Owncloud privacyIDEA Policy passthru for local LAN


#1

Hello, I’ve set up a test environment with ownCloud 10.0.10 and the most recent privacyIDEA.
Everything is working fine … the SQL resolver, the email token and 2FA on ownCloud are working.
But deploying a policy that passes through authentication from certain local networks is the point
where problems show up. It did not even work with a single IP address.
Could someone please hint me in the right direction.


#2

All authentication requests originate from your owncloud server.
Look at the audit log!


#3

Thank you for your reply,
I already realised that while doing research.
Maybe there is a way to route the logins at ownCloud, i.e. LAN logs in directly.
External requests trigger the 2FA to privacyIDEA.


#4

The authentication requests accept a parameter client, which can contain a modified client IP.
This is e.g. also true for RADIUS authentication, when you need your policies based on the VPN clients, not on the VPN server (which is actually talking to privacyIDEA via RADIUS).

privacyIDEA allows you to define which request/IP is allowed to override the client information to certain IPs:
https://privacyidea.readthedocs.io/en/latest/configuration/system_config.html?highlight=override%20clients#override-authorization-client

However, the owncloud plugin currently does not support this.
This would have to happen in the POST-requests triggerchallenge (https://github.com/privacyidea/privacyidea-owncloud-app/blob/master/twofactor_privacyidea/lib/Provider/TwoFactorPrivacyIDEAProvider.php#L173)
and authenticate (https://github.com/privacyidea/privacyidea-owncloud-app/blob/master/twofactor_privacyidea/lib/Provider/TwoFactorPrivacyIDEAProvider.php#L322)

You are welcome to send a Pull Request for the owncloud app.
(Or at least file an issue)
Kind regards
Cornelius
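The mechanism described in this thread, modelled as an added example that is not code from the thread, from privacyIDEA or from the ownCloud app: the front end (ownCloud) is the TCP peer privacyIDEA sees, so it must forward the browser's address in a `client` parameter, and privacyIDEA must only honour that parameter from peers listed in its override-authorization setting; otherwise anyone able to reach the API could claim a LAN address and skip the second factor. The function and parameter names, the comma-separated list format and the sample addresses are assumptions constructed for the illustration.

```python
import ipaddress
from typing import Iterable, List, Optional, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def parse_networks(setting: str) -> List[Network]:
    """Parse a comma-separated list of IPs/subnets such as "10.0.0.5, 192.168.1.0/24".
    A bare address becomes a host network (/32 or /128). Format is an assumption."""
    nets = []
    for item in setting.split(","):
        item = item.strip()
        if item:
            nets.append(ipaddress.ip_network(item, strict=False))
    return nets


def in_any(ip: str, nets: Iterable[Network]) -> bool:
    """True if ip lies inside any of the given networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def effective_client_ip(request_ip: str, client_param: Optional[str],
                        override_clients: List[Network]) -> str:
    """Decide which address the policies are evaluated against.

    request_ip       - the peer that actually sent the HTTP request
                       (the ownCloud server, a RADIUS server, ...)
    client_param     - optional 'client' form field claiming the end user's IP
    override_clients - peers trusted to supply that field (hypothetical model
                       of the override-authorization-client setting)
    """
    if client_param is None:
        return request_ip
    # Only a trusted front end may rewrite the client address. A caller that is
    # not on the list keeps its own address, so a forged 'client' value cannot
    # pull an untrusted request into the passthru network.
    if not in_any(request_ip, override_clients):
        return request_ip
    try:
        return str(ipaddress.ip_address(client_param))
    except ValueError:
        # Malformed override value: fall back to the real peer address.
        return request_ip


def passthru_applies(client_ip: str, passthru_networks: List[Network]) -> bool:
    """True if the passthru policy matches, i.e. no second factor is required."""
    return in_any(client_ip, passthru_networks)


def build_validate_payload(user: str, password: str,
                           client_ip: Optional[str]) -> dict:
    """Form fields a front end would POST to /validate/check or
    /validate/triggerchallenge, adding the end user's address as 'client'
    (the step the ownCloud app does not yet perform)."""
    payload = {"user": user, "pass": password}
    if client_ip:
        payload["client"] = client_ip
    return payload


if __name__ == "__main__":
    # Constructed sample setup: ownCloud at 10.0.0.5, passthru for 192.168.1.0/24.
    override = parse_networks("10.0.0.5")
    lan = parse_networks("192.168.1.0/24")
    for peer, claimed in [("10.0.0.5", "192.168.1.23"),   # LAN browser via ownCloud
                          ("10.0.0.5", "203.0.113.7"),    # external browser via ownCloud
                          ("203.0.113.9", "192.168.1.23"),  # untrusted peer forging client
                          ("10.0.0.5", None)]:            # ownCloud without the parameter
        eff = effective_client_ip(peer, claimed, override)
        print(f"peer={peer:12} client={str(claimed):14} -> effective={eff:14} "
              f"passthru={passthru_applies(eff, lan)}")
```

The fourth case is the situation from post #1: without the `client` field privacyIDEA evaluates the policy against the ownCloud server's own address, so a passthru rule written for the LAN (or even for a single browser IP) never matches. The third case is why the override list must stay short: the spoofed value is discarded because the peer is not authorised to override.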