privacyIDEA 3.0 - Python 3, crypto and easier two factor authentication

#1

Originally published at: https://www.privacyidea.org/privacyidea-3-0-python-3-push-and-policies/

Proudly we talk about our release of the major version privacyIDEA 3.0, today.

Changing the version number 2.23.5 to 3.0 indicates a lot of changes. Changes why you should take more care during the update process. And changes, why this article is a bit longer than usual. But relax! We did everything we could to still give you a smooth update experience.

So what is so different?

Get ready for the future

The most important changes in version 3.0 are under the hood.

Now privacyIDEA runs well on Python 2 and Python 3! This way we will still be in business when Python 2.7 is no longer supported in 2020. Being able to run on Python 2 or Python 3 with the same code allows you to choose, whether and when you want to move your installation to Python 3!

The other major change is in the database schema. For years tokens were assigned to a user, by storing the link to the user in the token database table in the columns userid and resolver. From this, the limitation came that a token could originally only be assigned to one user. In version 3 we store the token assignment in a new database table “tokenowner”. This way the database schema allows that a token can have multiple token owners. While currently the API and Web UI still only allow to assign one user to a token, we have laid the foundation for an even greater flexibility in the future.

This change leads to something, we did not have before during update. Data migration! While the past versions contained schema migrations, that added new columns and features to privacyIDEA, this is the first time, that the update process will also change data in the database! The userid and resolver is removed from the token table and migrated to the tokenowner table. We tested this successfully with roughly 25.000 assigned tokens. Migrating more tokens will just be a matter of time.

Push and Queue

Two new main features are the Push Token and internal Queueing.

With the Push Token privacyIDEA will send a push notification to the user’s smartphone informing the user about the login request. Using the privacyIDEA Authenticator App the user can confirm the login request by simply clicking the notification. In the background a cryptographic challenge is signed on the smartphone and sent back to privacyIDEA. privacyIDEA verifies the signature and the login for the user is granted. The Push Token adds another unique authentication mechanism to privacyIDEA. Thus the administrator can choose between a lot of different authentication types like TOTP, HOTP, Yubikey, U2F, Email, SMS… and decide which matches the user’s needs.

Developing the concept for the Push Token

privacyIDEA now offers a queue, that can run tasks outside of the request context of e.g. an authentication request. For starters the task of sending an email (e.g. during authentication with an email token or with the notification event handler) can now be pushed to the queue and thus be decoupled from the original request, resulting in reliably quicker response times.

In the future the queue can be used for a lot more tasks.

Tell me what happend – helping the administrator understanding his complex system

In big installations the administrator might have configured a lot of different policies, to tweek the system exactly to his needs. Policies define the way, how the systems responds to an authentication request, the enrollment of a token or any other API request. The combination of the policies can make things more complex and the administrator can loose the overview. “What policy combination caused the system to respond in this way?”

The Audit Log helps the administrator to track and reproduce what exactly happened and why!

The audit log already saves every API request that was sent to privacyIDEA. In version 3.0 the audit log also contains a list of all used or relevant policies during this request. I.e. the administrator can easily see, why the system behaved this way it did. The audit log will contain the complete list of policies, that led to this very decision. This will help the administrator or service desk to trouble shoot user’s requests in a shorter time.

Get it and authenticate

As always you can find the complete changelog at Github. Please be sure, to read the READ_BEFORE_UPDATE, before updating! (Just like the name suggests)

privacyIDEA 3.0 is available via the Python Package Index and via repositories for Ubuntu 16.04LTS and 18.04LTS. The repositories have been changed to be able to provide more strictly defined installation scenarios. Please read the online documentation for install methods and the update process.

New users are welcome at our community forum! Enterprise users can get an Enterprise Edition here.

1 Like

#2

Hello Cornelius,

congratulations for releasing 3.0.

Is Debian still supported or is it Ubuntu only now?

Best regards

0 Likes

#3

Hi,
we haven’t built public debian packages for a while, I think.
Internally we built debian packages for the UCS installation and we will continue to do so.
The UCS (and thus debian package) is part of the enterprise edition and will be built with 3.0.1.
But building packages will get simpler anyways, since we decided to build all packages based on virtualenvs.
Kind regards
Cornelius

0 Likes