PrivacyIDEA with UCS v5

I am trying to get PrivacyIdea working with UCS v5. I have it working in UCS v4.

I have the PrivacyIDEA server up and I can validate the PIN/TOKEN in the interface for the UCS user.

But it seems UCS is not using the HOTP PIN/TOKEN, the normal password from UCS works.

I have the ucr entries set:
ucr set privacyidea/saml/enable=True
ucr set privacyidea/saml/url=https://your.domain.controller.net/privacyidea
ucr set privacyidea/saml/verifyhost=False
ucr set privacyidea/saml/verifypeer=False

I don’t see the place to modify the policies for this anymore. Before, it showed up under the users in v4. Has this changed to enable OTP?

Is there a way to enable just the PIN and OTP for some users?

Thanks in advance!

Hi J_R,

That should be

authproc

or

authsource

Look at:

First steps

privacyIDEA SAML adds two factor authentication to the Univention SAML (SSO) service. Authentication is done via privacyIDEA. The privacyIDEA service can be installed on any other Linux system in your network.

privacyIDEA can either completely replace the existing SAML authentication (acts as SAML authsource) or it can be added as a second step to the Univention-LDAP authentication (acts as SAML auth proc filter).

Use the following UCR variables to configure privacyIDEA SAML:

  • privacyidea/saml/enable Set this to “authsource” to activate privacyIDEA as sole 2FA authentication provider for SAML or set to “authproc” if you want the first part of authentication handled by Univention LDAP and only the second part of 2FA handled by privacyIDEA. Upon setting this registry key, the configuration is updated according to the given registry keys.

  • privacyidea/saml/url This is the URL where your privacyIDEA server is located. Can be “https://yourserver/privacyidea”.

  • privacyidea/saml/verifypeer Set this to “false” to disable the validity check of the SSL certificate of the privacyIDEA server. Defaults to true if not set.

  • privacyidea/saml/verifyhost Set this to “false” to disable the check of the hostname in the SSL certificate of the privacyIDEA server. Defaults to true if not set.

  • privacyidea/saml/uidkey The attribute containing the loginname. Defaults to “uid”.

  • privacyidea/saml/realm The realm the plugin should search for the user.

  • privacyidea/saml/excludeEntityIDs authproc mode - Conditionally disable privacyIDEA for the listed entity IDs. This key expects a php array as value.

  • privacyidea/saml/includeAttributes authproc mode - Conditionally enable privacyIDEA for users with certain attributes although listed in privacyidea/saml/excludeEntityIDs. Please refer to the documentation of v2.1.2.

  • privacyidea/saml/checkClientIPs authproc mode - List IP addresses for which privacyIDEA should be disabled. This key expects a php array as value.

  • privacyidea/saml/SSO authproc mode - Skip privacyIDEA if there is a valid SAML assertion present. Defaults to true.

Br

Julio

1 Like

Thanks Julio!

I am still having issues. I did adjust the settings, but so far not working.

  • I have it running on a dedicated host.
  • PrivacyIDEA version 3.7.1
  • SAML app is 2.1.2 latest from store on UCS v5

ucr set privacyidea/saml/url=https://ip-of-privacyIDEA (I don’t have it on the same box) I don’t have it in a sub directory. Login is at the https root directory.
ucr set privacyidea/saml/enable=authsource
ucr set privacyidea/saml/realm=USS
ucr set privacyidea/saml/verifypeer=False
ucr set privacyidea/saml/verifyhost=False

Where does it log failures or issues for the saml attempts?
Do the ucr set options require a reboot to apply? I did try a reboot but it still didn’t work.

In the privacyidea audit I see it does a GET token and says ok for sig_check and missing_line.

Hi J_R,

Can your UCS server communicate with the privacyidea server, or is it pingable?
if no:
check your /etc/hosts

A working test configuration looks like:

privacyidea/saml/enable=‘authproc’
privacyidea/saml/url=‘https://10.10.10.10/’
privacyidea/saml/verifyhost=‘false’
privacyidea/saml/realm=‘ucs5’
privacyidea/saml/verifypeer=‘false’
privacyidea/saml/uidkey=‘uid’

If you make any changes to one of the variables above, set this variable again:

“privacyidea/saml/enable=your_value”

that should regenerate the file for authsource

/etc/simplesamlphp/authsources.php

from template file:

/etc/univention/templates/files/etc/simplesamlphp/97authsources.php

or for authproc

/etc/simplesamlphp/metadata/saml20-idp-hosted.php

from template file

/etc/univention/templates/files/etc/simplesamlphp/metadata/97saml20-idp-hosted.php

to view your logs on ucs, use

journalctl -f

and check what happens

privacyidea server:
the missing line message is ok and can be safely ignored in this case. This is normal for the last entry in the audit log.

Br

Julio

Thanks for that info. Yes, I can ping. I have the resolver working and it pulled all the UCS users into PrivacyIDEA. But it still doesn’t seem to work. Are there any other settings we need besides the resolver and creating a token for the users from UCS? The log files show nothing when I attempt to connect from a Windows 10 machine using the pin+token as the password.

My PrivacyIDEA install login is at / of the webserver; I don’t have it installed in a subdirectory. I have seen some docs that show /privacyidea. I have no firewall on either box as they are both on the LAN.

Here are my settings: ucr search privacy

appcenter/apps/privacyidea-saml/status: installed
appcenter/apps/privacyidea-saml/ucs: 5.0
appcenter/apps/privacyidea-saml/version: 2.1.2
appcenter/prudence/docker/privacyidea-saml: yes
privacyidea/saml/enable: authsource
privacyidea/saml/realm: ucs
privacyidea/saml/uidkey: uid
privacyidea/saml/url: https://10.10.10.10/
privacyidea/saml/verifyhost: False
privacyidea/saml/verifypeer: False
repository/online/component/privacyidea-saml_20220323150857/description: privacyIDEA SAML
repository/online/component/privacyidea-saml_20220323150857/localmirror: false
repository/online/component/privacyidea-saml_20220323150857/server: https://appcenter.software-univention.de
repository/online/component/privacyidea-saml_20220323150857/version: current
repository/online/component/privacyidea-saml_20220323150857: enabled
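The thread turns on a small set of UCR values that are easy to get subtly wrong (the opening post sets privacyidea/saml/enable=True, while the documented values are authsource or authproc, and both TLS checks are switched off). The following POSIX shell script is an added example, not code from the thread or from the privacyIDEA or Univention projects; it reads a dump in the "key: value" form that `ucr search` prints above and reports the settings a reviewer would flag. The sample dump is constructed for the example and the `privacyidea/saml/*` keys it checks are the ones listed in the thread.

```shell
#!/bin/sh
# Constructed sample of `ucr search privacyidea/saml` output (not from a real host).
# It deliberately reproduces the two common mistakes seen in the thread.
SAMPLE_UCR='appcenter/apps/privacyidea-saml/status: installed
privacyidea/saml/enable: True
privacyidea/saml/url: https://10.10.10.10/
privacyidea/saml/verifyhost: False
privacyidea/saml/verifypeer: False'

# ucr_get DUMP KEY: print the value of KEY from a "key: value" dump, empty if absent.
# '#' is the sed delimiter because UCR keys contain '/'.
ucr_get() {
    printf '%s\n' "$1" | sed -n "s#^$2: ##p"
}

# check_privacyidea_saml DUMP: print one finding per line; return 1 if any finding.
check_privacyidea_saml() {
    dump=$1
    rc=0

    # enable must select a mode; "True"/"yes" renders neither authsource nor authproc.
    enable=$(ucr_get "$dump" 'privacyidea/saml/enable')
    case "$enable" in
        authsource|authproc) ;;
        *) echo "enable: expected 'authsource' or 'authproc', got '${enable:-<unset>}'"; rc=1 ;;
    esac

    # The privacyIDEA endpoint receives OTP values, so it must be reached over https.
    url=$(ucr_get "$dump" 'privacyidea/saml/url')
    case "$url" in
        https://*) ;;
        *) echo "url: must be an https:// URL, got '${url:-<unset>}'"; rc=1 ;;
    esac

    # verifypeer/verifyhost default to true when unset; any explicit "false" value
    # leaves the SAML service unable to tell the real privacyIDEA server from an impostor.
    for k in verifypeer verifyhost; do
        v=$(ucr_get "$dump" "privacyidea/saml/$k")
        case "$v" in
            ''|true|True) ;;
            *) echo "$k: TLS verification disabled ($k=$v); re-enable it once a trusted certificate is installed"; rc=1 ;;
        esac
    done

    return $rc
}

# Stand-alone run against the constructed sample (prints three findings).
check_privacyidea_saml "$SAMPLE_UCR" && echo "no findings"
```

On a UCS host the dump would come from `ucr search privacyidea/saml` (the command form shown in the post above); disabling verifypeer/verifyhost is reasonable for a first lab test against a self-signed certificate, but the check treats it as a finding because the production setting should trust a real certificate.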

What exactly are you trying to do? What are you expecting?
I think you might be authenticating somewhere where privacyIDEA is not even meant to be talked to.
Please check if you are doing SSO with SAML (simpleSAMLphp) at all.

It is a new install. I have only setup privacyIDEA. I have it running on a server on the same network.

I am trying to have PrivacyIDEA be the authentication source. I added UCS and the resolver. It shows the usernames. I can test the token (pin+OTP) and it works in PrivacyIDEA interface.

I just want Windows 10 Pro users to use PIN+OTP to login instead of using the UCS password unless they don’t have a token in PrivacyIDEA.

I never set up SSO. Just normal UCS as standalone domain controller with AD. The only extra apps installed are Active Directory compatible domain controller, DHCP server and PrivacyIDEA. I had this working in v4 of UCS with no issue. But it has been a while since I did that install. This is a new install.

You are not clear about your problem and not clear about what you are trying to do!

Rethink: WHERE are you actually trying to authenticate with your users? You do not say this. We can only guess this. I have a suspicion what you are trying to do and why you are failing.
It is not our responsibility to guess what you are doing.

So think about it again. Try to explain, where users try to authenticate.
Think again. Then maybe you will realize yourself why this does not work out.

I am using Univention UCS ActiveDirectory controller. Instead of using the passwords from AD on the UCS I want to use only PrivacyIDEA (PIN+OTP) (authsource) to authenticate the Windows 10 Pro users when they login to the domain. We have roaming profiles. I have this working in UCS v4. This is the first time I tried to set up UCS v5 (new install) with PrivacyIDEA. I do have the resolver set up for PrivacyIDEA and the users are showing. I added an HOTP token for the user. I can test the token in PrivacyIDEA and it works.

The issue is it doesn’t work when I try to authenticate the Windows 10 Pro user when logging into the UCS domain using only the PIN+OTP, but it does work with the UCS AD password for the user, which it shouldn’t be trying to use if a token is present. I see the UCS request the auth from PrivacyIDEA and it seems to pass the sig_check, but it doesn’t log in; it just says normal password failed login error. I don’t see any errors in the logs. I have been waiting to upgrade UCS because PrivacyIDEA was held back from the release of UCS v5. They released the app, but I have not been able to get it working with a new UCS v5 install.

What does this mean?

ā€œon the UCSā€.

ā€œLogin to domainā€.

the privacyIDEA SAML plugin does not hook into kerberos, this is why it is not called privacyIDEA Kerberos Plugin.

My educated guess is you want to login to a windows machine, to windows desktop and expect that you are asked for an OTP value against privacyIDEA? This will not happen and never worked with UCS4, either.


edit: You might have used the privacyIDEA credential provider.

UCS is: https://www.univention.com/

They have a PrivacyIDEA plugin that allows you to use PrivacyIDEA SAML plugin to authorize user login for the domain users. They have UCS documents that say it works. I have it working on v4 as of now. I have not upgraded yet until I can verify v5 works.

I never heard of this one, …and cannot imagine how this should technically work at all. And I would be wondering why they never talked about it.

So if there is this mysterious 2nd univention plugin, you would have to install it. You know, you are telling us there is a univention plugin that connects to the privacyIDEA SAML plugin, that connects to the privacyIDEA server for 2FA. And it does not work anymore. But it looks like you do not have this mysterious univention plugin installed, right?

Do you have a link?
If it is so, you should probably ask univention or the univention forum.

(But honestly, I think you are completely on the wrong track)

Pro tip: Take a look at your UCS4 setup where it is working. Look at the installed software on the windows clients, where you can login with 2FA. There you should be able to see this “they have a privacyIDEA plugin that allows you…”.

Then reread this thread and enjoy how the understanding rises in your mind.

(If you posted this link with this mysterious plugin, mine would also rise)

Hi @J_R , could you post here specific Documentation UCS-PrivacyIDEA link?

Thank you

Crosspost to PrivacyIdea with UCS v5 - privacyidea - Univention Help

I will join you here to concentrate the efforts

any updates here? might be the same issue we are facing right now

@olivention : Thanks. Yeah I had tried here and it seems people had no idea it could be used with UCS. Has the update come out? I can test again and see if it has been resolved.

Just to get the information straight:

We, from univention, have only one PrivacyIDEA plugin, which is provided by netknights.
It integrates as a module in our SAML SSO and is provided in the app center (sorry, no link, as I can only post 2)

The App source code is available on GitHub and has had no updates since March.

So, definitely no 2nd plugin here!

@J_R if you want to try out the last patch, put the changes to /etc/univention/templates/info/privacyidea-ucs-saml.info and do
ucr commit /etc/simplesamlphp/metadata/saml20-idp-hosted.php /etc/simplesamlphp/authsources.php.
Now all UCR variables under privacyidea/saml/ are evaluated, especially privacyidea/saml/enabled, privacyidea/saml/setkey and privacyidea/saml/uidkey should be evaluated properly.

@olivention I have the patch applied. One thing I noticed is I don’t get any logs in the /var/log/simplesamlphp directory. I have enabled DEBUG; when I try to login I never see any debug information. I checked both the privacyIDEA logs and syslog. This is a new UCS v5 install and not in production. I am still testing before I move v5 into production. Any ideas why I am not getting DEBUG to work? I restarted the service and rebooted, no change in debug logging.