Username/Password Authentication error with SimpleSAMLphp + privacyIDEA

Hi all,

I configured a fresh install of SimpleSAMLphp (version 1.3.2) along with
privacyIDEA (version 2.9.1) on Ubuntu 14.0.4 LTS. My web server is nginx.

Appreciate any help with the following two issues:

  1. UserName/Password authentication failing from SimpleSAMLphp. Please see
    attached screenshot.

  2. I accidentally deleted /var/log/privacyidea.log, and now nothing gets
    logged to this file. I restarted syslog and nginx, but no luck.

Here are additional details of my SimpleSamlphp + privacyIDEA configuration:

FYI…I created simple flat file password resolver using the following
command.

privacyidea-create-pwidresolver-user -u johns -i 1002 >> /etc/pi-flatfile

root@sso-idp:~# more /etc/pi-flatfile
johns:05ebNChJlMUJ6:1002:1002:::
root@sso-idp:~#

root@sso-idp:/var/log/privacyidea# dpkg -l|grep -i privacyidea
ii  privacyidea-nginx          2.9-1trusty  all  2FA system. This is a meta package to install privacyidea with nginx
ii  privacyidea-simplesamlphp  2.9-1trusty  all  SimpleSAMLphp module for privacyIDEA to do two factor authentication
ii  python-privacyidea         2.9-1trusty  all  two-factor authentication system e.g. for OTP devices

root@sso-idp:/etc/simplesamlphp# grep -i "enable.saml" config.php
'enable.saml20-idp' => true,
root@sso-idp:/etc/simplesamlphp#

root@sso-idp:/etc/simplesamlphp# ls -lt /usr/share/simplesamlphp/modules/privacyidea/enable
-rw-r--r-- 1 root root 0 Feb 6 18:35 /usr/share/simplesamlphp/modules/privacyidea/enable
root@sso-idp:/etc/simplesamlphp#

authsources.php

    'example-privacyidea' => array(
            'privacyidea:privacyidea',
            'privacyideaserver' => 'https://sso-idp.domain.com',
            'sslverifyhost' => False,
            'sslverifypeer' => False,
            'realm' => '',
            'attributemap' => array(
                    'username' => 'samlLoginName',
                    'surname' => 'surName',
                    'givenname' => 'givenName',
                    'email' => 'emailAddress',
                    'phone' => 'telePhone',
                    'mobile' => 'mobilePhone'
            ),
    ),

root@sso-idp:/etc/simplesamlphp/metadata# more saml20-idp-hosted.php

    <?php
    $metadata['__DYNAMIC:1__'] = array(
        /*
         * The hostname for this IdP. This makes it possible to run multiple
         * IdPs from the same configuration. '__DEFAULT__' means that this one
         * should be used by default.
         */
        'host' => '__DEFAULT__',

        /*
         * The private key and certificate to use when signing responses.
         * These are stored in the cert-directory.
         */
        'privatekey' => 'simplesamlphp.pem',
        'certificate' => 'simplesamlphp.crt',

        /*
         * The authentication source which should be used to authenticate the
         * user. This must match one of the entries in config/authsources.php.
         */
        'auth' => 'example-privacyidea',
    );

root@sso-idp:/etc/simplesamlphp/metadata#

Thank you very much for your help in advance.

Best Regards,

John

Couple of other pieces of information that may help in identifying the
issue.

  1. I have not changed the default salt. Here are the contents of the
    /var/lib/simplesamlphp directory.

root@sso-idp:/var/lib/simplesamlphp# ls -lt
total 8
-rw-r----- 1 root www-data 110 Feb 6 16:22 secrets.inc.php
drwx-wx--- 2 root www-data 4096 Jun 5 2013 data

  2. I noticed privacyidea-create-pwidresolver-user shell script uses a salt
    to hash the user password. Should I be changing the salt in
    privacyidea-create-pwidresolver-user shell script and use the same salt as
    in secrets.inc.php?

Thank you for your help in advance.

Best Regards,

John
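
Added example, not part of John's message and not privacyIDEA code: the password field in the /etc/pi-flatfile entry above is a crypt(3) string, and in that format the salt is stored inside the field itself. The Python below parses passwd-style lines and reports each entry's hash scheme and embedded salt; the function names and the second sample line are constructed for illustration.

```python
import re

# crypt(3) modular-format ids; a bare 13-character field is traditional DES crypt.
MODULAR = {"1": "md5-crypt", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
           "5": "sha256-crypt", "6": "sha512-crypt"}
DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")
# DES crypt: 12-bit salt, password truncated to 8 characters. MD5-crypt: fast, dated.
WEAK = {"des-crypt", "md5-crypt"}


def classify_hash(field):
    """Return (scheme, salt) for one crypt(3)-style password field."""
    if DES_RE.match(field):
        return "des-crypt", field[:2]          # first two characters are the salt
    parts = field.split("$")                   # "$6$salt$digest" -> ['', '6', 'salt', 'digest']
    if len(parts) < 4 or parts[0] or parts[1] not in MODULAR:
        return "unknown", ""
    scheme = MODULAR[parts[1]]
    if scheme == "bcrypt":                     # "$2b$cost$" + 22-char salt + digest
        return scheme, parts[3][:22]
    if parts[2].startswith("rounds="):         # optional sha-crypt rounds parameter
        return scheme, parts[3]
    return scheme, parts[2]


def audit_flatfile(text):
    """Parse passwd-style lines; return one finding dict per user entry."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:                   # name:hash:uid:gid:gecos:home:shell
            findings.append({"line": lineno, "user": None, "scheme": "malformed",
                             "salt": "", "weak": False})
            continue
        scheme, salt = classify_hash(fields[1])
        findings.append({"line": lineno, "user": fields[0], "scheme": scheme,
                         "salt": salt, "weak": scheme in WEAK})
    return findings


# First line is the entry shown in the post; the second is constructed.
SAMPLE = ("johns:05ebNChJlMUJ6:1002:1002:::\n"
          "alice:$6$constructedsalt$" + "x" * 86 + ":1003:1003:::\n")

if __name__ == "__main__":
    for finding in audit_flatfile(SAMPLE):
        print(finding)
```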

Hi John,

I think you are getting something wrong here.

The user needs to authenticate with a token not with the userstore
password (at least if you have set no policies)

So I recommend the most important step: Simplify things. Forget about
SAML and SSO and first check if authentication against privacyIDEA works
fine.

If a user authenticates against privacyIDEA you need to enroll a token
for the user - unless you have defined policies.

So please

  1. enroll a token
  2. set a PIN for the token and
  3. authenticate with and +

Kind regards
Cornelius


Cornelius Kölbel
@cornelinux
+49 151 2960 1417

NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798

Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel

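
Added example, not part of Cornelius's reply and not privacyIDEA code: one way to run the direct check he recommends, leaving SAML out of the picture, by posting the user name and the PIN followed by the OTP value to privacyIDEA's /validate/check endpoint. The function names and the sample JSON bodies are constructed for illustration, and the PIN-then-OTP order assumes no policy changes it.

```python
import json
import urllib.error
import urllib.parse
import urllib.request


def build_check_request(server, user, pin, otp, realm=""):
    """Build the POST to privacyIDEA's /validate/check endpoint."""
    params = {"user": user, "pass": pin + otp}     # PIN immediately followed by the OTP value
    if realm:
        params["realm"] = realm
    return urllib.request.Request(
        server.rstrip("/") + "/validate/check",
        data=urllib.parse.urlencode(params).encode(),
        method="POST",
    )


def interpret(body):
    """Map a /validate/check JSON body to (verdict, message)."""
    try:
        doc = json.loads(body)
    except ValueError:
        return "error", "non-JSON response"
    result = doc.get("result") or {}
    if not result.get("status"):                   # request failed inside privacyIDEA
        return "error", (result.get("error") or {}).get("message", "")
    verdict = "accepted" if result.get("value") is True else "rejected"
    return verdict, (doc.get("detail") or {}).get("message", "")


def check(server, user, pin, otp, realm=""):
    """Send the request; certificate and host name are verified by default."""
    req = build_check_request(server, user, pin, otp, realm)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return interpret(resp.read().decode())
    except urllib.error.HTTPError as exc:          # error replies may carry a JSON body too
        return interpret(exc.read().decode())


# Constructed response bodies in the shape /validate/check returns.
OK_BODY = '{"detail": {"message": "matching 1 tokens"}, "result": {"status": true, "value": true}}'
BAD_BODY = '{"detail": {"message": "wrong otp value"}, "result": {"status": true, "value": false}}'
ERR_BODY = '{"result": {"status": false, "error": {"code": -1, "message": "constructed error"}}}'

if __name__ == "__main__":
    import sys
    print(check(*sys.argv[1:5]))                   # args: server user pin otp
```

Unlike the authsources.php entry in the thread, which sets sslverifyhost and sslverifypeer to False, this check keeps TLS verification on, so a certificate problem on the privacyIDEA server shows up as a TLS error rather than being silently ignored.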