privacyIDEA as authproc filter in simpleSAMLphp


Originally published at:

What is an authproc filter and why should I use it?

An authentication processing filter is one step of the login process in simpleSAMLphp.
For example it can be useful, if you want to authenticate the first factor against LDAP and the second one against privacyIDEA.
If you enable privacyIDEA as an authsource, both factors will be authenticated against privacyIDEA.

With privacyIDEA as an authproc filter, you are much more flexible. You can expand and individualize the authentication process in many different ways. In this how-to we want to explain some of the features and show how to configure it in the best way.

How to setup privacyIDEA as an authproc filter

Authproc filters are configured in config.php (to use them every time) or in the metadata (to use it only, if the user comes from a specific service provider for example). Every authproc filter is listed in an array with a number, which shows the priority. The lowest number begins the login process.

privacyIDEA without special features (necessary)

'authproc' => array(
  20 => array(
    'class'             => 'privacyidea:serverconfig',
    'privacyideaserver' => 'https://your.privacyidea.server',
    'realm'             => 'realm1',
    'uidKey'            => 'uid',
    'sslverifyhost'     => true,
    'sslverifypeer'     => true,
    'serviceAccount'  => 'service',
    'servicePass'     => 'service',
  25 => array(
    'class'             => 'privacyidea:privacyidea',
This configuration enables the authentication against privacyIDEA. The first factor will be authenticated against the authsource (e.g. LDAP) and the second one against privacyIDEA.
  • class: this enables the authproc filter. (Do not change it)
  • privacyideaserver: here you can enter the url of your pricacyIDEA server
  • realm: enter the user's realm name
  • uidKey: privacyIDEA has to know in which attribute the username is stored (it depends on your authsource)
  • sslverifyhost: Check if the hostname matches the name in the certificate (set to true or false)
  • sslverifypeer: Check if the certificate is valid, signed by a trusted CA (true or false)
  • serviceAccount: The service account's username
  • servicePass: The service account's password

Disable 2FA for users with specified ip addresses (optional)

You can disable 2FA for users with a special ip address (e.g. your local area network). To do that, you have to enable and configure the authproc filter privacyidea:checkClientIP
21 => array (
  'class'             => 'privacyidea:checkClientIP',
  'excludeClientIPs'  => array("", ""),
This array has to be in the authproc array, which is mentioned above.
  • class: this enables the authproc filter.
  • excludeClientIPs: You can enter a single ip address or a range. These clients will not be asked to do 2FA.

Enroll new token, if the user does not have one (optional)

If a user does not have a second factor yet, it can be enrolled by simpleSAMLphp. To do that, a service account has to be configured and enabled. This can be done either above in privacyidea:privacyidea or here in privacyidea:tokenEnrollment)
24 => array(
  'class'           => 'privacyidea:tokenEnrollment',
  'tokenType'       => 'totp',
  • class: this enables the authproc filter
  • tokenType: Here you can enter the token type. It can be hotp or totp
You can overwrite the settings from privacyidea:serverconfig, if it is necessary. For example you can change the serviceAccount and servicePass. You only have to add it in this array.