[solved] Event handler with multiple actions and missing event

bpelaia · October 19, 2018, 1:35pm

Hi all,
I am new to PrivacyIdea, and I searched over the net for about two questions but I did not find a solution myself.
My needs: I have to add 2FA using one of email/sms/Yubikey to a security system supporting SAML authentication.
I have already configured SimpleSAMLphp and PrivacyIdea to get authentication using ldap and it works. I also configured manually two token sms/email and it works.
I have two main issue:

SimpleSAMLphp PrivacyIdea module does not use check api but samlcheck, which is not available in events, just check is and it is not fired;
While testing I created two post successful authentication to enroll sms and email token, but the second event is not fired.

Some additional information and the questions:
I’ve seen some discussion about simplesaml module and I’m going to check within github fork or write my own change to the module, but is it possible to add the event for validate_samlcheck on privacyidea?
For automate token enroll I create two events:
they are both post validate_check and validate_triggerchallenge, with token handler with condition {“logged_in_user”:“user”,“result_status”:“True”,“result_value”:“True”,“tokentype”:"",“user_token_number”:“0”}
the first issue is that just the first event was fired when testing using validate_auth.
It is not possible to fire multiple action at the same condition because the first event “email token auto enrollment” changed the conditions: the second event is not fired because the “tokentype” was set to email. To let the second event get fired I had to change tokent_number to one and tokentype to email.
Is it a bug, and my configuration is a useful workaround or am I missing something in the event handler?

Thank you.
Best Regards,
B.

cornelinux · October 19, 2018, 4:54pm

This would be dead simple: adding a decorator to the API call.
If you have an active github account, can you please open an issue on the GitHub - privacyidea/privacyidea: 🔐 multi factor authentication system (2FA, MFA, OTP Server) project? Then we can add it easily.
Thanks!

You are right. The concept does not allow to trigger multiple actions.
All actions are handled consecutive. If an action changes the state of the system (like enrolling a token), then the next action will be evaluated based on the new state.

This is, how it is implemented. This is a perfect behaviour for some users in certain cases, for other users in other cases it might be a disturbing behaviour. However, the software has to function in one way, this is the way it does.

To be more in control, you can add priorities (ordering) to the event handlers.

Cool, you are new to privacyIDEA and are directly diving into event handlers!

bpelaia · October 19, 2018, 6:42pm

Thank you Cornelius for the fast answer.
Looking at the verification python code I’ve seen the sank check already has the @event declaration, so I’m going to investigate why it is not triggered and I’llkeep you updated.
About the behavior, I agree the software has to have just one and I wanted be sure I was not missing any information.
Best Regards,
B.

bpelaia · October 31, 2018, 11:52pm

Hi Cornelius,
It was my fault in configuring the event: I set both status and result to True, while using samlcheck sets result to an associative array (dict) so the check was failing.
I do not know if this is the expected behavior, but it is ok for me to configure the policy by just use the status.

Best regards,
B.