SimpleSAMLphp and PrivacyIDEA module

Hello everybody,

I am trying to set up SimpleSAMLphp with PrivacyIDEA (final goal: 2FA for Nextcloud as described in the how-to “How to use Nextcloud with privacyIDEA”). PrivacyIDEA is up and running, and I can successfully test the enrolled user with the software token in the web GUI.

But something with the SimpleSAMLphp module does not seem to work. When I use the test functionality in SimpleSAMLphp, I receive the (German) answer “In der Anfrage dieser Seite trat ein Fehler auf, der Grund ist: Valid JSON response, but some internal error occured in privacyidea server.”

I attach the debug log from SimpleSAMLphp:
Jan 05 10:35:25 simplesamlphp WARNING [438fa9784e] The class or interface ‘SimpleSAML_Auth_State’ is now using namespaces, please use ‘SimpleSAML\Auth\State’.
Jan 05 10:35:25 simplesamlphp DEBUG [438fa9784e] Loading state: ‘725b56e109087e3d414cc9c42613135f9d9e50508c:sso.my-domain.de/saml/module.php/core/as_login.php?AuthId=myauth-pi&ReturnTo=https%3A%2F%2F_sso.my-domain.de%2Fsaml%2Fmodule.php%2Fcore%2Fauthenticate.php%3Fas%3Dmyauth-pi’
Jan 05 10:35:25 simplesamlphp WARNING [438fa9784e] The class or interface ‘sspmod_core_Auth_UserPassBase’ is now using namespaces, please use ‘SimpleSAML\Module\core\Auth\UserPassBase’ instead.
Jan 05 10:35:25 simplesamlphp WARNING [438fa9784e] The class or interface ‘SimpleSAML_Logger’ is now using namespaces, please use ‘SimpleSAML\Logger’.
Jan 05 10:35:25 simplesamlphp DEBUG [438fa9784e] calling privacyIDEA handleLogin with authState: 725b56e109087e3d414cc9c42613135f9d9e50508c:sso.my-domain.de/saml/module.php/core/as_login.php?AuthId=myauth-pi&ReturnTo=https%3A%2F%2F_sso.my-domain.de%2Fsaml%2Fmodule.php%2Fcore%2Fauthenticate.php%3Fas%3Dmyauth-pi for user test.user
Jan 05 10:35:25 simplesamlphp WARNING [438fa9784e] The class or interface ‘SimpleSAML_Utilities’ is now using namespaces, please use ‘SimpleSAML\Utilities’.
Jan 05 10:35:25 simplesamlphp DEBUG [438fa9784e] Loading state: ‘725b56e109087e3d414cc9c42613135f9d9e50508c:sso.my-domain.de/saml/module.php/core/as_login.php?AuthId=myauth-pi&ReturnTo=https%3A%2F%2F_sso.my-domain.de%2Fsaml%2Fmodule.php%2Fcore%2Fauthenticate.php%3Fas%3Dmyauth-pi’
Jan 05 10:35:25 simplesamlphp WARNING [438fa9784e] The class or interface ‘SimpleSAML_Auth_Source’ is now using namespaces, please use ‘SimpleSAML\Auth\Source’.
Jan 05 10:35:25 simplesamlphp DEBUG [438fa9784e] Using IP from REMOTE_ADDR: 85.85.85.85
Jan 05 10:35:25 simplesamlphp DEBUG [438fa9784e] privacyidea URL:nfa.int.my-domain.de/pi
Jan 05 10:35:25 simplesamlphp DEBUG [438fa9784e] user : test.user
Jan 05 10:35:25 simplesamlphp DEBUG [438fa9784e] transaction_id:
Jan 05 10:35:25 simplesamlphp ERROR [438fa9784e] SimpleSAML\Error\Exception: Error 8 - Trying to get property ‘result’ of non-object at /var/www/clients/client3/web36/private/simplesamlphp-1.18.3/modules/privacyidea/lib/Auth/Source/privacyidea.php:180
Jan 05 10:35:25 simplesamlphp ERROR [438fa9784e] Backtrace:
Jan 05 10:35:25 simplesamlphp ERROR [438fa9784e] 5 /var/www/clients/client3/web36/private/simplesamlphp-1.18.3/www/_include.php:48 (SimpleSAML_error_handler)
Jan 05 10:35:25 simplesamlphp ERROR [438fa9784e] 4 /var/www/clients/client3/web36/private/simplesamlphp-1.18.3/modules/privacyidea/lib/Auth/Source/privacyidea.php:180 (sspmod_privacyidea_Auth_Source_privacyidea::login_chal_resp)
Jan 05 10:35:25 simplesamlphp ERROR [438fa9784e] 3 /var/www/clients/client3/web36/private/simplesamlphp-1.18.3/modules/privacyidea/lib/Auth/Source/privacyidea.php:374 (sspmod_privacyidea_Auth_Source_privacyidea::handleLogin)
Jan 05 10:35:25 simplesamlphp ERROR [438fa9784e] 2 /var/www/clients/client3/web36/private/simplesamlphp-1.18.3/modules/privacyidea/www/otpform.php:60 (require)
Jan 05 10:35:25 simplesamlphp ERROR [438fa9784e] 1 /var/www/clients/client3/web36/private/simplesamlphp-1.18.3/lib/SimpleSAML/Module.php:254 (SimpleSAML\Module::process)
Jan 05 10:35:25 simplesamlphp ERROR [438fa9784e] 0 /var/www/clients/client3/web36/private/simplesamlphp-1.18.3/www/module.php:10 (N/A)
Jan 05 10:35:25 simplesamlphp ERROR [438fa9784e] SimpleSAML\Error\Exception: Error 8 - Trying to get property ‘detail’ of non-object at /var/www/clients/client3/web36/private/simplesamlphp-1.18.3/modules/privacyidea/lib/Auth/Source/privacyidea.php:181
Jan 05 10:35:25 simplesamlphp ERROR [438fa9784e] Backtrace:
Jan 05 10:35:25 simplesamlphp ERROR [438fa9784e] 5 /var/www/clients/client3/web36/private/simplesamlphp-1.18.3/www/_include.php:48 (SimpleSAML_error_handler)
Jan 05 10:35:25 simplesamlphp ERROR [438fa9784e] 4 /var/www/clients/client3/web36/private/simplesamlphp-1.18.3/modules/privacyidea/lib/Auth/Source/privacyidea.php:181 (sspmod_privacyidea_Auth_Source_privacyidea::login_chal_resp)
Jan 05 10:35:25 simplesamlphp ERROR [438fa9784e] 3 /var/www/clients/client3/web36/private/simplesamlphp-1.18.3/modules/privacyidea/lib/Auth/Source/privacyidea.php:374 (sspmod_privacyidea_Auth_Source_privacyidea::handleLogin)
Jan 05 10:35:25 simplesamlphp ERROR [438fa9784e] 2 /var/www/clients/client3/web36/private/simplesamlphp-1.18.3/modules/privacyidea/www/otpform.php:60 (require)
Jan 05 10:35:25 simplesamlphp ERROR [438fa9784e] 1 /var/www/clients/client3/web36/private/simplesamlphp-1.18.3/lib/SimpleSAML/Module.php:254 (SimpleSAML\Module::process)
Jan 05 10:35:25 simplesamlphp ERROR [438fa9784e] 0 /var/www/clients/client3/web36/private/simplesamlphp-1.18.3/www/module.php:10 (N/A)
Jan 05 10:35:25 simplesamlphp DEBUG [438fa9784e] privacyidea result:
Jan 05 10:35:25 simplesamlphp ERROR [438fa9784e] SimpleSAML\Error\Exception: Error 8 - Trying to get property ‘status’ of non-object at /var/www/clients/client3/web36/private/simplesamlphp-1.18.3/modules/privacyidea/lib/Auth/Source/privacyidea.php:183
Jan 05 10:35:25 simplesamlphp ERROR [438fa9784e] Backtrace:
Jan 05 10:35:25 simplesamlphp ERROR [438fa9784e] 5 /var/www/clients/client3/web36/private/simplesamlphp-1.18.3/www/_include.php:48 (SimpleSAML_error_handler)
Jan 05 10:35:25 simplesamlphp ERROR [438fa9784e] 4 /var/www/clients/client3/web36/private/simplesamlphp-1.18.3/modules/privacyidea/lib/Auth/Source/privacyidea.php:183 (sspmod_privacyidea_Auth_Source_privacyidea::login_chal_resp)
Jan 05 10:35:25 simplesamlphp ERROR [438fa9784e] 3 /var/www/clients/client3/web36/private/simplesamlphp-1.18.3/modules/privacyidea/lib/Auth/Source/privacyidea.php:374 (sspmod_privacyidea_Auth_Source_privacyidea::handleLogin)
Jan 05 10:35:25 simplesamlphp ERROR [438fa9784e] 2 /var/www/clients/client3/web36/private/simplesamlphp-1.18.3/modules/privacyidea/www/otpform.php:60 (require)
Jan 05 10:35:25 simplesamlphp ERROR [438fa9784e] 1 /var/www/clients/client3/web36/private/simplesamlphp-1.18.3/lib/SimpleSAML/Module.php:254 (SimpleSAML\Module::process)
Jan 05 10:35:25 simplesamlphp ERROR [438fa9784e] 0 /var/www/clients/client3/web36/private/simplesamlphp-1.18.3/www/module.php:10 (N/A)
Jan 05 10:35:25 simplesamlphp ERROR [438fa9784e] SimpleSAML\Error\Exception: Error 8 - Trying to get property ‘value’ of non-object at /var/www/clients/client3/web36/private/simplesamlphp-1.18.3/modules/privacyidea/lib/Auth/Source/privacyidea.php:184
Jan 05 10:35:25 simplesamlphp ERROR [438fa9784e] Backtrace:
Jan 05 10:35:25 simplesamlphp ERROR [438fa9784e] 5 /var/www/clients/client3/web36/private/simplesamlphp-1.18.3/www/_include.php:48 (SimpleSAML_error_handler)
Jan 05 10:35:25 simplesamlphp ERROR [438fa9784e] 4 /var/www/clients/client3/web36/private/simplesamlphp-1.18.3/modules/privacyidea/lib/Auth/Source/privacyidea.php:184 (sspmod_privacyidea_Auth_Source_privacyidea::login_chal_resp)
Jan 05 10:35:25 simplesamlphp ERROR [438fa9784e] 3 /var/www/clients/client3/web36/private/simplesamlphp-1.18.3/modules/privacyidea/lib/Auth/Source/privacyidea.php:374 (sspmod_privacyidea_Auth_Source_privacyidea::handleLogin)
Jan 05 10:35:25 simplesamlphp ERROR [438fa9784e] 2 /var/www/clients/client3/web36/private/simplesamlphp-1.18.3/modules/privacyidea/www/otpform.php:60 (require)
Jan 05 10:35:25 simplesamlphp ERROR [438fa9784e] 1 /var/www/clients/client3/web36/private/simplesamlphp-1.18.3/lib/SimpleSAML/Module.php:254 (SimpleSAML\Module::process)
Jan 05 10:35:25 simplesamlphp ERROR [438fa9784e] 0 /var/www/clients/client3/web36/private/simplesamlphp-1.18.3/www/module.php:10 (N/A)
Jan 05 10:35:25 simplesamlphp ERROR [438fa9784e] SimpleSAML\Error\Exception: Error 8 - Trying to get property ‘auth’ of non-object at /var/www/clients/client3/web36/private/simplesamlphp-1.18.3/modules/privacyidea/lib/Auth/Source/privacyidea.php:184
Jan 05 10:35:25 simplesamlphp ERROR [438fa9784e] Backtrace:
Jan 05 10:35:25 simplesamlphp ERROR [438fa9784e] 5 /var/www/clients/client3/web36/private/simplesamlphp-1.18.3/www/_include.php:48 (SimpleSAML_error_handler)
Jan 05 10:35:25 simplesamlphp ERROR [438fa9784e] 4 /var/www/clients/client3/web36/private/simplesamlphp-1.18.3/modules/privacyidea/lib/Auth/Source/privacyidea.php:184 (sspmod_privacyidea_Auth_Source_privacyidea::login_chal_resp)
Jan 05 10:35:25 simplesamlphp ERROR [438fa9784e] 3 /var/www/clients/client3/web36/private/simplesamlphp-1.18.3/modules/privacyidea/lib/Auth/Source/privacyidea.php:374 (sspmod_privacyidea_Auth_Source_privacyidea::handleLogin)
Jan 05 10:35:25 simplesamlphp ERROR [438fa9784e] 2 /var/www/clients/client3/web36/private/simplesamlphp-1.18.3/modules/privacyidea/www/otpform.php:60 (require)
Jan 05 10:35:25 simplesamlphp ERROR [438fa9784e] 1 /var/www/clients/client3/web36/private/simplesamlphp-1.18.3/lib/SimpleSAML/Module.php:254 (SimpleSAML\Module::process)
Jan 05 10:35:25 simplesamlphp ERROR [438fa9784e] 0 /var/www/clients/client3/web36/private/simplesamlphp-1.18.3/www/module.php:10 (N/A)
Jan 05 10:35:25 simplesamlphp WARNING [438fa9784e] The class or interface ‘SimpleSAML_Error_BadRequest’ is now using namespaces, please use ‘SimpleSAML\Error\BadRequest’.
Jan 05 10:35:25 simplesamlphp NOTICE STAT [438fa9784e] Unsuccessful login attempt from 85.85.85.85.
Jan 05 10:35:25 simplesamlphp ERROR [438fa9784e] SimpleSAML\Error\BadRequest: BADREQUEST(’%REASON%’ => ‘Valid JSON response, but some internal error occured in privacyidea server.’)
Jan 05 10:35:25 simplesamlphp ERROR [438fa9784e] Backtrace:
Jan 05 10:35:25 simplesamlphp ERROR [438fa9784e] 4 /var/www/clients/client3/web36/private/simplesamlphp-1.18.3/modules/privacyidea/lib/Auth/Source/privacyidea.php:191 (sspmod_privacyidea_Auth_Source_privacyidea::login_chal_resp)
Jan 05 10:35:25 simplesamlphp ERROR [438fa9784e] 3 /var/www/clients/client3/web36/private/simplesamlphp-1.18.3/modules/privacyidea/lib/Auth/Source/privacyidea.php:374 (sspmod_privacyidea_Auth_Source_privacyidea::handleLogin)
Jan 05 10:35:25 simplesamlphp ERROR [438fa9784e] 2 /var/www/clients/client3/web36/private/simplesamlphp-1.18.3/modules/privacyidea/www/otpform.php:60 (require)
Jan 05 10:35:25 simplesamlphp ERROR [438fa9784e] 1 /var/www/clients/client3/web36/private/simplesamlphp-1.18.3/lib/SimpleSAML/Module.php:254 (SimpleSAML\Module::process)
Jan 05 10:35:25 simplesamlphp ERROR [438fa9784e] 0 /var/www/clients/client3/web36/private/simplesamlphp-1.18.3/www/module.php:10 (N/A)
Jan 05 10:35:25 simplesamlphp ERROR [438fa9784e] Error report with id c04fc0a9 generated.
Jan 05 10:35:25 simplesamlphp DEBUG [438fa9784e] Localization: using old system
Jan 05 10:35:25 simplesamlphp DEBUG [438fa9784e] Translate: Reading dictionary [/var/www/clients/client3/web36/private/simplesamlphp-1.18.3/dictionaries/errors]

Please kindly let me know what I can do about this or which information I can present to help find the “internal error”. Thanks!

Regards
Andreas

PS: I had to delete some “https” because otherwise the system wouldn’t let me post.

Hello and welcome to the privacyIDEA community!

If you get an internal server error from privacyIDEA, it is a good idea to look at privacyIDEA for more information. You can take a look at the privacyIDEA log file (usually /var/log/privacyidea/privacyidea.log) and at the webserver error log (depending on your web server and your distro, like /var/log/apache2/error.log).

Regards
Cornelius

Thanks for your immediate reply!

Unfortunately /var/log/privacyidea/privacyidea.log is empty (last entry from 2019-12-19). I checked: time and date are correct on my machine.

In /var/log/apache2/error.log I find just the following:
[Sun Jan 05 10:35:24.006653 2020] [wsgi:error] [pid 2555:tid 140008860104448] The configuration name is: production
[Sun Jan 05 10:35:24.006691 2020] [wsgi:error] [pid 2555:tid 140008860104448] Additional configuration can be read from the file /etc/privacyidea/pi.cfg
[Sun Jan 05 10:35:24.031541 2020] [wsgi:error] [pid 2555:tid 140008860104448] The config file specified in PI_LOGCONFIG does not exist.
[Sun Jan 05 10:35:24.031559 2020] [wsgi:error] [pid 2555:tid 140008860104448] Could not use PI_LOGCONFIG. Using PI_LOGLEVEL and PI_LOGFILE.
[Sun Jan 05 10:35:24.031565 2020] [wsgi:error] [pid 2555:tid 140008860104448] Using PI_LOGLEVEL 20.
[Sun Jan 05 10:35:24.031568 2020] [wsgi:error] [pid 2555:tid 140008860104448] Using PI_LOGFILE /var/log/privacyidea/privacyidea.log.

The system is Ubuntu 18.04.3 LTS with PrivacyIDEA 3.2-1bionic.

Something could be weird in your installation:

Your privacyidea.log file should not be empty, since it looks like you have log level “INFO” configured, which will always produce output in the privacyidea.log file. So either the server is using another file or the server cannot write to the file.

An internal server error usually should produce output in the Apache error log; strange that it does not.

You could also, as a first step, take a look at the Audit log in the web UI to see what happens (or what kind of entry you get from the authentication request by simplesamlphp).

Thanks again for your support! Now I found some time to dig into this. I’ve set up a fresh install of PrivacyIDEA on a fresh VM just to be sure. Here the log file is written correctly, and that pointed me to the missing detail:

[2020-03-28 16:28:08,226][1152][140403970782976][DEBUG][privacyidea.api.before_after:84] Begin handling of request ‘/pi/validate/samlcheck?’
[2020-03-28 16:28:08,228][1152][140403970782976][DEBUG][privacyidea.api.before_after:90] End handling of request ‘/pi/validate/samlcheck?’

The PI server is listening on the root directory, but I erroneously configured …/pi in authsources.php of SimpleSAMLphp. Fixing this gave me a working installation.

I’m glad it works now but this is a little embarrassing… :zipper_mouth_face:

2 Likes
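As an added example (not code from the SimpleSAMLphp module or from privacyIDEA), a small Python classifier for the reply to /validate/samlcheck that type-checks each level of result -> status -> value -> auth (and detail) before reading it, so a misconfigured path prefix like the …/pi above is reported as “not JSON” instead of a chain of “Trying to get property of non-object” notices and one opaque “internal error” message. The sample bodies are constructed; the key names are the ones the module’s backtrace shows it reading.

```python
from __future__ import annotations
import json
from enum import Enum


class Outcome(Enum):
    NOT_JSON = "not JSON: wrong base URL / path prefix, proxy or 404 page?"
    MALFORMED = "JSON, but not the result/status/value/auth shape of privacyIDEA"
    SERVER_ERROR = "privacyIDEA answered with result.status = false"
    AUTH_OK = "authentication succeeded"
    AUTH_FAILED = "authentication failed"


def classify_samlcheck(body: str) -> tuple[Outcome, str]:
    """Return (outcome, detail text) for a raw HTTP response body.
    result -> status -> value -> auth (and detail) are type-checked before being
    read, so a wrong URL is reported as NOT_JSON instead of a chain of
    'property of non-object' notices and one opaque 'internal error' message.
    """
    try:
        data = json.loads(body)
    except ValueError:
        return Outcome.NOT_JSON, body[:60]
    result = data.get("result") if isinstance(data, dict) else None
    if not isinstance(result, dict):
        return Outcome.MALFORMED, "missing 'result' object"
    detail = data["detail"] if isinstance(data.get("detail"), dict) else {}
    if result.get("status") is not True:
        error = result["error"] if isinstance(result.get("error"), dict) else {}
        return Outcome.SERVER_ERROR, str(error.get("message", ""))
    value = result.get("value")
    if not isinstance(value, dict) or not isinstance(value.get("auth"), bool):
        return Outcome.MALFORMED, "missing or non-boolean result.value.auth"
    outcome = Outcome.AUTH_OK if value["auth"] else Outcome.AUTH_FAILED
    return outcome, str(detail.get("message", ""))


# Constructed sample bodies (not captured from a real server).
SAMPLES = {
    # HTML 404 page: the typical reply when the configured base URL carries a
    # path prefix (such as /pi) that the server does not actually serve.
    "wrong_prefix": "<!DOCTYPE HTML><title>404 Not Found</title><h1>Not Found</h1>",
    "ok": json.dumps({"result": {"status": True, "value": {"auth": True, "attributes": {}}},
                      "detail": {"message": "constructed: token matched"}}),
    "bad_otp": json.dumps({"result": {"status": True, "value": {"auth": False, "attributes": {}}},
                           "detail": {"message": "constructed: wrong otp value"}}),
    "server_error": json.dumps({"result": {"status": False, "error": {"code": 0,
                                           "message": "constructed: server-side error"}}}),
}


def classify_samples() -> dict[str, Outcome]:
    """Classify every sample body; used as a smoke test of the parser."""
    return {name: classify_samlcheck(body)[0] for name, body in SAMPLES.items()}
```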

Just on a sidenote:
In regard to method 1: “first factor” or “password” means the PIN I can set inside PrivacyIDEA for each user individually, correct?
Only with method 2 is it possible to use, for example, the LDAP-based “native password” of each user, right?

Independent of simpleSAMLphp, you can send authentication requests to privacyIDEA.
This authentication request can require

Within simpleSAMLphp you can either do authproc filter or authsource.

With authsource, authentication is only done by privacyIDEA. The above-mentioned three possibilities apply.

With authproc filter you can “add” privacyIDEA authentication to a previous authentication (like LDAP).
Still, the above-mentioned three possibilities would apply.

1 Like

Thanks again, both ways work like a charm now!

But when would I choose which way? I probably haven’t understood the difference in total…

In “privacyIDEA as authproc filter in simpleSAMLphp” Micha writes that the authproc filter is “much more flexible”. So I take it that, for example, the enrollment of a new token during login is only possible with the authproc filter variant. Is it that in the authproc filter way the plugin in SimpleSAMLphp “works on its own”, whereas in the authsource way the credentials are “only” sent to PrivacyIDEA, which then can only respond with “correct” or “incorrect”?

You would use the authproc filter if you run the first authentication step, maybe by the LDAP module. The authproc is always an “addon” for a previous authentication.

You would run the authsource if you want the privacyIDEA plugin to handle the whole process.

Somewhere in the simpleSAMLphp docs there is a good explanation of it. Authproc filters, as “addons”, can do anything after authentication, even adding attributes.
User authentication will run only through one authsource, but you can stack authprocs and run through several authproc filters.

Do not enroll tokens within simpleSAMLphp. It might very well be that this functionality will disappear. I also would not recommend it from a standpoint of enrollment strategies.

1 Like

Thanks for your explanation and warning!

What would be your proposed workflow for users who currently only have a password set in LDAP (and no token enrolled), but should enroll a token and (currently) don’t know or use the PrivacyIDEA web management (given that I shouldn’t use the built-in enrollment of the SimpleSAMLphp PrivacyIDEA module anymore)? I suppose it is not possible to forward a user during the login process to an arbitrary web application, such as the PrivacyIDEA web management, and provide him for example with the “token enrollment wizard”? I have already looked into this wizard because it sounds quite promising!

Rollout strategies are usually the topic for our consultancy. There is no one-size-fits-all.
You may take a look here:
https://privacyidea.readthedocs.io/en/latest/faq/rollout-strategies.html

Imho, from a security standpoint you should not enroll tokens where you are authenticating. I think you can actually prove this mathematically. :wink: