Push Tokens + Apache

adamvb · June 15, 2021, 2:27pm

I’m having trouble getting the push tokens to work,

we are currently running a couple of reverseproxies that use the Apache2 auth module:

Before we had it set up for TOTP based tokens, so when opening a site the user needs to enter their username and then pin+token and that was it.

Now I confgured push tokens, and when entering the username + pin from the push token I get the push notification in the Privacyidea app, but the browsers auth window just comes again. I guess because the module expects the challenge response right away instead of waiting for the user.

Alternatively we also use simplesamlphp and the simplesamlphp privacyidea module for our SAML enabled sites. But here I also enter the PIN, the push notification comes, but the login page is reloaded.

Is there something special that we need to change in the config to make this work?

github.com

privacyidea/simplesamlphp-module-privacyidea/blob/master/docs/privacyidea.md

privacyidea module
==================

This module provides an authentication module for simpleSAMLphp to talk
to the privacyIDEA authentication server.

`privacyidea:privacyidea`
: Authenticate a user against a privacyidea server.

The module contacts the privacyIDEA server via the API

  https://privacyidea/validate/samlcheck
 
and authenticates the user according to the token assigned to the user.

The response can also contain some attributes.

You can use this plugin in two different ways
Method 1) authenticate against privacyIDEA only
Method 2) authenticate the 1st factor against your authsource and the 2nd factor against privacyIDEA

This file has been truncated. show original

cornelinux · June 17, 2021, 5:03am

Push can not work with basic auth in apache.

See “authentication modes” in the docs.
You might want to take a look at the policy “push wait”.

adamvb · June 17, 2021, 6:11am

ok thats too bad.

We could switch all of our sites to use saml, and the module supposedly also supports push tokens, but it’s currently broken

github.com/privacyidea/simplesamlphp-module-privacyidea

SimpleSAML_Error_Exception: Error 8 - Undefined index: AuthId

opened 08:43PM - 29 Jun 17 UTC

jh23453

Type: Bug

In the log I see: ``` Jun 29 22:27:57 simplesamlphp DEBUG [00e11fd73e] privacy…IDEA authId: example.org-privacyidea Jun 29 22:27:57 simplesamlphp DEBUG [00e11fd73e] Saved state: '_222bd2a0c69b0ce1c8a3b5648d1baba84b45bf8cc8:https://pi.example.org/simplesamlphp/module.php/core/as_login.php?AuthId=example.org-privacyidea&ReturnTo=https%3A%2F%2Fpi.example.org%2Fsimplesamlphp%2Fmodule.php%2Fcore%2Fauthenticate.php%3Fas%3Dexample.org-privacyidea' Jun 29 22:27:57 simplesamlphp ERROR [00e11fd73e] SimpleSAML_Error_Exception: Error 8 - Undefined index: AuthId Jun 29 22:27:57 simplesamlphp ERROR [00e11fd73e] Backtrace: Jun 29 22:27:57 simplesamlphp ERROR [00e11fd73e] 5 /usr/share/simplesamlphp/www/_include.php:75 (SimpleSAML_error_handler) Jun 29 22:27:57 simplesamlphp ERROR [00e11fd73e] 4 /usr/share/simplesamlphp/lib/SimpleSAML/Auth/Source.php:40 (SimpleSAML_Auth_Source::__construct) Jun 29 22:27:57 simplesamlphp ERROR [00e11fd73e] 3 /usr/share/simplesamlphp/modules/core/lib/Auth/UserPassBase.php:93 (sspmod_core_Auth_UserPassBase::__construct) Jun 29 22:27:57 simplesamlphp ERROR [00e11fd73e] 2 /usr/share/simplesamlphp/modules/privacyidea/lib/Auth/Source/privacyidea.php:80 (sspmod_privacyidea_Auth_Source_priva cyidea::__construct) Jun 29 22:27:57 simplesamlphp ERROR [00e11fd73e] 1 /usr/share/simplesamlphp/modules/privacyidea/www/loginform.php:135 (require) Jun 29 22:27:57 simplesamlphp ERROR [00e11fd73e] 0 /usr/share/simplesamlphp/www/module.php:127 (N/A) ``` Can we avoid the ERROR messages?