Hello!
First time user here, thanks in advance for all the help.
I’ve currently installed a privacyIDEA server using the Ubuntu package installation following the instructions in the installation segment of the documentation, and I’m running some tests with the simplesaml plugin (https://github.com/privacyidea/simplesamlphp-module-privacyidea) against a test instance of our simpleSAMLphp. The privacyIDEA server has an LDAP realm connected to our AD implementation.
Since we have many Service Providers (SPs) for our Identity Provider (IdP), I’ve followed the instructions on https://www.privacyidea.org/privacyidea-as-authproc-filter-in-simplesamlphp/ to use the plugin as an authproc filter for only one SP.
I’ve added the following configuration on the saml20-sp-remote.php file:
$metadata['http://dummyName.com'] = array(
    'authproc' => array(
        /**
         * The first authproc filter contains the configuration for the privacyIDEA server.
         */
        20 => array(
            'class' => 'privacyidea:serverconfig',
            /**
             * Enter the URL to your privacyIDEA instance
             */
            'privacyideaserver' => 'https://privacyIDEA-server.com',
            /**
             * Enter the realm, where your users are stored (remove it or set it to '' to use default)
             */
            'realm' => '',
            /**
             * The uidKey is the username's attribute key.
             * You can choose a single one or multiple ones. The first set will be used.
             */
            'uidKey' => 'sAMAccountName',
            //'uidKey' => 'uid',
            // 'uidKey' => array('uid', 'userName', 'uName'),
            /**
             * Check if the hostname matches the name in the certificate (set to true or false)
             */
            'sslverifyhost' => false,
            /**
             * Check if the certificate is valid, signed by a trusted CA
             */
            'sslverifypeer' => false,
            /**
             * Here you need to enter the username of your service account
             */
            #'serviceAccount' => '',
            /**
             * Enter here the password for your service account
             */
            #'servicePass' => '',
            /**
             * You can enable or disable trigger challenge
             */
            'doTriggerChallenge' => false,
            /**
             * Other authproc filters can disable 2FA if you want to.
             * If privacyIDEA should listen to the setting, you have to enter the state's path and key.
             * The value of this key will be set by a previous auth proc filter.
             * privacyIDEA will only be disabled, if the value of the key is set to false,
             * in any other situation (e.g. the key is not set or does not exist), privacyIDEA will be enabled.
             */
            'enabledPath' => '',
            'enabledKey' => '',
            /**
             * If you want to use passOnNoToken or passOnNoUser, you can decide, if this module should send a password to
             * privacyIDEA. If passOnNoToken is activated and the user does not have a token, he will be passed by privacyIDEA.
             * NOTE: Do not use it with privacyidea:tokenEnrollment.
             */
            'tryFirstAuthentication' => true,
            /**
             * You can decide, which password should be used for tryFirstAuthentication
             */
            'tryFirstAuthPass' => 'simpleSAMLphp',
        ),
        24 => array(
            'class' => 'privacyidea:tokenEnrollment',
            'tokentype' => 'totp',
        ),
        /**
         * This filter triggers the authentication against privacyIDEA. If this is not enabled, you will not be able to use 2FA
         */
        25 => array(
            'class' => 'privacyidea:privacyidea',
            /**
             * If it is needed, you can overwrite the configuration here.
             * You have to use the same name as it is in privacyidea:serverconfig
             * For example:
             * 'serviceAccount' => 'service',
             * 'servicePass' => 'service',
             */
        ),
    ),
    'AssertionConsumerService' => 'http://dummyName-service-provider.com/saml2_auth/acs/',
    'SingleLogoutService' => 'http://dummyName-service-provider.com/saml2_auth/logout/',
    'attributes' => array('sAMAccountName','cn','sn','givenName','mail','pager'),
);
The problem is that the login form for the user to enter the TOTP token never shows up. I think there might be an issue with some state loss in the plugin, but I’m not sure.
Here’s the log for simplesaml:
Aug 14 14:08:53 simplesamlphp DEBUG [843cd4a95a] Loading state: '_b56046ff2ceeed14e5984f2381a8aa6cd8454504c9:http://192.168.57.182:9090/simplesaml/saml2/idp/SSOService.php?spentityid=http%3A%2F%2FDUMMY-SERVER.COM&cookieTime=1597424868'
Aug 14 14:08:53 simplesamlphp DEBUG [843cd4a95a] Loading state: '_b56046ff2ceeed14e5984f2381a8aa6cd8454504c9:http://192.168.57.182:9090/simplesaml/saml2/idp/SSOService.php?spentityid=http%3A%2F%2FDUMMY-SERVER.COM&cookieTime=1597424868'
Aug 14 14:08:53 simplesamlphp DEBUG [843cd4a95a] Library - LDAP __construct(): Setup LDAP with host='uat-ldap.mpf.gov.ar', tls=false, debug=false, timeout=0, referrals=false
Aug 14 14:08:57 simplesamlphp DEBUG [843cd4a95a] Library - LDAP bind(): Bind successful with DN 'adminpericon'
Aug 14 14:08:57 simplesamlphp DEBUG [843cd4a95a] Library - LDAP search(): Searching base (subtree) 'dc=mpf,dc=gov,dc=ar' for '(|(samaccountname=frgimenez))'
Aug 14 14:08:57 simplesamlphp DEBUG [843cd4a95a] Library - LDAP bind(): Bind successful with DN 'CN=GIMENEZ\, Francisco Andres,OU=Certificados,OU=CAP42 - Belgrano 909,OU=AMBA,OU=05-Usuarios,DC=mpf,DC=gov,DC=ar'
Aug 14 14:08:57 simplesamlphp DEBUG [843cd4a95a] Library - LDAP getAttributes(): Getting 'sAMAccountName,cn,sn,givenName,mail,description,showInAddressBook,memberOf,pager' from DN 'CN=GIMENEZ\, Francisco Andres,OU=Certificados,OU=CAP42 - Belgrano 909,OU=AMBA,OU=05-Usuarios,DC=mpf,DC=gov,DC=ar'
Aug 14 14:08:57 simplesamlphp DEBUG [843cd4a95a] Library - LDAP getAttributes(): Found attributes '(cn,sn,description,givenName,memberOf,sAMAccountName,showInAddressBook,mail,pager)'
Aug 14 14:08:57 simplesamlphp NOTICE STAT [843cd4a95a] User 'frgimenez' successfully authenticated from 10.4.15.186
Aug 14 14:08:57 simplesamlphp DEBUG [843cd4a95a] Deleting state: '_b56046ff2ceeed14e5984f2381a8aa6cd8454504c9'
Aug 14 14:08:57 simplesamlphp DEBUG [843cd4a95a] Session: doLogin("mpf-negotiate")
Aug 14 14:08:58 simplesamlphp DEBUG [843cd4a95a] Session: Valid session found with 'mpf-negotiate'.
Aug 14 14:08:58 simplesamlphp DEBUG [843cd4a95a] Session: Valid session found with 'mpf-negotiate'.
Aug 14 14:08:58 simplesamlphp WARNING [843cd4a95a] The class or interface 'SimpleSAML_Auth_ProcessingFilter' is now using namespaces, please use 'SimpleSAML\Auth\ProcessingFilter'.
Aug 14 14:08:58 simplesamlphp WARNING [843cd4a95a] The class or interface 'SimpleSAML_Configuration' is now using namespaces, please use 'SimpleSAML\Configuration'.
Aug 14 14:08:58 simplesamlphp WARNING [843cd4a95a] The class or interface 'SimpleSAML_Logger' is now using namespaces, please use 'SimpleSAML\Logger'.
Aug 14 14:08:58 simplesamlphp INFO [843cd4a95a] Create the Auth Proc Filter privacyidea
Aug 14 14:08:58 simplesamlphp DEBUG [843cd4a95a] Filter config for http://192.168.57.182:9090/simplesaml/saml2/idp/metadata.php->http://DUMMY-SERVER.COM: array ( 0 => sspmod_privacyidea_Auth_Process_serverconfig::__set_state(array( 'serverconfig' => array ( 'privacyideaserver' => 'https://192.168.57.182', 'sslverifyhost' => false, 'sslverifypeer' => false, 'realm' => '', 'uidKey' => array ( 0 => 'sAMAccountName', ), 'enabledPath' => '', 'enabledKey' => '', 'serviceAccount' => 'admin', 'servicePass' => 'admin', 'doTriggerChallenge' => false, 'tryFirstAuthentication' => true, 'tryFirstAuthPass' => 'simpleSAMLphp', ), 'priority' => 20, )), 1 => sspmod_privacyIDEA_Auth_Process_tokenEnrollment::__set_state(array( 'auth_token' => NULL, 'serverconfig' => array ( 'privacyideaserver' => NULL, 'sslverifyhost' => NULL, 'sslverifypeer' => NULL, 'realm' => NULL, 'uidKey' => NULL, 'enabledPath' => NULL, 'enabledKey' => NULL, 'serviceAccount' => NULL, 'servicePass' => NULL, 'tokenType' => 'totp', ), 'priority' => 24, )), 2 => sspmod_privacyidea_Auth_Process_privacyidea::__set_state(array( 'serverconfig' => array ( 'privacyideaserver' => NULL, 'sslverifyhost' => NULL, 'sslverifypeer' => NULL, 'realm' => NULL, 'uidKey' => NULL, 'enabledPath' => NULL, 'enabledKey' => NULL, 'serviceAccount' => NULL, 'servicePass' => NULL, 'doTriggerChallenge' => NULL, 'tryFirstAuthentication' => NULL, 'tryFirstAuthPass' => NULL, ), 'priority' => 25, )), 3 => SimpleSAML\Module\core\Auth\Process\LanguageAdaptor::__set_state(array( 'langattr' => 'preferredLanguage', 'priority' => 30, )), 4 => SimpleSAML\Module\core\Auth\Process\StatisticsWithAttribute::__set_state(array( 'attribute' => 'realm', 'typeTag' => 'saml20-idp-SSO', 'skipPassive' => false, 'priority' => 45, )), 5 => SimpleSAML\Module\core\Auth\Process\AttributeLimit::__set_state(array( 'allowedAttributes' => array ( ), 'isDefault' => false, 'priority' => 50, )), 6 => SimpleSAML\Module\core\Auth\Process\LanguageAdaptor::__set_state(array( 'langattr' => 'preferredLanguage', 'priority' => 99, )),)
Aug 14 14:09:01 simplesamlphp INFO [843cd4a95a] privacyIDEA Auth Proc Filter: Entering process function
Aug 14 14:09:01 simplesamlphp DEBUG [843cd4a95a] Throwing WRONGUSERPASS
Aug 14 14:09:01 simplesamlphp ERROR [843cd4a95a] privacyIDEA WRONG USER PASSWORD
Aug 14 14:09:01 simplesamlphp WARNING [843cd4a95a] The class or interface 'SimpleSAML_Error_Error' is now using namespaces, please use 'SimpleSAML\Error\Error'.
Aug 14 14:09:01 simplesamlphp DEBUG [843cd4a95a] privacyIDEA: user has token
Aug 14 14:09:01 simplesamlphp DEBUG [843cd4a95a] privacyIDEA: privacyIDEA is enabled, so we use 2FA
Aug 14 14:09:01 simplesamlphp WARNING [843cd4a95a] The class or interface 'SimpleSAML_Auth_State' is now using namespaces, please use 'SimpleSAML\Auth\State'.
Aug 14 14:09:01 simplesamlphp DEBUG [843cd4a95a] Saved state: '_b56046ff2ceeed14e5984f2381a8aa6cd8454504c9:http://192.168.57.182:9090/simplesaml/saml2/idp/SSOService.php?spentityid=http%3A%2F%2FDUMMY-SERVER.COM&cookieTime=1597424868'
Aug 14 14:09:01 simplesamlphp WARNING [843cd4a95a] The class or interface 'SimpleSAML_Module' is now using namespaces, please use 'SimpleSAML\Module'.
Aug 14 14:09:01 simplesamlphp WARNING [843cd4a95a] The class or interface 'SimpleSAML_Utilities' is now using namespaces, please use 'SimpleSAML\Utilities'.
It seems that the _b56046ff2ceeed14e5984f2381a8aa6cd8454504c9 state is never loaded.
Any ideas on why this is happening? Maybe there is a problem with my configuration.
Thanks!
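One way to check the "state is never loaded" hypothesis against a simpleSAMLphp log, as an added example that is not part of the original post or of the privacyIDEA module: a small Python script that reads the "Loading / Saved / Deleting state" lines per tracking id and reports every state id whose last recorded event is a save with no later load. The sample log below is constructed in the post's format with placeholder tracking and state ids.

```python
import re
from collections import defaultdict

# Constructed sample in the simplesamlphp log format from the post; the
# tracking ids and state ids are placeholders, not the poster's values.
SAMPLE_LOG = """\
Aug 14 14:08:53 simplesamlphp DEBUG [aaaa000000] Loading state: '_state1:http://idp.example/SSOService.php?spentityid=sp'
Aug 14 14:08:57 simplesamlphp NOTICE STAT [aaaa000000] User 'alice' successfully authenticated from 10.0.0.1
Aug 14 14:08:57 simplesamlphp DEBUG [aaaa000000] Deleting state: '_state1'
Aug 14 14:09:01 simplesamlphp DEBUG [aaaa000000] Saved state: '_state1:http://idp.example/SSOService.php?spentityid=sp'
Aug 14 14:09:05 simplesamlphp DEBUG [bbbb111111] Saved state: '_state2:http://idp.example/SSOService.php?spentityid=sp'
Aug 14 14:09:06 simplesamlphp DEBUG [bbbb111111] Loading state: '_state2:http://idp.example/SSOService.php?spentityid=sp'
"""

# Matches only the three state-store events; everything else (LDAP, session,
# deprecation warnings) is ignored.
LINE_RE = re.compile(
    r"^\w{3} \d{2} \d{2}:\d{2}:\d{2} simplesamlphp \w+ \[(?P<track>[0-9a-f]+)\] "
    r"(?P<event>Loading|Saved|Deleting) state: '(?P<state>_[0-9a-zA-Z]+)"
)


def parse_state_events(log_text):
    """Return (tracking_id, event, state_id) tuples in log order."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((m["track"], m["event"], m["state"]))
    return events


def state_timeline(events):
    """Map each (tracking_id, state_id) to the ordered list of events seen for it."""
    timeline = defaultdict(list)
    for track, event, state in events:
        timeline[(track, state)].append(event)
    return dict(timeline)


def find_orphaned_saves(events):
    """State ids whose last recorded event is 'Saved': the filter stored its
    state before redirecting to its form, but nothing loaded that state back
    within the log excerpt (the symptom described in the post)."""
    last = {}
    for track, event, state in events:
        last[(track, state)] = event
    return sorted(state for (_, state), ev in last.items() if ev == "Saved")


if __name__ == "__main__":
    evs = parse_state_events(SAMPLE_LOG)
    for key, seq in state_timeline(evs).items():
        print(key, "->", " > ".join(seq))
    print("saved but never loaded:", find_orphaned_saves(evs))
```

Run it over the real log with `python3 script.py < simplesamlphp.log` after swapping SAMPLE_LOG for `sys.stdin.read()`; a state that appears under "saved but never loaded" is the one to trace through the redirect that should follow the save.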