SimpleSAML privacyIDEA 2-step login page

Hi,
Would someone be able to point me in the right direction to set up SimpleSAML and privacyIDEA as a 2-step login process?

I have synced privacyIDEA with LDAP and connected simplesamlphp using privacyIDEA as an authsource.
I set a policy using otppin=userstore so I can use the LDAP password instead of the user PIN. I can successfully log in from simplesaml using LDAP username, LDAP password + OTP.

I would like to configure it so the login page is a two step process.
Step 1/Page 1: LDAP username + LDAP password
Step 2/Page 2: OTP code

I would also like to add an IP policy in, so the MFA process is only required from outside the office IP range.

How would I go about implementing this?

Thanks.

Hi James,

in regards to the two steps: This is not meant to be used this way. However, you can simulate this.
privacyIDEA and the privacyIDEA simpleSAMLphp plugin support challenge response.
This is normally used for sending emails or SMS. However, you can run C/R also with normal tokens. Maybe you are using the cool privacyIDEA Authenticator App as a smartphone TOTP token.

Then you need to configure an authentication policy, and define the TOTP (or HOTP) tokens to also do challenge response. Then the user can login as you intended.

The other possibility would be to not use the authsource but our new authprocfilter. It is currently in the release state for 1.7. But the code is already available on GitHub.
This way the first authsource would be the simplesaml ldap module and privacyIDEA would be added as a 2nd step.

In regards to the client IPs: privacyIDEA supports this, defining policies depending on the client IP.
BUT for privacyIDEA the client is always the IdP.
And I think the plugin does this, too: https://github.com/privacyidea/simplesamlphp-module-privacyidea/blob/007f23cb86eee41de2d1148fa7996f39e32f2c59/lib/Auth/Source/privacyidea.php#L176

Read: https://privacyidea.readthedocs.io/en/latest/configuration/system_config.html#override-authorization-client

Kind regards
Cornelius


I went ahead and worked towards this solution on your advice; it's mostly working well, as intended. However, I can't get the client IP to pass through to the privacyIDEA server. The client IP always appears as the proxy.

In the SimpleSAML debug logs it is detecting REMOTE_ADDR as the correct IP.
By the time it gets to the privacyIDEA server, the client IP shows as the SimpleSAML server IP.
I set the override authorization clients to allow masquerading correctly, according to the documentation.

There are no useful error messages in the SAML or privacyIDEA debug logs. This is the only item of any interest, but I'm not sure it is relevant:
WARNING [0deb153847] The class or interface ‘SimpleSAML_Logger’ is now using namespaces, please use ‘SimpleSAML\Logger’.

Is there a simple step I have missed to pass the Remote IP as the client IP? Do I need to map it as an attribute? Otherwise I guess I could have an environment issue. Apart from the lack of IP everything else seems to work though.

Thanks

You have to pass the original IP as parameter client.

As far as override is concerned: It could also be localhost!?

Do you have some code to look at, some git repo?
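A constructed model of the two-part mechanism Cornelius describes (the IdP forwards the original REMOTE_ADDR as the `client` parameter, and privacyIDEA honours it only when the connecting IdP is listed as an override authorization client), combined with the office-subnet policy James wants. This is an added example, not privacyIDEA's or the plugin's code; the function names, the simplified override rule and all addresses are assumptions:

```python
"""Simplified model of client-IP resolution behind an IdP proxy.

Constructed illustration, not privacyIDEA's own implementation. It shows why
the IdP's address appears as the client whenever the IdP is not in the
override list, and how a subnet policy then uses the resolved address.
"""
import ipaddress
from typing import Iterable, Optional, Tuple


def effective_client_ip(connecting_ip: str, client_param: Optional[str],
                        override_clients: Iterable[str]) -> str:
    """Return the address that policies should be evaluated against.

    The forwarded 'client' parameter is trusted only when the host that made
    the request (the IdP) is in the override list; otherwise the connecting
    host itself is treated as the client.
    """
    trusted = {ipaddress.ip_address(ip) for ip in override_clients}
    source = ipaddress.ip_address(connecting_ip)
    if client_param and source in trusted:
        try:
            return str(ipaddress.ip_address(client_param.strip()))
        except ValueError:
            pass  # malformed forwarded value: fall back to the connecting host
    return str(source)


def otp_required(client_ip: str, office_networks: Iterable[str]) -> bool:
    """Policy: the second factor is skipped only inside the office ranges."""
    ip = ipaddress.ip_address(client_ip)
    return not any(ip in ipaddress.ip_network(net) for net in office_networks)


def decide(connecting_ip: str, client_param: Optional[str],
           override_clients: Iterable[str],
           office_networks: Iterable[str]) -> Tuple[str, bool]:
    """Resolve the client and report whether that client needs an OTP."""
    client = effective_client_ip(connecting_ip, client_param, override_clients)
    return client, otp_required(client, office_networks)


if __name__ == "__main__":
    IDP = "10.0.0.5"              # constructed: simpleSAMLphp host
    OVERRIDE = ["10.0.0.5"]       # constructed: override authorization clients
    OFFICE = ["192.168.1.0/24"]   # constructed: office subnet, no OTP needed
    print(decide(IDP, "203.0.113.7", OVERRIDE, OFFICE))   # ('203.0.113.7', True)
    print(decide(IDP, "192.168.1.20", OVERRIDE, OFFICE))  # ('192.168.1.20', False)
    print(decide(IDP, "192.168.1.20", [], OFFICE))        # ('10.0.0.5', True)
```

The third call reproduces the symptom in the thread: with the IdP missing from the override list, every request is attributed to the IdP's own address and the office exemption never matches.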

You have to pass the original IP as parameter client.
Where do I need to do this?

I don't understand why it would be localhost, but I tried to experiment with that anyway. I will need to sort the code out and upload it.

I also found this error in PrivacyIDEA
[2018-12-03 13:18:28,522][2564][140227201443584][DEBUG][privacyidea.api.lib.utils:246] Can not get param: No JSON object could be decoded

Here in this array:

"client" => REMOTE_ADDR,

I don't see how this is going to work, because the authproc filter doesn't talk to the privacyIDEA server until the OTP has been inserted (after stage 2). So there is no way to make a decision on whether MFA is required or not until the communication happens, which is after the OTP is already inserted.

Edit:
I see what you mean now.

I was able to replicate the behavior of a two-step process using privacyIDEA as an authsource. This also passes the client IP through properly, allowing me to create a policy for a subnet, where I can then specify the challenge as an spass token, which allows bypass of MFA (need to test the spass bit still).

Thanks :slight_smile: