PrivacyIDEA and Shibboleth Identity Provider 3: No token validation

#1

Dear Community,

We at the RWTH Aachen University are trying to set up PrivacyIDEA as an MFA solution. The setup of the software was easy, but now we have a problem with the integration in Shibboleth Identity Provider 3. We are using this “plugin” for Shibboleth https://github.com/wraezor/privacyIDEA-shibboleth-tfa and in the setup it is asking for

pi.Serviceuser
pi.Servicepassword

I tried a lot of different users here (local /etc/passwd realm with user, a user in our realm…) but every time I try to authenticate, I get this error:

[2019-04-30 10:33:41,284][27515][140129695938304][INFO][privacyidea.lib.user:357] User u’“shib@local”’ from realm u’rwth-aachen. de’ tries to authenticate
[2019-04-30 10:33:41,287][27515][140129695938304][ERROR][privacyidea.lib.user:371] The user User(login=u’“shib@local”’, realm=u’rwth-aachen. de’, resolver=’’) exists in NO resolver.
[2019-04-30 10:34:05,697][27515][140129763079936][INFO][privacyidea.lib.user:357] User u’“shib@local”’ from realm u’rwth-aachen.de’ tries to authenticate
[2019-04-30 10:34:05,699][27515][140129763079936][ERROR][privacyidea.lib.user:371] The user User(login=u’“shib@local”’, realm=u’rwth-aachen. de’, resolver=’’) exists in NO resolver.

My config:

Realm: rwth-aachen. de
Resolver: LDAP-Resolver
Realm: local
Resolver: /etc/passwd

Any ideas how I can resolve this?

#2

Hello and welcome to privacyIDEA.

I do not know the Shibboleth plugin. But the naming pi.Serviceuser sounds like an administrative service account.
You can set up such an account as an internal admin using pi-manage.
You might want to read a bit about administrators:
https://privacyidea.readthedocs.io/en/latest/faq/admins.html