I’m trying to configure several authentication policies. I have one default realm and two resolvers. Both resolvers are selected for this realm.
So I have created two policies.
Policy1 with Priority 1 and Conditions:
- Realm = DefaultRealm
- Resolver = Resolver1
Policy2 with Priority 1 and Conditions:
- Realm = DefaultRealm
- Resolver = Resolver2
I’m using PUSH tokens only.
If I enable both policies, I get no push at all in my PI App. I have tried a user from Resolver1 and a user from Resolver2; same result, no push.
If I disable one of the policies, I get push fine with the parameters specified in the enabled policy. Even if I enable only Policy1 and try to authenticate with a user account from Resolver2, I get Policy1 applied (despite the conditions).
If I set Priority 2 for Policy2, it is not applied at all. Policy1 is applied even though the user account belongs to Resolver2.
Maybe I have some misunderstanding of how conditions work?
Take a look at the log file.
If the system behaves in a way you do not expect, it is always a good idea to look at the audit log and to look into the log file!
Sorry, didn’t think about enabling Debug logging before.
After enabling it I can see a lot of new details.
I have a huge amount of logs, for example:
[DEBUG][privacyidea.lib.policy:602] Policies after matching action: 
[DEBUG][privacyidea.lib.policy:602] Policies after matching user: 
[DEBUG][privacyidea.lib.policy:602] Policies after matching realm: 
[DEBUG][privacyidea.lib.policy:637] Policies after matching resolver: 
[DEBUG][privacyidea.lib.policy:649] Policies after matching pinode: 
[DEBUG][privacyidea.lib.policy:679] Policies after matching client: 
[DEBUG][privacyidea.lib.policy:198] Exiting list_policies with result 
[DEBUG][privacyidea.lib.policy:758] Policies after matching time: 
[DEBUG][privacyidea.lib.policy:764] Policies after matching conditions
[DEBUG][privacyidea.lib.policy:198] Exiting match_policies with result 
So it seems it cannot match any policy, right?
But I have both policies enabled. And I can see this line also:
[DEBUG][privacyidea.lib.token:2199] Found user with loginId User(login='user1', realm='DefaultRealm', resolver='Resolver1'):...
We can see that it matches the right user resolver. This resolver is specified in the policy conditions. So why can’t it match the policy?
Here is some new information. For tests I have entered a single username in Policy1 and another username in Policy2 conditions, and removed any other conditions. Still no push. But if I set Policy1 priority to 1 and Policy2 priority to 2, push works! But it uses the policy with the lowest priority regardless of the username!
Some new info.
If I set the priority to 1 in both policies, I can find this record in the Audit log:
“There are policies with conflicting actions:…”
And I cannot get Push notification.
If I set Policy1 priority to 1 and Policy2 priority to 2, I can see this record:
Action “POST /validate/check”, and it shows that it matches the right policy (Policy2, as expected for the test user) in the Policy column. But in the push notification I actually see the text which is set in the other policy (Policy1 with priority 1). So the right policy (Policy2) is actually not applied.
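To make the priority mechanics discussed in this thread concrete, here is a small Python model of priority-based policy resolution. It is an added illustration written for this page, not privacyIDEA's own code (the real matching logic is in privacyidea.lib.policy, which the debug lines above come from). It assumes two rules that the thread's observations are consistent with: among the policies whose conditions match, the lowest priority number wins, and if the winners at that priority disagree on the value of one action the result is an error like the audit record "There are policies with conflicting actions". The policy and user names match the thread; the action name `push_text` is a hypothetical stand-in for whatever push-related action the poster configured.

```python
"""Toy model of condition filtering and priority resolution for policies.
Added illustration only; NOT privacyIDEA's implementation."""
from dataclasses import dataclass, field, replace
from typing import Dict, List, Optional, Set


@dataclass
class User:
    login: str
    realm: str
    resolver: str


@dataclass
class Policy:
    name: str
    priority: int                                  # assumption: lower number = higher precedence
    actions: Dict[str, str]                        # action name -> value
    realm: Set[str] = field(default_factory=set)   # empty set = condition not set (matches any)
    resolver: Set[str] = field(default_factory=set)
    user: Set[str] = field(default_factory=set)
    active: bool = True


class PolicyConflict(Exception):
    """Winning policies at the same priority disagree on one action's value."""


def match_policies(policies: List[Policy], user: User, action: str) -> List[Policy]:
    """Filter step: keep active policies that define `action` and whose
    realm / resolver / user conditions all accept `user`."""
    matched = []
    for p in policies:
        if not p.active or action not in p.actions:
            continue
        if p.realm and user.realm not in p.realm:
            continue
        if p.resolver and user.resolver not in p.resolver:
            continue
        if p.user and user.login not in p.user:
            continue
        matched.append(p)
    return matched


def resolve_action(policies: List[Policy], user: User, action: str) -> Optional[str]:
    """Priority step: among matching policies keep only the lowest priority number;
    they must agree on the action's value, otherwise it is a conflict."""
    matched = match_policies(policies, user, action)
    if not matched:
        return None                                # no policy applies at all
    best = min(p.priority for p in matched)
    winners = [p for p in matched if p.priority == best]
    values = {p.actions[action] for p in winners}
    if len(values) > 1:
        names = ", ".join(sorted(p.name for p in winners))
        raise PolicyConflict(f"There are policies with conflicting actions: {names} ({action})")
    return values.pop()


# Constructed sample data mirroring the thread's setup ("push_text" is hypothetical).
POLICY1 = Policy("Policy1", 1, {"push_text": "Text from Policy1"},
                 realm={"DefaultRealm"}, resolver={"Resolver1"})
POLICY2 = Policy("Policy2", 1, {"push_text": "Text from Policy2"},
                 realm={"DefaultRealm"}, resolver={"Resolver2"})
USER1 = User("user1", "DefaultRealm", "Resolver1")
USER2 = User("user2", "DefaultRealm", "Resolver2")


def scenario_conditions_select_policy():
    """Both at priority 1 with distinct resolver conditions: each user hits one policy."""
    return (resolve_action([POLICY1, POLICY2], USER1, "push_text"),
            resolve_action([POLICY1, POLICY2], USER2, "push_text"))


def scenario_equal_priority_conflict():
    """Both at priority 1 and both matching the same user: differing values -> conflict."""
    p1 = replace(POLICY1, resolver=set())
    p2 = replace(POLICY2, resolver=set())
    try:
        resolve_action([p1, p2], USER2, "push_text")
    except PolicyConflict as err:
        return str(err)
    return None


def scenario_lower_number_wins():
    """Policy2 demoted to priority 2 while both match: Policy1 wins even for user2."""
    p1 = replace(POLICY1, resolver=set())
    p2 = replace(POLICY2, resolver=set(), priority=2)
    return resolve_action([p1, p2], USER2, "push_text")


if __name__ == "__main__":
    print("distinct resolver conditions:", scenario_conditions_select_policy())
    print("equal priority, both match:  ", scenario_equal_priority_conflict())
    print("priority 1 vs 2, both match: ", scenario_lower_number_wins())
```

The first scenario is what the resolver condition is meant to achieve (each user sees only their own policy, no conflict). The other two show why a second policy that also matches the user either raises the conflict error at equal priority or silently loses to the lower-numbered one, which is the pattern the poster reports; the model does not explain why the thread's resolver or username conditions did not narrow the match in the first place.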