Originally published at: https://www.privacyidea.org/privacyidea-3-1-polished-policies/
privacyIDEA knows the rules, and it will have your users follow them.
We are happy to announce that today the first major release of the new privacyIDEA 3 series, privacyIDEA 3.1, was pushed to the repositories. It is available via the Python Package Index and from the Ubuntu repositories for Ubuntu 16.04 LTS and 18.04 LTS.
With privacyIDEA 3.1 the administrator can configure policies that are bound only to users carrying certain user attributes. This way the admin can define different policies for users within the same user resolver.
Migration from proprietary 2FA solutions gets even simpler with automatic token assignment and PIN setting.
Even more flexible policies
The administrator can now define policies based on arbitrary attributes. For this, privacyIDEA provides pluggable attribute modules that supply the values for policy conditions; this version ships with a user-attribute module. Until now, a policy could only be bound to a complete user resolver. That was awkward when the rights of users changed and only some of the users in a resolver should receive a new policy.
Now the administrator can set an attribute, e.g. in the user's LDAP entry, and as soon as it is set the policy is bound automatically to that user. This gives much greater flexibility in handling access rights and in migration or enrollment scenarios.
We also added new policy actions for administrators. An administrator can now be granted a dedicated read right on any configuration setting. This way the super user can define which administrator is allowed to read which configuration, and which configuration is hidden from which help desk user. The migration script, which runs automatically during the Ubuntu package update, creates new migration policies so that the behaviour of the installation does not change after the update.
We did a lot of work on policies in this release; we call it polishing policies.
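To make the attribute-bound policy matching concrete, here is an added illustrative example. It is not privacyIDEA's own code: the policy fields, the comparator names ("equals", "contains", "in") and the action names are this example's own choices, only loosely modelled on privacyIDEA's, and the users and policies are constructed sample data. Three users come from the same resolver "corp-ldap"; which policies apply to each is decided by an attribute the admin sets in the directory. The example deliberately fails closed when a condition refers to an attribute the user does not have, which is the edge case to decide explicitly in any such engine.

```python
# Added illustrative example (not privacyIDEA's own code): binding policies to
# users by attribute, not just by resolver. Field, comparator and action names
# are this example's own and only loosely modelled on privacyIDEA's.
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple


class PolicyError(Exception):
    """Raised when a policy condition cannot be evaluated for a user."""


# Comparators a condition may use: actual attribute value vs. expected value.
COMPARATORS: Dict[str, Callable[[str, str], bool]] = {
    "equals": lambda actual, expected: actual == expected,
    "contains": lambda actual, expected: expected in actual,
    "in": lambda actual, expected: actual in [v.strip() for v in expected.split(",")],
}


@dataclass
class Policy:
    name: str
    scope: str                       # e.g. "authentication", "enrollment"
    actions: Dict[str, str]
    resolver: str = ""               # "" means: any resolver
    # Conditions are (attribute, comparator, expected value); all must hold.
    conditions: List[Tuple[str, str, str]] = field(default_factory=list)
    active: bool = True


def condition_matches(cond: Tuple[str, str, str], userinfo: Dict[str, str]) -> bool:
    attribute, comparator, expected = cond
    if attribute not in userinfo:
        # Fail closed: a condition on an attribute the user does not carry
        # cannot be decided, so refuse instead of silently matching or skipping.
        raise PolicyError(f"user lacks attribute {attribute!r} required by a policy condition")
    if comparator not in COMPARATORS:
        raise PolicyError(f"unknown comparator {comparator!r}")
    return COMPARATORS[comparator](str(userinfo[attribute]), expected)


def match_policy_names(policies: List[Policy], scope: str, resolver: str,
                       userinfo: Dict[str, str]) -> List[str]:
    """Names of the active policies in `scope` that apply to this user."""
    matched = []
    for p in policies:
        if not p.active or p.scope != scope:
            continue
        if p.resolver and p.resolver != resolver:
            continue
        if all(condition_matches(c, userinfo) for c in p.conditions):
            matched.append(p.name)
    return matched


# Constructed sample data: three users from the same resolver "corp-ldap".
POLICIES = [
    Policy("corp-otp-pin", "authentication", {"otppin": "tokenpin"}, resolver="corp-ldap"),
    Policy("corp-passthru-legacy", "authentication", {"passthru": "legacy-radius"},
           resolver="corp-ldap", conditions=[("migrated", "equals", "no")]),
    Policy("corp-enroll-totp", "enrollment", {"enroll": "totp"},
           resolver="corp-ldap", conditions=[("department", "in", "sales, support")]),
]
ALICE = {"username": "alice", "department": "sales", "migrated": "yes"}
BOB = {"username": "bob", "department": "engineering", "migrated": "no"}
CAROL = {"username": "carol", "department": "sales"}   # no "migrated" attribute at all

if __name__ == "__main__":
    for user in (ALICE, BOB):
        print(user["username"], match_policy_names(POLICIES, "authentication", "corp-ldap", user))
```

Setting `migrated=no` on bob in the directory is all it takes to route him through the legacy passthru policy while alice, in the same resolver, is not; carol, who lacks the attribute entirely, cannot be evaluated and the engine refuses rather than guessing.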
Migration of proprietary 2FA solutions
Once again we have improved the migration from existing, proprietary 2FA solutions. Proprietary software goes end of life and sometimes leaves the user with a mess; Cornelius wrote a blog article about that problem.
The administrator can import the seed file of the old system, so privacyIDEA then knows the old tokens. On an authentication request privacyIDEA can automatically find out which token belongs to which user, and in addition it sets the old OTP PIN on that token. This way neither the user nor the administrator has to do anything to migrate to privacyIDEA.
This works because privacyIDEA first forwards the authentication request to the old system. If that authentication succeeds, privacyIDEA uses the OTP value to identify the user's token among the imported ones, and it uses the remainder of the passed credential to set the OTP PIN automatically.
Further work was done on the TiQR token in privacyIDEA. This is an older concept in which a challenge is passed to the user's smartphone via a QR code displayed during the login process; the user simply accepts the login request on the smartphone.
In addition, privacyIDEA 3.1 comes with a lot of minor enhancements and bug fixes.
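The following is an added example of that migration flow, written for this page and not privacyIDEA's code: it does not reproduce privacyIDEA's real import formats, policy names or internals. It assumes 6-digit HOTP (RFC 4226) tokens, a minimal constructed "serial,hexseed" seed file (the first seed is the RFC 4226 test key), and a stand-in for the legacy system that still holds the user-to-token assignments and PINs. The new system forwards the first credential, and once the old system accepts it, searches its unassigned imported tokens for the OTP, assigns the single match to the user, stores the rest of the credential as the PIN, and verifies all later logins locally. The one edge case a practitioner should care about is a zero or ambiguous match: the example then authenticates via the legacy answer but refuses to assign anything.

```python
# Added illustrative example (not privacyIDEA code): automatic token assignment
# and PIN setting while migrating from a legacy OTP system. Seed file format,
# class names and the legacy stand-in are this example's own assumptions.
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

OTP_LEN = 6      # assumed OTP length of the migrated HOTP tokens
WINDOW = 10      # counter look-ahead used when searching for a matching token


def hotp(secret: bytes, counter: int, digits: int = OTP_LEN) -> str:
    """RFC 4226 HOTP with HMAC-SHA1 and dynamic truncation."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = ((mac[off] & 0x7F) << 24 | mac[off + 1] << 16
            | mac[off + 2] << 8 | mac[off + 3]) % (10 ** digits)
    return f"{code:0{digits}d}"


# Constructed seed file, "serial,hexseed" per line. OATH0001 carries the
# RFC 4226 test key "12345678901234567890"; the other seeds are arbitrary.
SEED_FILE = """\
OATH0001,3132333435363738393031323334353637383930
OATH0002,0102030405060708090a0b0c0d0e0f1011121314
OATH0003,a0a1a2a3a4a5a6a7a8a9aaabacadaeafb0b1b2b3
"""


@dataclass
class Token:
    secret: bytes
    counter: int = 0
    user: Optional[str] = None   # None: imported but not yet assigned
    pin: Optional[str] = None


def import_seed_file(text: str) -> Dict[str, Token]:
    tokens = {}
    for line in text.splitlines():
        serial, hexseed = line.split(",")
        tokens[serial] = Token(bytes.fromhex(hexseed))
    return tokens


def check_otp(tok: Token, otp: str) -> Optional[int]:
    """Counter within the look-ahead window that produces `otp`, else None."""
    for ctr in range(tok.counter, tok.counter + WINDOW):
        if hmac.compare_digest(hotp(tok.secret, ctr).encode(), otp.encode()):
            return ctr
    return None


class LegacySystem:
    """Stand-in for the proprietary system: it knows user, PIN and token."""
    def __init__(self, tokens: Dict[str, Token], assignments: Dict[str, Tuple[str, str]]):
        self.tokens = tokens              # its own copy of the same seeds
        self.assignments = assignments    # user -> (serial, pin)

    def authenticate(self, user: str, credential: str) -> bool:
        if user not in self.assignments:
            return False
        serial, pin = self.assignments[user]
        if not hmac.compare_digest(credential[:-OTP_LEN].encode(), pin.encode()):
            return False
        ctr = check_otp(self.tokens[serial], credential[-OTP_LEN:])
        if ctr is None:
            return False
        self.tokens[serial].counter = ctr + 1
        return True


@dataclass
class AuthResult:
    ok: bool
    source: str                    # "local" or "legacy"
    serial: Optional[str] = None   # token used, or newly assigned


class MigratingAuthenticator:
    """New system: has the imported seeds but no assignments or PINs yet."""
    def __init__(self, tokens: Dict[str, Token], legacy: LegacySystem):
        self.tokens = tokens
        self.legacy = legacy

    def authenticate(self, user: str, credential: str) -> AuthResult:
        pin, otp = credential[:-OTP_LEN], credential[-OTP_LEN:]
        owned = [s for s, t in self.tokens.items() if t.user == user]
        if owned:
            # Already migrated: verify PIN and OTP locally, never ask the old system.
            for serial in owned:
                tok = self.tokens[serial]
                ctr = check_otp(tok, otp)
                if hmac.compare_digest(tok.pin.encode(), pin.encode()) and ctr is not None:
                    tok.counter = ctr + 1
                    return AuthResult(True, "local", serial)
            return AuthResult(False, "local")
        # Not migrated yet: forward the complete credential to the legacy system.
        if not self.legacy.authenticate(user, credential):
            return AuthResult(False, "legacy")
        # The old system accepted it, so the OTP identifies this user's token.
        # Search the unassigned tokens; refuse to assign on zero or ambiguous hits.
        hits = [(s, check_otp(t, otp)) for s, t in self.tokens.items() if t.user is None]
        hits = [(s, c) for s, c in hits if c is not None]
        if len(hits) != 1:
            return AuthResult(True, "legacy")
        serial, ctr = hits[0]
        tok = self.tokens[serial]
        tok.user, tok.pin, tok.counter = user, pin, ctr + 1
        return AuthResult(True, "legacy", serial)


def build_demo() -> MigratingAuthenticator:
    """Constructed setup: bob owns OATH0001 with PIN 1234 on the old system only."""
    legacy = LegacySystem(import_seed_file(SEED_FILE), {"bob": ("OATH0001", "1234")})
    return MigratingAuthenticator(import_seed_file(SEED_FILE), legacy)


if __name__ == "__main__":
    m = build_demo()
    print(m.authenticate("bob", "1234" + hotp(b"12345678901234567890", 0)))  # via legacy, assigns
    print(m.authenticate("bob", "1234" + hotp(b"12345678901234567890", 1)))  # now local
```

Two things the flow relies on are visible here: the full credential, PIN included, has to reach the old system for the passthru to work at all, and the new system trusts the old system's verdict to learn the PIN and assignment. The example also syncs the counter forward on assignment, so the OTP that was accepted by the legacy system cannot be replayed against the new one.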