Trying to understand authentication flows

Hello, I’m trying to implement 2FA for my custom applications, with custom authentication schemes.
But I don’t fully understand the authentication flow that privacyIDEA (PI) offers.

Do I have to set up my applications to authenticate through PI?

  1. Setup PI
  2. Add SQL resolver to my application user table
  3. Instead of logging in via my application window, redirect the user to the PI web UI and let him log in through there?

Or is it something like this?

  1. Setup PI
  2. Add SQL resolver to my application user table
  3. Modify the application login flow, which authenticates the user itself, to authenticate using PI?

I do not understand your question.

2FA does not happen “magically” just because privacyIDEA uses the same user database as your application.

Your application has to communicate with privacyIDEA via the REST API.
(See 15.1.1.3. Validate endpoints — privacyIDEA 3.10dev1 documentation)
I.e. you need a plugin for your application, so that it can communicate with privacyIDEA.

Alternatively, your application has to use a decent authentication protocol like RADIUS, SAML or OpenID Connect. Then the RADIUS server or the SAML/OIDC IdP needs the plugin to communicate with privacyIDEA.

What is “your application” anyways?
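
The REST integration described in the answer above, as an added example that is not part of the thread and not privacyIDEA's own code: the application keeps verifying the password itself, then asks privacyIDEA's `/validate/check` endpoint about the second factor and fails closed on any error. The function names and the `send` hook are hypothetical, and the example assumes the `result.status` / `result.value` response fields of the validate endpoint.

```python
import json
import urllib.parse
import urllib.request


def parse_validate_response(body: bytes) -> bool:
    """True only if privacyIDEA reports result.status and result.value as true."""
    try:
        result = json.loads(body)["result"]
    except (ValueError, KeyError, TypeError):
        return False  # fail closed on anything that is not the expected JSON
    return (isinstance(result, dict)
            and result.get("status") is True
            and result.get("value") is True)


def check_second_factor(base_url, user, otp, realm=None, send=None, timeout=5):
    """POST user and OTP to /validate/check; any error counts as a failed login."""
    # "pass" carries the OTP value, with the token PIN prepended if a PIN is set.
    params = {"user": user, "pass": otp}
    if realm:
        params["realm"] = realm
    request = urllib.request.Request(
        base_url.rstrip("/") + "/validate/check",
        data=urllib.parse.urlencode(params).encode(),
        method="POST",
    )
    # `send` is a hypothetical hook so the transport can be replaced in tests.
    send = send or (lambda req: urllib.request.urlopen(req, timeout=timeout).read())
    try:
        return parse_validate_response(send(request))
    except OSError:  # URLError, HTTPError, timeouts, TLS failures
        return False


def login(username, password, otp, verify_password, verify_otp):
    """Application login: first factor checked locally, second via privacyIDEA."""
    if not verify_password(username, password):
        return False  # never send an OTP for a failed first factor
    return verify_otp(username, otp)
```

For this to work, privacyIDEA must resolve the same usernames as the application (for example through the SQL resolver mentioned in the question), and `base_url` should be an HTTPS URL whose certificate is verified.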