I have a need to have TOTP and Push tokens assigned to a user that needs to be shared between realms. I’m using PI version 3.11. The reason for this is described below:
- jdoe belongs to LDAP resolver and assigned to realm “mfa” for vpn login access.
- jdoe should also be able to use their assigned tokens (TOTP or Push) for device ssh/https access AND full admin access to PrivacyIDEA webui but it appears I would need a separate realm for this. Tokens appear to be attached to realm and resolver so I can’t use the TOTP or Push token if I set an authentication policy matching a realm for this.
- janedoe belongs to SAME LDAP resolver and assigned to realm “mfa” but should have vpn access ONLY.
- janedoe should NOT be able to access device ssh/https
- janedoe should NOT have full admin PrivacyIDEA webui access but should be able to login to PrivacyIDEA webui to manage their own tokens.
Anyone have any suggestions on how to do this? Thanks!
Joe
You are mixing two things here
a) Using one token by two different users and
b) controlling access to different resources.
I will here only respond to a).
You are right.
In privacyIDEA a “user” is defined by uid, resolver and realm.
Also see 5.2. Realms — privacyIDEA 3.11.3 documentation
That means, for privacyIDEA an LDAP object (aka user) will be different users in privacyIDEA, if this LDAP object is found in different ways — either via a different resolver or a different realm.
This is the intended design decision. This can be interesting if you have different roles, like your LDAP object should on the one hand be normal user, on the other hand a helpdesk user or on the third hand an administrator.
I have a hunch: NOTE: You should NOT use resolver or realms to control access to different applications!
Rather do this via policies!
Currently one token can not be assigned to several users. We have this idea in the back of our heads, but it would be more complicated to implement.
If you have one token, that should be used by different users, you can still use the “remote token” token type.
Several users can have a remote token that points to the same physical/real token.
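A toy model of the identity triple and of remote-token forwarding described in the reply above, as an added example that is not part of this thread or of privacyIDEA's own code base: the users, serials, secret and in-memory token store are constructed, and the OTP check is a plain RFC 6238 TOTP without the time window privacyIDEA would apply.

```python
import hashlib
import hmac
import struct
import time
from dataclasses import dataclass


# privacyIDEA identifies a user by the triple (uid, resolver, realm): the same
# LDAP object reached through another realm is a *different* user.
@dataclass(frozen=True)
class User:
    uid: str
    resolver: str
    realm: str


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the given unix time."""
    counter = struct.pack(">Q", at // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return str(code).zfill(digits)


# Constructed token store: serial -> token record. The "remote" token carries no
# secret of its own; it only references the serial of the real TOTP token.
TOKENS = {
    "TOTP0001": {"type": "totp", "owner": User("jdoe", "ldap", "mfa"),
                 "secret": b"12345678901234567890"},
    "REMO0001": {"type": "remote", "owner": User("jdoe", "ldap", "admins"),
                 "remote.serial": "TOTP0001"},
}


def tokens_of(user: User) -> list:
    """Serials owned by exactly this (uid, resolver, realm) identity."""
    return [serial for serial, tok in TOKENS.items() if tok["owner"] == user]


def check_otp(serial: str, otp: str, at: int) -> bool:
    tok = TOKENS[serial]
    if tok["type"] == "remote":
        # Forward the check to the referenced token, as a remote token does.
        return check_otp(tok["remote.serial"], otp, at)
    return hmac.compare_digest(totp(tok["secret"], at), otp)


def authenticate(user: User, otp: str, at: int = None) -> bool:
    """True if any token owned by this identity accepts the OTP."""
    at = int(time.time()) if at is None else at
    return any(check_otp(serial, otp, at) for serial in tokens_of(user))
```

Run against the RFC 6238 test secret at t=59, jdoe in realm "mfa" authenticates with the TOTP directly, jdoe in realm "admins" authenticates only through the remote token, and janedoe in "mfa" has no token at all.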
Thank you for the explanation. I may explore the remote token idea. My temporary fix was to use different realms for users that need access to different services and then apply policies to allow/deny them. I appreciate your time. PrivacyIDEA is fantastic. Keep up the great work!