Require OTP for Webui if one exists

Jeremy_McNab · December 22, 2021, 6:00pm

I’m new to the privacyidea community, I’ve searched for the answer but I’m not sure if i am searching correctly.

Is there a way (policy/handler) to require a TOTP/HOTP/SMS OTP on webui login, if they have a token? And just require that they have username and password if they dont?

AAuer · December 23, 2021, 11:52am

Hi,
its in the webui- and authentication-policy:
in the webui policy you set the authentication mode to privacyidea
in the auth policy you set passonnototoken to true

Jeremy_McNab · December 23, 2021, 8:06pm

thank you for the response, what if you are using an external authentication mechanism? like ldap or sql?

cornelinux · December 27, 2021, 10:17am

Q: “What if…?”
A: “Well, everything is fine, then!”

The policies @aauer mentioned define, that the user should be authenticated against privacyIDEA (webui policy loginmode) and how the user should then be authenticated (passthru and also otppin).

Your question is very vague. So you might need to elaborate on your question.

(You might want to read this post)

Jeremy_McNab · December 27, 2021, 7:29pm

I have read that already. And have spent many hours trying different setting and searching through documentation, and reading posts.

What I am trying to accomplish is to ensure that the website that users can manage their tokens at, is at least in some fashion preventing just a basic username and password.

And @AAuer definitely helped by pointing me in the right direction which i gave thanks for.

The settings i’ve gotten to work to at least require that the user login with a token on subsequent logins when they have a token is:

authentication { “otppin”: “tokenpin”, “passthru”: “userstore” }
webui { “login_mode”: “privacyIDEA” }

cornelinux · December 28, 2021, 12:22pm

This question was not clear. So I think it is obsolete.?

Jeremy_McNab · January 14, 2022, 9:35pm

Yes, the external auth method is LDAP. My inquiry was mostly to see if there was a feature we were not seeing that when a user logs into the piserver webui with the external auth credentials that it would prompt for a token as well to ensure that piserver itself was adhering to a mulit-factor authentication scheme.

cornelinux · January 15, 2022, 7:53am

If you want LDAP ans 2nd factor at the webui, this is easily possible. You need the following policies:

7.3. Authentication policies — privacyIDEA 3.6.2 documentation (set to userstore)

7.6. WebUI Policies — privacyIDEA 3.6.2 documentation (set to privacyIDEA)