I’m trying to have only a subset of my users, those with more rights in some applications (teachers and staff), use 2-factor authentication, and the majority of the users (students) not.
Detailed scenario:
- log in using simplesamlphp
- filter logins using method 2 on https://github.com/privacyidea/simplesamlphp-module-privacyidea/blob/master/docs/privacyidea.md -> privacyIDEA through a filter.
In privacyIDEA I use the same authentication source as in simplesamlphp (a MySQL database), and with the WHERE clause I filter a subset of the users.
I use a policy with passonnotoken and passonnouser enabled, which applies only to a realm, not to a resolver (see https://github.com/privacyidea/privacyidea/issues/798).
I switched off 'class' => 'privacyidea:tokenEnrollment' in simplesamlphp since I found somewhere that it is not a good idea to do this with passonnouser. Therefore I enabled passonnotoken; I’ll find another way to enrol tokens later.
So the expected behaviour is that someone with an account in privacyIDEA and a token would
- get the login-page from SimpleSamlphp
- get the question for the 2nd factor
- log in
Someone without a token or without an account would
- get the login-page from SimpleSamlphp
- log in
The result here is that I always get the 2nd-factor page: for known and unknown users, for known users with and without a token. The passonnotoken and passonnouser don’t seem to work. Users without a token or account are stuck there.
However, when I run the validate check (https://FQDN/validate/check?user=username&pass=password&realm=realm) I get:
{"detail": {"message": "user does not exist, accepted due to 'passOnNoUser'", "threadid": 139765643695872}, "id": 1, "jsonrpc": "2.0", "result": {"status": true, "value": true}, "time": 1591168062.2148845, "version": "privacyIDEA 3.3.3", "versionnumber": "3.3.3", "signature":
So it seems to work on the PrivacyIDEA side.
If I try to log in with such a non-existent user anyway, I get (obviously) an error message:
SimpleSAML\Error\BadRequest: BADREQUEST('%REASON%' => 'privacyIDEA: Valid JSON response, but some internal error occured in PI server')
Backtrace:
3 modules/privacyidea/lib/Auth/Process/privacyidea.php:201 (sspmod_privacyidea_Auth_Process_privacyidea::authenticate)
2 modules/privacyidea/www/otpform.php:53 (require)
1 lib/SimpleSAML/Module.php:260 (SimpleSAML\Module::process)
0 www/module.php:10 (N/A)
How do I make it so the users without token or without an account on PrivacyIDEA don’t get the second factor page? I assumed (maybe wrongly) that this would happen automagically if privacyIDEA accepted.
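Something that helps when debugging a setup like the one described above, as an added example that is not part of the original post and not code from the privacyIDEA project or the simplesamlphp module: a small Python classifier for the JSON that /validate/check returns, so that a genuine OTP success can be told apart from a login that was only accepted because a passOnNoUser or passOnNoToken policy fired. The passOnNoUser message text is the one quoted in the post; the passOnNoToken marker, the non-pass-through sample answers and the use of POST instead of the GET query string are assumptions made here.

```python
"""Interpret privacyIDEA /validate/check answers for a pass-through setup.

Added example, not code from the original post, the privacyIDEA project or
the simplesamlphp module. It classifies the JSON that /validate/check returns
so that a genuine OTP success can be told apart from a login that was only
accepted because a passOnNoUser / passOnNoToken policy fired.
"""
import json
import urllib.parse
import urllib.request

# The passOnNoUser marker is the wording in the response quoted in the post.
# The passOnNoToken marker is an ASSUMPTION modelled on it; adjust it to the
# text your server actually returns.
PASS_THROUGH_MARKERS = ("passOnNoUser", "passOnNoToken")


def classify_validate_response(resp: dict) -> str:
    """Return 'accepted', 'accepted_passthrough', 'rejected' or 'error'.

    accepted              result.value true, no policy marker in detail.message
    accepted_passthrough  result.value true only because a policy let it through
    rejected              result.status true but result.value false
    error                 result.status false or unexpected shape
    """
    result = resp.get("result")
    if not isinstance(result, dict) or result.get("status") is not True:
        return "error"
    detail = resp.get("detail") or {}
    message = str(detail.get("message", ""))
    if result.get("value") is True:
        if any(marker in message for marker in PASS_THROUGH_MARKERS):
            return "accepted_passthrough"
        return "accepted"
    return "rejected"


def validate_check(base_url: str, user: str, password: str, realm: str,
                   timeout: float = 5.0) -> str:
    """POST to /validate/check and classify the answer.

    The post tests with a GET query string; privacyIDEA accepts the same
    parameters as a POST body, which keeps the password out of URL logs.
    This is a network call and is not exercised by the offline samples below.
    The response signature is not verified here.
    """
    data = urllib.parse.urlencode(
        {"user": user, "pass": password, "realm": realm}).encode()
    req = urllib.request.Request(f"{base_url.rstrip('/')}/validate/check",
                                 data=data, method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as fh:
        return classify_validate_response(json.load(fh))


# Constructed samples. The first mirrors the answer shown in the post
# (signature field omitted). The others are constructed to show the remaining
# shapes; their "message" texts are illustrative, not copied from a server.
SAMPLE_PASS_ON_NO_USER = json.loads("""
{"detail": {"message": "user does not exist, accepted due to 'passOnNoUser'",
            "threadid": 139765643695872},
 "id": 1, "jsonrpc": "2.0",
 "result": {"status": true, "value": true},
 "time": 1591168062.2148845,
 "version": "privacyIDEA 3.3.3", "versionnumber": "3.3.3"}
""")
SAMPLE_TOKEN_OK = {"result": {"status": True, "value": True},
                   "detail": {"message": "matching 1 tokens"}}
SAMPLE_WRONG_OTP = {"result": {"status": True, "value": False},
                    "detail": {"message": "wrong otp value"}}
SAMPLE_SERVER_ERROR = {"result": {"status": False,
                                  "error": {"code": -500,
                                            "message": "internal error"}}}


if __name__ == "__main__":
    for name, sample in [("pass_on_no_user", SAMPLE_PASS_ON_NO_USER),
                         ("token_ok", SAMPLE_TOKEN_OK),
                         ("wrong_otp", SAMPLE_WRONG_OTP),
                         ("server_error", SAMPLE_SERVER_ERROR)]:
        print(f"{name:16} -> {classify_validate_response(sample)}")
```

Only the accepted_passthrough outcome corresponds to the case the post wants to skip the OTP page for; a plain accepted already means a token was matched, and rejected or error should keep the user on the second-factor page or fail the login. Run it against your own server with validate_check(base_url, user, password, realm) once the offline samples behave as expected.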