First off, great appreciation for all the hard work done and continuing to be done on PrivacyIdea. While we haven’t been using it long and are still working towards production deployments, our initial impressions are very favorable. Kudos and good job!
Now, to the fun parts: understanding federations in v3.11. The documentation and how-tos are a bit thin in this area, and I accept that the short answer may be “go buy a support contract for Enterprise Support” – that’s OK, those wheels have been engaged and are (slowly) turning. In addition, I’ve browsed through the Github open issues and PRs and haven’t seen anything that addresses these questions.
In a nutshell, we’re looking to set up a scenario as described in the Federation Handler Module documentation – a “child” PI instance that can forward requests to “upstream” PI instances. We’re using Yubikeys if that is relevant. My explorations in this area have determined that this can and does work, albeit with some hurdles and annoyances:
- Users need to be known in both PI instances. Understandable, but annoying and probably not possible to work around?
- Users in the “child” instance need to have a Remote token assigned. Again, understandable, but several questions here:
  - `Remote Serial` is required to be set, but appears to be updated on first usage, so a value of `1` or similar appears to work? I may be confused here; lots of trials and explorations have occurred.
  - `Check the PIN locally` doesn’t appear to work (and isn’t changeable from the GUI once created). My explorations reveal that the PIN is checked on the child instance even if `remote.local_checkpin` is set to `0` in `tokeninfo`, and (of course) needs to match the parent instance. This is a major blocker and smells like a bug, but I haven’t dug into the code yet.
Any guidance here would be appreciated!
As an aside, I’ve found the PI container stack at GitHub (gpappsoft/privacyidea-docker: “Simply deploy and run a privacyIDEA instance in a container environment”) to be invaluable; I was able to incorporate those pieces into my containerized test environment with relative ease to explore federations with multiple PI instances.
Thanks all,
–Chan