Hi!
Continuing the work… Now looking to make WebAuthn work with the above combination. It seems like SSP and the privacyidea module do not realize that the user has a WebAuthn token but still expect Password + OTP to be typed into the box.
SSP PrivacyIDEA config (in saml20-sp-remote.php):
'authproc' => [
    05 => array(
        'class' => 'privacyidea:serverconfig',
        'privacyideaserver' => 'https://2f.skola.engelholm.se',
        'realm' => 'angport',
        'uidKey' => 'cn',
        'sslverifyhost' => false,
        'sslverifypeer' => false,
        'doTriggerChallenge' => true,
        'enabledPath' => '',
        'enabledKey' => '',
        'tryFirstAuthentication' => true,
        'tryFirstAuthPass' => 'simpleSAMLphp',
    ),
    06 => array(
        'class' => 'privacyidea:privacyidea',
    ),
]
In the SSP log there are a lot of these:
Sep 23 16:16:39 simplesamlphp ERROR [959029610c] SimpleSAML\Error\Exception: Error 2 - count(): Parameter must be an array or an object that implements Countable at /var/simplesamlphp/modules/privacyidea/www/otpform.php:83
Sep 23 16:16:39 simplesamlphp ERROR [959029610c] Backtrace:
Sep 23 16:16:39 simplesamlphp ERROR [959029610c] 3 /var/simplesamlphp/www/_include.php:44 (SimpleSAML_error_handler)
Sep 23 16:16:39 simplesamlphp ERROR [959029610c] 2 /var/simplesamlphp/modules/privacyidea/www/otpform.php:83 (require)
Sep 23 16:16:39 simplesamlphp ERROR [959029610c] 1 /var/simplesamlphp/lib/SimpleSAML/Module.php:266 (SimpleSAML\Module::process)
Sep 23 16:16:39 simplesamlphp ERROR [959029610c] 0 /var/simplesamlphp/www/module.php:10 (N/A)
And some variations like:
Sep 23 16:16:00 simplesamlphp ERROR [959029610c] SimpleSAML\Error\Exception: Error 2 - count(): Parameter must be an array or an object that implements Countable at /var/simplesamlphp/modules/privacyidea/lib/Auth/utils.php:119
Sep 23 16:16:00 simplesamlphp ERROR [959029610c] Backtrace:
Sep 23 16:16:00 simplesamlphp ERROR [959029610c] 7 /var/simplesamlphp/www/_include.php:44 (SimpleSAML_error_handler)
Sep 23 16:16:00 simplesamlphp ERROR [959029610c] 6 /var/simplesamlphp/modules/privacyidea/lib/Auth/utils.php:119 (sspmod_privacyidea_Auth_utils::checkTokenType)
Sep 23 16:16:00 simplesamlphp ERROR [959029610c] 5 /var/simplesamlphp/modules/privacyidea/lib/Auth/Process/privacyidea.php:126 (sspmod_privacyidea_Auth_Process_privacyidea::process)
Sep 23 16:16:00 simplesamlphp ERROR [959029610c] 4 /var/simplesamlphp/lib/SimpleSAML/Auth/ProcessingChain.php:210 (SimpleSAML\Auth\ProcessingChain::processState)
Sep 23 16:16:00 simplesamlphp ERROR [959029610c] 3 /var/simplesamlphp/lib/SimpleSAML/IdP.php:335 (SimpleSAML\IdP::postAuth)
Sep 23 16:16:00 simplesamlphp ERROR [959029610c] 2 /var/simplesamlphp/lib/SimpleSAML/IdP.php:420 (SimpleSAML\IdP::handleAuthenticationRequest)
Sep 23 16:16:00 simplesamlphp ERROR [959029610c] 1 /var/simplesamlphp/modules/saml/lib/IdP/SAML2.php:492 (SimpleSAML\Module\saml\IdP\SAML2::receiveAuthnRequest)
Sep 23 16:16:00 simplesamlphp ERROR [959029610c] 0 /var/simplesamlphp/www/saml2/idp/SSOService.php:21 (N/A)
I do not completely understand what needs to be configured in the privacyIDEA server to make WebAuthn tokens work. I try mostly with a YubiKey but also with the fingerprint sensor on my Mac. Tokens are enrolled but I can't really figure out how to test them.
Very thankful if someone could point me in the right direction!
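The failure in the log above (count() called on something that is not an array inside checkTokenType) is what this added example guards against; it is not code from the original post or from the privacyIDEA/SSP module. It assumes the /validate/triggerchallenge reply layout (detail.multi_challenge with a per-token "type"), and both sample replies are constructed.

```python
# Added example, not code from the original post or from the privacyIDEA/SSP
# module. Shows the guard the logged count() error is missing: inspect the
# /validate/triggerchallenge reply and treat a missing or non-list
# detail.multi_challenge as "no challenge", instead of calling count() on null.
# The reply layout (detail.multi_challenge, per-token "type") is assumed from
# privacyIDEA's API; both sample replies below are constructed.

# Constructed: user has a WebAuthn token and an HOTP token, both triggered.
SAMPLE_WITH_WEBAUTHN = {
    "result": {"status": True, "value": False},
    "detail": {"multi_challenge": [
        {"serial": "WAN00000001", "type": "webauthn",
         "transaction_id": "01234567890123456789",
         "attributes": {"webAuthnSignRequest": {"challenge": "constructed"}}},
        {"serial": "OATH00000001", "type": "hotp",
         "transaction_id": "01234567890123456789"},
    ]},
}

# Constructed: server answered but triggered nothing, so there is no "detail".
# This is the shape that makes an unguarded count() raise in PHP 7.2+.
SAMPLE_NO_CHALLENGE = {"result": {"status": True, "value": False}}


def triggered_token_types(response):
    """Return the sorted token types the server triggered, or [] if none.

    A failed result, a missing detail/multi_challenge, or a non-list value all
    yield [] rather than raising, so the caller can fall back safely.
    """
    if not (response.get("result") or {}).get("status", False):
        return []
    challenges = (response.get("detail") or {}).get("multi_challenge")
    if not isinstance(challenges, list):
        return []
    return sorted({c["type"] for c in challenges
                   if isinstance(c, dict) and "type" in c})


def login_form_for(response):
    """Choose the form to render from the triggered types: 'webauthn' when a
    sign request is present, 'otp' for OTP-only challenges, else the
    'password_otp' box the original poster keeps seeing."""
    types = triggered_token_types(response)
    if "webauthn" in types:
        return "webauthn"
    return "otp" if types else "password_otp"
```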