User attributes from multiple sources (ldap&sql)


#1

Hi,
I am using PrivacyIdea with SimpleSAMLphp through the simplesaml-module-privacyidea.
In simpleSAML I can get user attributes from different sources using the Auth Proc filters, and I have to use them to get user roles.
I also want to integrate PrivacyIdea in managing an existing yubikey validation server which is up and running and in use for corporate-managed yubikey tokens.
I know this service is running an SQL backend and I would like to use this backend to read the already enrolled yubikey tokens without asking users to enroll their tokens.
I was not able to find anything about this kind of integration.
It would be enough for me to get user attributes using multiple sources: let's say an ldap userstore for credentials/mail/phone attributes (already done and it is working), a different ldap without authentication for getting roles, and an sql source to get the yubikey id already associated with the user; then, talking with the validation server, I can check the yubikey otp.
What do you think about it?
Thank you.
Best regards,
B.


#2

You can integrate these yubikeys into privacyIDEA by using the “yubico” token type, which actually forwards the authentication request to the yubico server.
https://privacyidea.readthedocs.io/en/latest/configuration/tokens/yubico.html

Thus simpleSAMLphp only needs to talk to privacyIDEA.


#3

Does this mean that I have to manually enroll more than 2000 tokens one by one while already having the association user/token on the validation server?
In SimpleSAML I can enrich the user information by taking this extra information from an SQL source and use it with a module. For using the yubico token I have to know setup/import the id/uid and keep it updated?

Thank you,
B.


#4

No, of course not. This means you should get into a discussion about which workflow is the best for you.