: `default`, `triggerChallenge`.
+ rm submodule configuration and belonging files from the repo.
+ Fix: process token enrollment after trigger challenge if is set.
However, when I attempt to install it using composer or even manually download the files from github, I am getting the same version of files that do not have the fix. Is there a way for me to get the fixed version of the files, or do I have to wait until it’s fully merged into the master branch?
Thank you for the assistance.
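The PR description above says the old boolean `otpExtra` / `doSendPassword` / `doTriggerChallenge` options are gone and that a single `authenticationFlow` value now decides what the login mask shows, falling back to one username and one password field with a logged error when the value is missing or misspelled. The following is an added illustration of that rule, not code from the module or from the PR; the option name `authenticationFlow` and its three values come from the PR text, while the class name `privacyidea:PrivacyideaAuthSource`, the `resolveAuthenticationFlow` helper and the sample config entries are assumptions constructed for the example.

```php
<?php
// Added example, not the privacyidea module's own code. It mirrors the rule
// described in the issue and PR: unknown or missing `authenticationFlow`
// falls back to the default flow and an error is logged.
declare(strict_types=1);

// Values taken from the PR description; the default name `sendPass` is the
// documented fallback (1 username field + 1 password field).
const VALID_FLOWS  = ['sendPass', 'triggerChallenge', 'otpExtra'];
const DEFAULT_FLOW = 'sendPass';

/**
 * Return the validated flow for an authsource entry. $log receives an error
 * message whenever the configured value is absent or not one of VALID_FLOWS.
 */
function resolveAuthenticationFlow(array $config, callable $log): string
{
    if (!array_key_exists('authenticationFlow', $config)) {
        $log("privacyidea: 'authenticationFlow' not configured, using '" . DEFAULT_FLOW . "'");
        return DEFAULT_FLOW;
    }
    $flow = $config['authenticationFlow'];
    // Strict, case-sensitive comparison: a typo such as "OtpExtra" is rejected.
    if (!is_string($flow) || !in_array($flow, VALID_FLOWS, true)) {
        $log("privacyidea: invalid 'authenticationFlow' " . var_export($flow, true)
            . ", using '" . DEFAULT_FLOW . "'");
        return DEFAULT_FLOW;
    }
    return $flow;
}

/** Fields of the login mask per flow, as listed in the issue text. */
function loginMaskFields(string $flow): array
{
    switch ($flow) {
        case 'triggerChallenge':
            return ['username'];
        case 'otpExtra':
            return ['username', 'password', 'otp'];
        default:
            return ['username', 'password'];
    }
}

// Constructed sample authsources.php entries (simpleSAMLphp puts the module
// class name at index 0; 'privacyidea:PrivacyideaAuthSource' is assumed here).
$samples = [
    // Pre-PR style: the boolean option is no longer read, so the mask silently
    // falls back to two fields. This is the symptom described in the thread.
    'legacy'  => ['privacyidea:PrivacyideaAuthSource', 'otpExtra' => true, 'doSendPassword' => true],
    // Post-PR style: three fields, password + OTP concatenated before sending.
    'current' => ['privacyidea:PrivacyideaAuthSource', 'authenticationFlow' => 'otpExtra'],
    // Misspelled value: logged and reduced to the default two-field mask.
    'typo'    => ['privacyidea:PrivacyideaAuthSource', 'authenticationFlow' => 'OtpExtra'],
];

$log = static fn(string $msg) => fwrite(STDERR, $msg . PHP_EOL);
foreach ($samples as $name => $cfg) {
    $flow = resolveAuthenticationFlow($cfg, $log);
    printf("%-8s flow=%-16s fields=%s\n", $name, $flow, implode(',', loginMaskFields($flow)));
}
```

Running this prints a two-field mask for both the legacy and the misspelled entry and a three-field mask only for the `authenticationFlow => 'otpExtra'` entry, which is why searching the updated files for a boolean `otpExtra` option finds nothing: the name survives only as one of the flow values. In a real deployment the `$log` callable would be the simpleSAMLphp logger rather than `STDERR`.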
You must not use the release but the latest master.
Use git or this zipped version of the master branch
https://github.com/privacyidea/simplesamlphp-module-privacyidea/archive/refs/heads/master.zip
Ok, thank you. Is the otpExtra fix actually in the master branch, then? Sorry, I am not too familiar with how github displays the changes. I was looking for otpExtra in the updated files and it seemed like it wasn’t there, but maybe the fix was to remove that piece of it. If it’s already in the master branch, then I should be good.
Thanks again!