Weird behaviour of the simplesamlphp plugin with authsource

Hi All,

I have set up Simplesamlphp-IDP (1.9.6) and I am testing the authentication sources in the web UI of the IDP, which works fine for LDAP, but keeps looping in the pin+token dialog with the PrivacyIdea plugin (2.1.2).
I have configured LDAP and PI in authsources.php.

Strangely enough, the simplesamlphp log of a seemingly failed attempt contains:

Oct 31 20:08:14 simplesamlphp DEBUG [b8b628c7cf] privacyIDEA-PHP-Client: /validate/check returned {
    "detail": {
        "message": "matching 1 tokens",
        "otplen": 6,
        "serial": "OATH000419C0",
        "threadid": 139849732232960,
        "type": "hotp"
    },
    "id": 2,
    "jsonrpc": "2.0",
    "result": {
        "authentication": "ACCEPT",
        "status": true,
        "value": true
    },
    "time": 1667243294.757975,
    "version": "privacyIDEA 3.7.3",
    "versionnumber": "3.7.3",
    "signature": "rsa_sha256_pss:4b06<redacted>"
}

And:

Oct 31 20:08:14 simplesamlphp DEBUG [b8b628c7cf] privacyIDEA: User authenticated successfully!

Which indicates everything went fine. What I don’t see in the logs is the plugin preparing and returning the user attributes. And as said, the web interface keeps looping in the pin+token dialog.

The relevant bit of authsources.php contains:

    'privacyidea' => [
        'privacyidea:PrivacyideaAuthSource',
        'privacyideaServerURL' => 'https://idmserver.example.com/pi',
        'sslVerifyHost' => 'true',
        'sslVerifyPeer' => 'true',
        'realm' => 'example.com',
        'doTriggerChallenge' => 'true',
        'passFieldHint' => 'PIN+OTP',
        'preferredTokenType' => 'hotp',
        'attributemap' => [
            'username' => 'sAMAccountName',
            'surname' => 'surName',
            'givenname' => 'givenName',
            'email' => 'mail',
        ],
        'concatenationmap' => [
            'givenname,surname' => 'displayName',
        ],
    ]

What would be a good approach to get further on this issue?

  • Kees

1.9.6 sounds really old. Too old?

Please note: SimpleSAMLphp only supports one authsource at a time. So to me, at first glance, the behaviour sounds expected.

Sorry, 1.9.6 is a typo; the actual version is 1.19.6, the most current stable version.

There is always the authsource ‘admin’ and one or more others; the setting

$config['default'] = &$config['privacyidea'];

determines which one is used.
Or did I misinterpret the docs at this point?

Anyway I removed all authsources except ‘admin’ and ‘privacyidea’ for the test.

Running yesterday’s test again, I noticed that at the first attempt (when the UI shows ‘user’, ‘password’ and a ‘login’ button) there is no contact with the PI server. The log shows just this:

Nov 01 17:37:57 simplesamlphp DEBUG [01de37b8ec] Loading state: '_6955321c8eff4eae9a22ac5b12923e19db74dab133:https://idmserver.example.com/idp/module.php/core/as_login.php?AuthId=privacyidea&ReturnTo=https%3A%2F%2Fidmserver.example.com%2Fidp%2Fmodule.php%2Fcore%2Fauthenticate.php%3Fas%3Dprivacyidea'
Nov 01 17:37:57 simplesamlphp WARNING [01de37b8ec] The class or interface 'SimpleSAML_XHTML_Template' is now using namespaces, please use 'SimpleSAML\XHTML\Template'.
Nov 01 17:37:57 simplesamlphp WARNING [01de37b8ec] The class or interface 'SimpleSAML_Configuration' is now using namespaces, please use 'SimpleSAML\Configuration'.
Nov 01 17:37:57 simplesamlphp DEBUG [01de37b8ec] Localization: using old system
Nov 01 17:37:57 simplesamlphp WARNING [01de37b8ec] The class or interface 'SimpleSAML_Auth_Source' is now using namespaces, please use 'SimpleSAML\Auth\Source'.
Nov 01 17:37:57 simplesamlphp WARNING [01de37b8ec] The class or interface 'sspmod_core_Auth_UserPassBase' is now using namespaces, please use 'SimpleSAML\Module\core\Auth\UserPassBase' instead.
Nov 01 17:37:57 simplesamlphp WARNING [01de37b8ec] The class or interface 'SimpleSAML_Session' is now using namespaces, please use 'SimpleSAML\Session'.
Nov 01 17:37:57 simplesamlphp DEBUG [01de37b8ec] Translate: Reading dictionary [/srv/php/simplesamlphp/releases/simplesamlphp-1.19.6/modules/privacyidea/dictionaries/privacyidea]
Nov 01 17:37:57 simplesamlphp WARNING [01de37b8ec] The class or interface 'SimpleSAML_Module' is now using namespaces, please use 'SimpleSAML\Module'.
Nov 01 17:37:57 simplesamlphp DEBUG [01de37b8ec] Translate: Reading dictionary [/srv/php/simplesamlphp/releases/simplesamlphp-1.19.6/dictionaries/login]

Then the UI shows a single blank field and a ‘login’ button; when I enter my PIN + a new HOTP value, it gets verified with the PI server:

Nov 01 17:39:58 simplesamlphp WARNING [01de37b8ec] The class or interface 'SimpleSAML_Session' is now using namespaces, please use 'SimpleSAML\Session'.
Nov 01 17:39:58 simplesamlphp WARNING [01de37b8ec] The class or interface 'SimpleSAML_Auth_State' is now using namespaces, please use 'SimpleSAML\Auth\State'.
Nov 01 17:39:58 simplesamlphp DEBUG [01de37b8ec] Loading state: '_6955321c8eff4eae9a22ac5b12923e19db74dab133:https://idmserver.example.com/idp/module.php/core/as_login.php?AuthId=privacyidea&ReturnTo=https%3A%2F%2Fidmserver.example.com%2Fidp%2Fmodule.php%2Fcore%2Fauthenticate.php%3Fas%3Dprivacyidea'
Nov 01 17:39:58 simplesamlphp WARNING [01de37b8ec] The class or interface 'SimpleSAML_Auth_Source' is now using namespaces, please use 'SimpleSAML\Auth\Source'.
Nov 01 17:39:58 simplesamlphp WARNING [01de37b8ec] The class or interface 'sspmod_core_Auth_UserPassBase' is now using namespaces, please use 'SimpleSAML\Module\core\Auth\UserPassBase' instead.
Nov 01 17:39:58 simplesamlphp DEBUG [01de37b8ec] Loading state: '_6955321c8eff4eae9a22ac5b12923e19db74dab133:https://idmserver.example.com/idp/module.php/core/as_login.php?AuthId=privacyidea&ReturnTo=https%3A%2F%2Fidmserver.example.com%2Fidp%2Fmodule.php%2Fcore%2Fauthenticate.php%3Fas%3Dprivacyidea'
Nov 01 17:39:58 simplesamlphp WARNING [01de37b8ec] The class or interface 'SimpleSAML_Logger' is now using namespaces, please use 'SimpleSAML\Logger'.
Nov 01 17:39:58 simplesamlphp DEBUG [01de37b8ec] privacyIDEA: Utils::authenticatePI with form data:
username=test1, pass=, otp=4614055383, mode=otp, pushAvailable=, otpAvailable=1, modeChanged=0, webAuthnSignResponse=, webAuthnSignRequest=, origin=, u2fSignRequest=, u2fSignResponse=, message=, loadCounter=1
Nov 01 17:39:58 simplesamlphp DEBUG [01de37b8ec] privacyIDEA-PHP-Client: Sending user=test1, pass=4614055383, realm=example.com to /validate/check
Nov 01 17:40:02 simplesamlphp DEBUG [01de37b8ec] privacyIDEA-PHP-Client: /validate/check returned {
    "detail": {
        "message": "matching 1 tokens",
        "otplen": 6,
        "serial": "OATH000419C0",
        "threadid": 139849740625664,
        "type": "hotp"
    },
    "id": 2,
    "jsonrpc": "2.0",
    "result": {
        "authentication": "ACCEPT",
        "status": true,
        "value": true
    },
    "time": 1667320802.2111187,
    "version": "privacyIDEA 3.7.3",
    "versionnumber": "3.7.3",
    "signature": "rsa_sha256_pss:<redacted>"
}
Nov 01 17:40:02 simplesamlphp DEBUG [01de37b8ec] Saved state: '_6955321c8eff4eae9a22ac5b12923e19db74dab133:https://idmserver.example.com/idp/module.php/core/as_login.php?AuthId=privacyidea&ReturnTo=https%3A%2F%2Fidmserver.example.com%2Fidp%2Fmodule.php%2Fcore%2Fauthenticate.php%3Fas%3Dprivacyidea'
Nov 01 17:40:02 simplesamlphp DEBUG [01de37b8ec] Loading state: '_6955321c8eff4eae9a22ac5b12923e19db74dab133:https://idmserver.example.com/idp/module.php/core/as_login.php?AuthId=privacyidea&ReturnTo=https%3A%2F%2Fidmserver.example.com%2Fidp%2Fmodule.php%2Fcore%2Fauthenticate.php%3Fas%3Dprivacyidea'
Nov 01 17:40:02 simplesamlphp DEBUG [01de37b8ec] privacyIDEA: User authenticated successfully!
Nov 01 17:40:02 simplesamlphp DEBUG [01de37b8ec] Saved state: '_6955321c8eff4eae9a22ac5b12923e19db74dab133:https://idmserver.example.com/idp/module.php/core/as_login.php?AuthId=privacyidea&ReturnTo=https%3A%2F%2Fidmserver.example.com%2Fidp%2Fmodule.php%2Fcore%2Fauthenticate.php%3Fas%3Dprivacyidea'
Nov 01 17:40:02 simplesamlphp DEBUG [01de37b8ec] Loading state: '_6955321c8eff4eae9a22ac5b12923e19db74dab133:https://idmserver.example.com/idp/module.php/core/as_login.php?AuthId=privacyidea&ReturnTo=https%3A%2F%2Fidmserver.example.com%2Fidp%2Fmodule.php%2Fcore%2Fauthenticate.php%3Fas%3Dprivacyidea'
Nov 01 17:40:02 simplesamlphp DEBUG [01de37b8ec] Saved state: '_6955321c8eff4eae9a22ac5b12923e19db74dab133:https://idmserver.example.com/idp/module.php/core/as_login.php?AuthId=privacyidea&ReturnTo=https%3A%2F%2Fidmserver.example.com%2Fidp%2Fmodule.php%2Fcore%2Fauthenticate.php%3Fas%3Dprivacyidea'
Nov 01 17:40:02 simplesamlphp WARNING [01de37b8ec] The class or interface 'SimpleSAML_Module' is now using namespaces, please use 'SimpleSAML\Module'.
Nov 01 17:40:02 simplesamlphp WARNING [01de37b8ec] The class or interface 'SimpleSAML_Utilities' is now using namespaces, please use 'SimpleSAML\Utilities'.
Nov 01 17:40:02 simplesamlphp WARNING [01de37b8ec] The class or interface 'SimpleSAML_Logger' is now using namespaces, please use 'SimpleSAML\Logger'.
Nov 01 17:40:02 simplesamlphp DEBUG [01de37b8ec] Loading privacyIDEA form..
Nov 01 17:40:02 simplesamlphp WARNING [01de37b8ec] The class or interface 'SimpleSAML_Auth_State' is now using namespaces, please use 'SimpleSAML\Auth\State'.
Nov 01 17:40:02 simplesamlphp DEBUG [01de37b8ec] Loading state: '_6955321c8eff4eae9a22ac5b12923e19db74dab133:https://idmserver.example.com/idp/module.php/core/as_login.php?AuthId=privacyidea&ReturnTo=https%3A%2F%2Fidmserver.example.com%2Fidp%2Fmodule.php%2Fcore%2Fauthenticate.php%3Fas%3Dprivacyidea'
Nov 01 17:40:02 simplesamlphp WARNING [01de37b8ec] The class or interface 'SimpleSAML_XHTML_Template' is now using namespaces, please use 'SimpleSAML\XHTML\Template'.
Nov 01 17:40:02 simplesamlphp WARNING [01de37b8ec] The class or interface 'SimpleSAML_Configuration' is now using namespaces, please use 'SimpleSAML\Configuration'.
Nov 01 17:40:02 simplesamlphp DEBUG [01de37b8ec] Localization: using old system
Nov 01 17:40:02 simplesamlphp WARNING [01de37b8ec] The class or interface 'SimpleSAML_Auth_Source' is now using namespaces, please use 'SimpleSAML\Auth\Source'.
Nov 01 17:40:02 simplesamlphp WARNING [01de37b8ec] The class or interface 'sspmod_core_Auth_UserPassBase' is now using namespaces, please use 'SimpleSAML\Module\core\Auth\UserPassBase' instead.
Nov 01 17:40:02 simplesamlphp WARNING [01de37b8ec] The class or interface 'SimpleSAML_Session' is now using namespaces, please use 'SimpleSAML\Session'.
Nov 01 17:40:02 simplesamlphp DEBUG [01de37b8ec] Translate: Reading dictionary [/srv/php/simplesamlphp/releases/simplesamlphp-1.19.6/modules/privacyidea/dictionaries/privacyidea]
Nov 01 17:40:02 simplesamlphp WARNING [01de37b8ec] The class or interface 'SimpleSAML_Module' is now using namespaces, please use 'SimpleSAML\Module'.
Nov 01 17:40:02 simplesamlphp DEBUG [01de37b8ec] Translate: Reading dictionary [/srv/php/simplesamlphp/releases/simplesamlphp-1.19.6/dictionaries/login]

And then the same blank password field + ‘login’ button reappear in the web UI, and this goes on forever.

It feels like the different states in the plugin are not selected correctly. Is that due to a mistake in the configuration of the plugin in authsources.php?

Hi @kvv ,

I think you were doing everything right. You just need to add a new policy to your privacyIDEA, because (as you noticed before) if you are using the Authsource, SimpleSAMLphp needs more info from PI about the user.

If you don’t know how to add this policy, try to follow the instructions in this question:

I hope it’ll help you!

1 Like
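The following is an added example, written for this thread and not code from the original posts or from the privacyIDEA simplesamlphp module. It models, in Python rather than the module's PHP, what the authsource needs from the /validate/check response and why the form loops when it is absent: the first response is the one Kees logged (token accepted, but no detail.user), the second is a constructed response showing what privacyIDEA returns once an authorization policy with action add_user_in_response is active. The attribute-mapping logic (attributemap and concatenationmap applied to detail.user, joined with a single space) is a simplified re-implementation and an assumption, not the module's own code; the policy_request() helper only describes the parameters for POST /policy/<name> and does not talk to a server.

```python
"""Why the privacyIDEA authsource loops: accepted OTP, but no user attributes."""
import json
from typing import Optional

# Response seen in the thread (signature shortened). The token matched, but
# 'detail' carries no 'user' object, so the authsource has nothing to map.
RESPONSE_WITHOUT_USER = json.loads("""
{
  "detail": {"message": "matching 1 tokens", "otplen": 6,
             "serial": "OATH000419C0", "type": "hotp"},
  "id": 2, "jsonrpc": "2.0",
  "result": {"authentication": "ACCEPT", "status": true, "value": true},
  "version": "privacyIDEA 3.7.3", "versionnumber": "3.7.3",
  "signature": "rsa_sha256_pss:<redacted>"
}
""")

# Constructed response (values made up): the same check after an authorization
# policy with action add_user_in_response is active. privacyIDEA then copies
# the resolver's user info into detail.user.
RESPONSE_WITH_USER = json.loads("""
{
  "detail": {"message": "matching 1 tokens", "otplen": 6,
             "serial": "OATH000419C0", "type": "hotp",
             "user": {"username": "test1", "givenname": "Test",
                      "surname": "User", "email": "test1@example.com",
                      "mobile": "", "phone": ""},
             "user-realm": "example.com"},
  "id": 2, "jsonrpc": "2.0",
  "result": {"authentication": "ACCEPT", "status": true, "value": true},
  "version": "privacyIDEA 3.7.3", "versionnumber": "3.7.3",
  "signature": "rsa_sha256_pss:<redacted>"
}
""")

# The mapping section of the authsources.php from the thread, as Python.
# Keys are privacyIDEA user-info fields, values are the SAML attribute names.
ATTRIBUTEMAP = {"username": "sAMAccountName", "surname": "surName",
                "givenname": "givenName", "email": "mail"}
CONCATENATIONMAP = {"givenname,surname": "displayName"}


def check_accepted(resp: dict) -> bool:
    """Trust the verdict only if status, value and authentication all agree.
    (The real client can also verify the RSA-PSS 'signature'; skipped here.)"""
    result = resp.get("result", {})
    return (result.get("status") is True
            and result.get("value") is True
            and result.get("authentication") == "ACCEPT")


def map_attributes(resp: dict) -> Optional[dict]:
    """Return SAML attributes (name -> list of values) for an accepted response,
    or None when the OTP was rejected or privacyIDEA sent no detail.user.
    Simplified re-implementation (assumption), not the module's own code."""
    if not check_accepted(resp):
        return None
    user = resp.get("detail", {}).get("user")
    if not user:
        return None
    attributes = {}
    for pi_field, saml_name in ATTRIBUTEMAP.items():
        value = user.get(pi_field)
        if value not in (None, ""):
            attributes[saml_name] = [str(value)]
    for fields, saml_name in CONCATENATIONMAP.items():
        parts = [str(user.get(f, "")) for f in fields.split(",")]
        joined = " ".join(p for p in parts if p)   # assumed separator: one space
        if joined:
            attributes[saml_name] = [joined]
    return attributes


def diagnose(resp: dict) -> str:
    """One-line verdict a practitioner can read off the DEBUG log entry."""
    if not check_accepted(resp):
        return "rejected: PIN/OTP check failed"
    if map_attributes(resp) is None:
        return ("accepted but detail.user missing: add an authorization policy "
                "with action add_user_in_response in privacyIDEA")
    return "accepted with user attributes"


def policy_request(name: str = "saml_user_in_response") -> dict:
    """Parameters for POST /policy/<name> on the privacyIDEA admin API
    (policy name and realm are assumptions for this example)."""
    return {"method": "POST", "path": f"/policy/{name}",
            "params": {"scope": "authorization",
                       "action": "add_user_in_response",
                       "realm": "example.com"}}


if __name__ == "__main__":
    for label, resp in (("logged", RESPONSE_WITHOUT_USER),
                        ("with policy", RESPONSE_WITH_USER)):
        print(f"{label}: {diagnose(resp)} -> {map_attributes(resp)}")
    print(json.dumps(policy_request(), indent=2))
```

Run it as is: the logged response is accepted but yields no attributes, which is exactly the state in which the authsource has nothing to hand back and re-renders the form, while the response produced under the add_user_in_response policy maps to sAMAccountName, surName, givenName, mail and displayName.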

Thank you Lukas, that solved the issue.

I did search the site before I asked; unfortunately I never found the answer myself. Thanks again!

2 Likes