Originally published at: https://www.privacyidea.org/privacyidea-flexibility-in-the-very-genes/
Successful two factor authentication is a matter of smooth workflows.
We learnt this in a lot of set ups and are claiming it since 2018 at the LinuxFest North West. One-solution-fits-all does not work out! Nowadays a company or organization wants to deploy 2FA to not only secure a certain login to a certain application, but also wants to have secure workflows around the authentication process. Thus the perfect 2FA or MFA software needs to adapt to the needs of such company or organisation.
The beauty of the event handlers
privacyIDEA introduced the Event Handlers already in version 2.12, May 2016. The script event handlers, which I want to talk about today, followed in version 2.17, December 2016.
Event Handlers were used quite actively since then. Only the script handles seemed special and awkward. It has been quiet around this one for a while. But recently a comment and question of a German partner (IT-Schmid), who was implementing a roll out concept for a customer, caught my attention and reactivated the thinking about the beauty of the script handlers.
privacyIDEA is implemented in a very modular way – on a horizontal but also on a vertical level. Database level, library level, the REST API and the Web UI are different, separated parts. And this helps us a lot with the script handlers. It is easily possible to write python scripts, that are using the library level, without the need to issue REST Requests that are processed through the web server. This improves performance of such scripts and it gives you access to ready made library functions, that allow you to address tasks with a few lines of code.
Script collection at Github repository
We realized, that it makes sense to provide a collection of example scripts, to give you a better understanding, what scripts can do and how this could be done. A new repository has been added at Github to host such example scripts. The first script is a script is a few lines, that can reassign a token from a username in one realm to a username in another realm. This can be a useful step during more complex rollout scenario. But automating such tasks of course reduces complexity and efforts to be taken.
We are happy to receive ideas and pull requests with new interesting scripts, which could enhance the scenarios with privacyIDEA to unexpected widths.
Visit our community forum for further discussions!