Password+OTP requirement for one AD user in WebUI

I am running PrivacyIDEA 3.12.1 with the following policy:

  1. AllowAllTOTP

    • Scope: authentication

    • Action: otppin=tokenpin

    • Realm: ["MY_DOMAIN"]

    • Resolver: ["MY_resolver"]

    • Client: ["10.1.1.1"]

    • This allows all users in the AD realm to log into the WebUI using their AD password only, and it also allows an external application to authenticate using OTP-only via /validate/check from 10.1.1.1 (validated with curl). This behavior is correct.

Goal

Within the same AD realm, I need to enforce password + OTP only for one specific AD user (the intended PI administrator) when logging into the WebUI.
All other AD users must continue to authenticate with password-only.
Additionally, the OTP-only authentication done by an external application via /validate/check (from 10.1.1.1) must continue to work without changes.

What I attempted

I tried adding this policy:

  • pass_and_otp

    • Scope: authentication

    • Action: otppin=userstore | passthru=userstore

    • Realm: ["MY_DOMAIN"]

    • User: ["MY_user"]

    • Resolver: ["MY_resolver"]

    • Client: []

I also tried combining this with a webui scoped policy, but neither approach allowed me to require password+OTP for just the one user without affecting the others or breaking /validate/check.

Question

What is the correct way to configure the policies so that:

  • only one specific AD user must authenticate with password + OTP in the WebUI,

  • other AD users continue to authenticate with password-only, and

  • OTP-only validation via /validate/check from 10.1.1.1 keeps working exactly as it does now?

Hello Imckoll,

You can solve this cleanly by separating your “special” admin user from the rest of the AD users via a dedicated LDAP resolver and then using a WebUI policy with login_mode=privacyIDEA only for that resolver.

Add this resolver to a new or existing realm.

Create a WebUI policy that forces login against privacyIDEA (what you have tried) only for your new admin resolver:

  • Name: webui_admin_2fa

  • Scope: webui

  • Action: login_mode=privacyIDEA

  • Realm: ["MY_DOMAIN"] (or your admin realm)

  • Resolver: ["MY_admin_resolver"]

br

Julio
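To apply Julio's suggestion without clicking through the WebUI, here is an added Python example (not code from this thread or from the privacyIDEA project) that creates the webui_admin_2fa policy through privacyIDEA's REST API. It assumes the /auth and POST /policy/<name> endpoints, an admin account, and that the server URL, credentials and the resolver name MY_admin_resolver are placeholders you replace with your own.

```python
import json
import os
import urllib.parse
import urllib.request

# Constructed placeholders (assumptions): point these at your own privacyIDEA server.
PI_URL = os.environ.get("PI_URL", "https://pi.example.invalid")
ADMIN_USER = os.environ.get("PI_ADMIN", "admin")
ADMIN_PASS = os.environ.get("PI_ADMIN_PASS", "<admin-password>")


def _csv(value):
    """privacyIDEA takes realm/resolver lists as comma-separated strings."""
    return ",".join(value) if isinstance(value, (list, tuple)) else value


def build_policy_params(scope, action, realm, resolver, user="", client=""):
    """Body for POST /policy/<name>; the policy name itself goes in the URL path."""
    return {
        "scope": scope,
        "action": action,
        "realm": _csv(realm),
        "resolver": _csv(resolver),
        "user": user,
        "client": client,
        "active": "1",
    }


def _post(path, data, token=None):
    body = urllib.parse.urlencode(data).encode()
    req = urllib.request.Request(PI_URL + path, data=body, method="POST")
    if token:
        req.add_header("Authorization", token)  # privacyIDEA expects the raw auth token here
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def get_admin_token():
    return _post("/auth", {"username": ADMIN_USER, "password": ADMIN_PASS})["result"]["value"]["token"]


def create_policy(token, name, params):
    """Create or overwrite the named policy; returns the API's status flag."""
    return _post("/policy/" + name, params, token)["result"]["status"]


# The policy from the answer: WebUI login must go through privacyIDEA (password + OTP),
# scoped to the dedicated admin resolver only, so other AD users keep password-only login.
WEBUI_ADMIN_2FA = build_policy_params("webui", "login_mode=privacyIDEA",
                                      ["MY_DOMAIN"], ["MY_admin_resolver"])

if __name__ == "__main__":
    print(create_policy(get_admin_token(), "webui_admin_2fa", WEBUI_ADMIN_2FA))
```

The existing AllowAllTOTP authentication policy is left untouched, so /validate/check from 10.1.1.1 keeps working as before.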

Hello Julio

I added a new resolver as you said and a policy with register scope to force the use of the new resolver and it is working now. Thank you so much!