U2f only for users with a registered token

hi,
Hi, I have set up privacyIDEA with SimpleSAMLphp successfully. I am using an authproc filter. My question is: is it possible to use two-factor authentication only for those users that actually have a second factor in the privacyIDEA database?
In the long run all users (~1000) should and will need both factors, but for the transition phase it would be great if those who have no token registered yet could still log in.

thanks
thomas

Probably yes.
You should look at one of the policies pass_on_no_token or passthru.

Thanks, I will look into this.

thomas

I solved it as follows:
I gave the users that have to use two-factor authentication an attribute “2fa” with the value 1; the ones who don’t have to use 2FA got the value 0.

In simplesamlphp/metadata/saml20-idp-hosted.php I added the lines

    'authproc' => [
        10 => [
            'class' => 'core:PHP',
            'code' => '
                // Users whose "2fa" attribute is 0 skip the privacyIDEA filter
                // that runs later in the authproc chain
                if ($state["Attributes"]["2fa"][0] == 0) {
                    $state["use_pi"] = ["key" => "0"];
                }
            ',
        ],
    ],

This causes the second factor to be skipped for users with a value of 0 in their 2fa attribute.

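For reference, here is the same idea as a complete authproc chain in saml20-idp-hosted.php. This is an added example, not the code from the post above and not the privacyIDEA module's own documentation. It assumes that the privacyIDEA authproc filter is registered at a later priority than the core:PHP filter (priority 20 here is a placeholder), that setting $state["use_pi"] = ["key" => "0"] makes the filter skip the second factor (this key is taken from the post above; check it against the version of the privacyidea-simplesamlphp module you run), and that the filter class name and option names shown match your installed module (verify them against its README). The hostname, realm and attribute name are placeholders. One difference from the snippet in the post: it fails closed. With a loose `== 0` comparison in PHP, a user record that has no "2fa" attribute at all evaluates to null, and null == 0 is true, so such a user would silently bypass the second factor; the example below only skips privacyIDEA when the attribute is present and is exactly "0".

```php
<?php
// Added example (not from the original post). Assumptions are marked below.
$metadata['__DYNAMIC:1__'] = [
    'host'        => '__DEFAULT__',
    'privatekey'  => 'server.pem',
    'certificate' => 'server.crt',
    'auth'        => 'example-userpass',   // placeholder authsource

    'authproc' => [
        // Runs first: decide per user whether the second factor is required.
        // Lower priority numbers run earlier in the SimpleSAMLphp authproc chain.
        10 => [
            'class' => 'core:PHP',
            'code'  => '
                // Fail closed: a user with no "2fa" attribute, or with any
                // value other than "0", is sent through privacyIDEA.
                $needsSecondFactor = true;
                if (isset($state["Attributes"]["2fa"][0])
                    && (string) $state["Attributes"]["2fa"][0] === "0") {
                    $needsSecondFactor = false;
                }
                // State key taken from the post above; assumption: this is
                // what the installed privacyIDEA filter checks to skip 2FA.
                if (!$needsSecondFactor) {
                    $state["use_pi"] = ["key" => "0"];
                }
            ',
        ],

        // Runs second: the privacyIDEA filter itself. Class and option names
        // are assumptions to verify against your module version; values are
        // placeholders.
        20 => [
            'class'                => 'privacyidea:PrivacyideaAuthProc',
            'privacyideaServerURL' => 'https://privacyidea.example.org',
            'realm'                => 'example',
            'sslVerifyHost'        => 'true',
            'sslVerifyPeer'        => 'true',
        ],
    ],
];
```

Two things to check after deploying this: log in once as a user whose "2fa" attribute is missing entirely and confirm you are prompted for the second factor (that is the fail-closed path), and make sure the directory attribute that drives the decision cannot be edited by the users themselves, since whoever can set it to 0 can switch off their own second factor.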

Thanks, that does the trick.