Using simplesamlphp module plugin as an authenticator filter

Hello!

First time user here, thanks in advance for all the help.

I’ve currently installed a privacyIDEA server using the Ubuntu package installation, following the instructions in the installation segment of the documentation, and I’m running some tests with the simplesaml plugin (https://github.com/privacyidea/simplesamlphp-module-privacyidea) against a test instance of our simpleSAMLphp. The privacyIDEA server has an LDAP realm connected to our AD implementation.

Since we have many Service Providers (SPs) for our Identity Provider (IdP), I’ve followed the instructions on https://www.privacyidea.org/privacyidea-as-authproc-filter-in-simplesamlphp/ to use the plugin as an authproc filter for only one SP.

I’ve added the following configuration on the saml20-sp-remote.php file:

$metadata['http://dummyName.com'] = array(
    'authproc' => array(

        /**
         *  The first authproc filter contains the configuration for the privacyIDEA server.
         */
        20 => array(
            'class'             => 'privacyidea:serverconfig',

            /**
             *  Enter the URL to your privacyIDEA instance
             */
            'privacyideaserver' => 'https://privacyIDEA-server.com',

            /**
             *  Enter the realm, where your users are stored (remove it or set it to '' to use default)
             */
            'realm'             => '',

            /**
             *  The uidKey is the username's attribute key.
             *  You can choose a single one or multiple ones. The first set will be used.
             */
            'uidKey'            => 'sAMAccountName',
            //'uidKey'            => 'uid',
            //'uidKey'            => array('uid', 'userName', 'uName'),

            /**
             *  Check if the hostname matches the name in the certificate (set to true or false)
             */
            'sslverifyhost'     => false,

            /**
             *  Check if the certificate is valid, signed by a trusted CA
             */
            'sslverifypeer'     => false,

            /**
             *  Here you need to enter the username of your service account
             */
            #'serviceAccount'    => '',

            /**
             *  Enter here the password for your service account
             */
            #'servicePass'       => '',

            /**
             *  You can enable or disable trigger challenge
             */
            'doTriggerChallenge' => false,

            /**
             *  Other authproc filters can disable 2FA if you want to.
             *  If privacyIDEA should listen to the setting, you have to enter the state's path and key.
             *  The value of this key will be set by a previous auth proc filter.
             *  privacyIDEA will only be disabled, if the value of the key is set to false,
             *  in any other situation (e.g. the key is not set or does not exist), privacyIDEA will be enabled.
             */
            'enabledPath'       => '',
            'enabledKey'        => '',

            /**
             *  If you want to use passOnNoToken or passOnNoUser, you can decide, if this module should send a password to
             *  privacyIDEA. If passOnNoToken is activated and the user does not have a token, he will be passed by privacyIDEA.
             *  NOTE: Do not use it with privacyidea:tokenEnrollment.
             */
            'tryFirstAuthentication' => true,

            /**
             *  You can decide, which password should be used for tryFirstAuthentication
             */
            'tryFirstAuthPass'  => 'simpleSAMLphp',
        ),

        24 => array(
            'class'         => 'privacyidea:tokenEnrollment',
            'tokentype'     => 'totp',
        ),

        /**
         *  This filter triggers the authentication against privacyIDEA. If this is not enabled, you will not be able to use 2FA
         */
        25 => array(
            'class'             => 'privacyidea:privacyidea',

            /**
             *  If it is needed, you can overwrite the configuration here.
             *  You have to use the same name as it is in privacyidea:serverconfig
             *  For example:
             *  'serviceAccount' => 'service',
             *  'servicePass' => 'service',
             */
        ),
    ),

    'AssertionConsumerService' => 'http://dummyName-service-provider.com/saml2_auth/acs/',
    'SingleLogoutService'      => 'http://dummyName-service-provider.com/saml2_auth/logout/',
    'attributes' => array('sAMAccountName','cn','sn','givenName','mail','pager'),
);

The problem is that the login form for the user to enter the TOTP token never shows up. I think there might be an issue with some state loss in the plugin, but I’m not sure.

Here’s the log for simplesaml:

Aug 14 14:08:53 simplesamlphp DEBUG [843cd4a95a] Loading state: '_b56046ff2ceeed14e5984f2381a8aa6cd8454504c9:http://192.168.57.182:9090/simplesaml/saml2/idp/SSOService.php?spentityid=http%3A%2F%2FDUMMY-SERVER.COM&cookieTime=1597424868'
Aug 14 14:08:53 simplesamlphp DEBUG [843cd4a95a] Loading state: '_b56046ff2ceeed14e5984f2381a8aa6cd8454504c9:http://192.168.57.182:9090/simplesaml/saml2/idp/SSOService.php?spentityid=http%3A%2F%2FDUMMY-SERVER.COM&cookieTime=1597424868'
Aug 14 14:08:53 simplesamlphp DEBUG [843cd4a95a] Library - LDAP __construct(): Setup LDAP with host='uat-ldap.mpf.gov.ar', tls=false, debug=false, timeout=0, referrals=false
Aug 14 14:08:57 simplesamlphp DEBUG [843cd4a95a] Library - LDAP bind(): Bind successful with DN 'adminpericon'
Aug 14 14:08:57 simplesamlphp DEBUG [843cd4a95a] Library - LDAP search(): Searching base (subtree) 'dc=mpf,dc=gov,dc=ar' for '(|(samaccountname=frgimenez))'
Aug 14 14:08:57 simplesamlphp DEBUG [843cd4a95a] Library - LDAP bind(): Bind successful with DN 'CN=GIMENEZ\, Francisco Andres,OU=Certificados,OU=CAP42 - Belgrano 909,OU=AMBA,OU=05-Usuarios,DC=mpf,DC=gov,DC=ar'
Aug 14 14:08:57 simplesamlphp DEBUG [843cd4a95a] Library - LDAP getAttributes(): Getting 'sAMAccountName,cn,sn,givenName,mail,description,showInAddressBook,memberOf,pager' from DN 'CN=GIMENEZ\, Francisco Andres,OU=Certificados,OU=CAP42 - Belgrano 909,OU=AMBA,OU=05-Usuarios,DC=mpf,DC=gov,DC=ar'
Aug 14 14:08:57 simplesamlphp DEBUG [843cd4a95a] Library - LDAP getAttributes(): Found attributes '(cn,sn,description,givenName,memberOf,sAMAccountName,showInAddressBook,mail,pager)'
Aug 14 14:08:57 simplesamlphp NOTICE STAT [843cd4a95a] User 'frgimenez' successfully authenticated from 10.4.15.186
Aug 14 14:08:57 simplesamlphp DEBUG [843cd4a95a] Deleting state: '_b56046ff2ceeed14e5984f2381a8aa6cd8454504c9'
Aug 14 14:08:57 simplesamlphp DEBUG [843cd4a95a] Session: doLogin("mpf-negotiate")
Aug 14 14:08:58 simplesamlphp DEBUG [843cd4a95a] Session: Valid session found with 'mpf-negotiate'.
Aug 14 14:08:58 simplesamlphp DEBUG [843cd4a95a] Session: Valid session found with 'mpf-negotiate'.
Aug 14 14:08:58 simplesamlphp WARNING [843cd4a95a] The class or interface 'SimpleSAML_Auth_ProcessingFilter' is now using namespaces, please use 'SimpleSAML\Auth\ProcessingFilter'.
Aug 14 14:08:58 simplesamlphp WARNING [843cd4a95a] The class or interface 'SimpleSAML_Configuration' is now using namespaces, please use 'SimpleSAML\Configuration'.
Aug 14 14:08:58 simplesamlphp WARNING [843cd4a95a] The class or interface 'SimpleSAML_Logger' is now using namespaces, please use 'SimpleSAML\Logger'.
Aug 14 14:08:58 simplesamlphp INFO [843cd4a95a] Create the Auth Proc Filter privacyidea
Aug 14 14:08:58 simplesamlphp DEBUG [843cd4a95a] Filter config for http://192.168.57.182:9090/simplesaml/saml2/idp/metadata.php->http://DUMMY-SERVER.COM: array (  0 =>   sspmod_privacyidea_Auth_Process_serverconfig::__set_state(array(     'serverconfig' =>     array (      'privacyideaserver' => 'https://192.168.57.182',      'sslverifyhost' => false,      'sslverifypeer' => false,      'realm' => '',      'uidKey' =>       array (        0 => 'sAMAccountName',      ),      'enabledPath' => '',      'enabledKey' => '',      'serviceAccount' => 'admin',      'servicePass' => 'admin',      'doTriggerChallenge' => false,      'tryFirstAuthentication' => true,      'tryFirstAuthPass' => 'simpleSAMLphp',    ),     'priority' => 20,  )),  1 =>   sspmod_privacyIDEA_Auth_Process_tokenEnrollment::__set_state(array(     'auth_token' => NULL,     'serverconfig' =>     array (      'privacyideaserver' => NULL,      'sslverifyhost' => NULL,      'sslverifypeer' => NULL,      'realm' => NULL,      'uidKey' => NULL,      'enabledPath' => NULL,      'enabledKey' => NULL,      'serviceAccount' => NULL,      'servicePass' => NULL,      'tokenType' => 'totp',    ),     'priority' => 24,  )),  2 =>   sspmod_privacyidea_Auth_Process_privacyidea::__set_state(array(     'serverconfig' =>     array (      'privacyideaserver' => NULL,      'sslverifyhost' => NULL,      'sslverifypeer' => NULL,      'realm' => NULL,      'uidKey' => NULL,      'enabledPath' => NULL,      'enabledKey' => NULL,      'serviceAccount' => NULL,      'servicePass' => NULL,      'doTriggerChallenge' => NULL,      'tryFirstAuthentication' => NULL,      'tryFirstAuthPass' => NULL,    ),     'priority' => 25,  )),  3 =>   SimpleSAML\Module\core\Auth\Process\LanguageAdaptor::__set_state(array(     'langattr' => 'preferredLanguage',     'priority' => 30,  )),  4 =>   SimpleSAML\Module\core\Auth\Process\StatisticsWithAttribute::__set_state(array(     'attribute' => 'realm',     'typeTag' => 'saml20-idp-SSO',     
'skipPassive' => false,     'priority' => 45,  )),  5 =>   SimpleSAML\Module\core\Auth\Process\AttributeLimit::__set_state(array(     'allowedAttributes' =>     array (    ),     'isDefault' => false,     'priority' => 50,  )),  6 =>   SimpleSAML\Module\core\Auth\Process\LanguageAdaptor::__set_state(array(     'langattr' => 'preferredLanguage',     'priority' => 99,  )),)
Aug 14 14:09:01 simplesamlphp INFO [843cd4a95a] privacyIDEA Auth Proc Filter: Entering process function
Aug 14 14:09:01 simplesamlphp DEBUG [843cd4a95a] Throwing WRONGUSERPASS
Aug 14 14:09:01 simplesamlphp ERROR [843cd4a95a] privacyIDEA WRONG USER PASSWORD
Aug 14 14:09:01 simplesamlphp WARNING [843cd4a95a] The class or interface 'SimpleSAML_Error_Error' is now using namespaces, please use 'SimpleSAML\Error\Error'.
Aug 14 14:09:01 simplesamlphp DEBUG [843cd4a95a] privacyIDEA: user has token
Aug 14 14:09:01 simplesamlphp DEBUG [843cd4a95a] privacyIDEA: privacyIDEA is enabled, so we use 2FA
Aug 14 14:09:01 simplesamlphp WARNING [843cd4a95a] The class or interface 'SimpleSAML_Auth_State' is now using namespaces, please use 'SimpleSAML\Auth\State'.
Aug 14 14:09:01 simplesamlphp DEBUG [843cd4a95a] Saved state: '_b56046ff2ceeed14e5984f2381a8aa6cd8454504c9:http://192.168.57.182:9090/simplesaml/saml2/idp/SSOService.php?spentityid=http%3A%2F%2FDUMMY-SERVER.COM&cookieTime=1597424868'
Aug 14 14:09:01 simplesamlphp WARNING [843cd4a95a] The class or interface 'SimpleSAML_Module' is now using namespaces, please use 'SimpleSAML\Module'.
Aug 14 14:09:01 simplesamlphp WARNING [843cd4a95a] The class or interface 'SimpleSAML_Utilities' is now using namespaces, please use 'SimpleSAML\Utilities'.

It seems that the _b56046ff2ceeed14e5984f2381a8aa6cd8454504c9 state is never loaded.

Any ideas on why this is happening? Maybe there is a problem with my configuration.

Thanks!

Note, which might help:

Somewhere in the docs of simpleSAMLphp it states that authproc filters do not work with the test login page of simpleSAMLphp.
This is a limitation of simpleSAMLphp, which has nothing to do with privacyIDEA.

Thanks for the response!

I’m testing the process with a previously working SP that uses simplesamlphp to connect to our LDAP; I’ve then added the privacyIDEA proc filter to the metadata of said SP to test the 2FA.
Anyhow, I’m going to search the simplesaml documentation to see if there is a problem with proc filters in SPs; maybe I missed something.

Thank you for the note anyway!

Cheers

I’ve found the issue!

It was a problem with the configuration of the plugin. I had tryFirstAuthentication set to true and also the privacyidea:tokenEnrollment value with TOTP. Furthermore, I didn’t understand that serviceAccount and servicePassword needed to be valid credentials on the privacyIDEA server, so that privacyidea:tokenEnrollment works properly.

After the proper changes, everything started working correctly.

Thanks!

1 Like
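For readers arriving at this thread with the same symptom, here is a corrected version of the authproc block from the first post. It is an added example written for this thread, not code from the original poster or from the privacyIDEA module maintainers. It applies the two changes the final post describes: tryFirstAuthentication is switched off because privacyidea:tokenEnrollment is in the chain (the module's own config comment says not to combine them), and serviceAccount/servicePass are set, since tokenEnrollment needs credentials that actually exist on the privacyIDEA server. The server URL, entity IDs and credential values are placeholders (assumptions, not values from the thread). One further change that the thread does not discuss: sslverifyhost and sslverifypeer are set to true here, because the posted configuration disabled TLS certificate checks towards the privacyIDEA server, which is acceptable only in a test setup.

```php
<?php
// Added example: corrected saml20-sp-remote.php entry for one SP.
// Every value marked PLACEHOLDER is an assumption, not taken from the thread.
$metadata['http://dummyName.com'] = array(          // PLACEHOLDER entity ID
    'authproc' => array(

        // Priority 20: server configuration shared by the later privacyIDEA filters.
        20 => array(
            'class'             => 'privacyidea:serverconfig',
            'privacyideaserver' => 'https://privacyIDEA-server.com', // PLACEHOLDER
            'realm'             => '',               // '' selects the default realm
            'uidKey'            => 'sAMAccountName', // attribute carrying the username

            // Verify the privacyIDEA server's certificate and hostname. The posted
            // config had both set to false; keep that only for a lab without a CA.
            'sslverifyhost'     => true,
            'sslverifypeer'     => true,

            // Must be a real account on the privacyIDEA server: the final post in
            // the thread reports that tokenEnrollment does not work without valid
            // credentials here. This file now holds a secret, so restrict its
            // filesystem permissions to the web server user.
            'serviceAccount'    => 'PLACEHOLDER_SERVICE_USER',
            'servicePass'       => 'PLACEHOLDER_SERVICE_PASSWORD',

            'doTriggerChallenge' => false,
            'enabledPath'       => '',
            'enabledKey'        => '',

            // Off: the module's comment says not to combine tryFirstAuthentication
            // with privacyidea:tokenEnrollment, and the thread confirms that the
            // combination was what suppressed the OTP form.
            'tryFirstAuthentication' => false,
        ),

        // Priority 24: enrol a TOTP token for users who do not have one yet.
        24 => array(
            'class'     => 'privacyidea:tokenEnrollment',
            'tokentype' => 'totp',
        ),

        // Priority 25: the actual second-factor check against privacyIDEA.
        // Without this filter no OTP is ever requested.
        25 => array(
            'class' => 'privacyidea:privacyidea',
        ),
    ),

    'AssertionConsumerService' => 'http://dummyName-service-provider.com/saml2_auth/acs/',    // PLACEHOLDER
    'SingleLogoutService'      => 'http://dummyName-service-provider.com/saml2_auth/logout/', // PLACEHOLDER
    'attributes' => array('sAMAccountName', 'cn', 'sn', 'givenName', 'mail', 'pager'),
);
```

The filter priorities (20, 24, 25) are kept from the original post; they only need to be lower than any core filters that depend on the authenticated user, and serverconfig must run before the two filters that read from it. When checking whether the fix took effect, the simplesamlphp log should show the privacyIDEA filter saving the auth state and then a later request loading that same state id when the OTP form is submitted, instead of the "Saved state" line with no matching "Loading state" that the first post shows.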