Sorry, 1.9.6 is a typo; the actual version is 1.19.6, the most current stable version.
There is always the authsource ‘admin’ and one or more others; the setting
$config['default'] = &$config['privacyidea'];
determines what is used.
Or did I misinterpret the docs at this point?
Anyway I removed all authsources except ‘admin’ and ‘privacyidea’ for the test.
Running yesterday’s test again, I noticed that at the first attempt (when the UI shows ‘user’, ‘password’ and ‘login button’) there is no contact with the PI server. Logging is just this:
Nov 01 17:37:57 simplesamlphp DEBUG [01de37b8ec] Loading state: '_6955321c8eff4eae9a22ac5b12923e19db74dab133:https://idmserver.example.com/idp/module.php/core/as_login.php?AuthId=privacyidea&ReturnTo=https%3A%2F%2Fidmserver.example.com%2Fidp%2Fmodule.php%2Fcore%2Fauthenticate.php%3Fas%3Dprivacyidea'
Nov 01 17:37:57 simplesamlphp WARNING [01de37b8ec] The class or interface 'SimpleSAML_XHTML_Template' is now using namespaces, please use 'SimpleSAML\XHTML\Template'.
Nov 01 17:37:57 simplesamlphp WARNING [01de37b8ec] The class or interface 'SimpleSAML_Configuration' is now using namespaces, please use 'SimpleSAML\Configuration'.
Nov 01 17:37:57 simplesamlphp DEBUG [01de37b8ec] Localization: using old system
Nov 01 17:37:57 simplesamlphp WARNING [01de37b8ec] The class or interface 'SimpleSAML_Auth_Source' is now using namespaces, please use 'SimpleSAML\Auth\Source'.
Nov 01 17:37:57 simplesamlphp WARNING [01de37b8ec] The class or interface 'sspmod_core_Auth_UserPassBase' is now using namespaces, please use 'SimpleSAML\Module\core\Auth\UserPassBase' instead.
Nov 01 17:37:57 simplesamlphp WARNING [01de37b8ec] The class or interface 'SimpleSAML_Session' is now using namespaces, please use 'SimpleSAML\Session'.
Nov 01 17:37:57 simplesamlphp DEBUG [01de37b8ec] Translate: Reading dictionary [/srv/php/simplesamlphp/releases/simplesamlphp-1.19.6/modules/privacyidea/dictionaries/privacyidea]
Nov 01 17:37:57 simplesamlphp WARNING [01de37b8ec] The class or interface 'SimpleSAML_Module' is now using namespaces, please use 'SimpleSAML\Module'.
Nov 01 17:37:57 simplesamlphp DEBUG [01de37b8ec] Translate: Reading dictionary [/srv/php/simplesamlphp/releases/simplesamlphp-1.19.6/dictionaries/login]
Then the UI shows a single blank field and a ‘login button’. When I enter my PIN + new HOTP key, it gets verified with the PI server:
Nov 01 17:39:58 simplesamlphp WARNING [01de37b8ec] The class or interface 'SimpleSAML_Session' is now using namespaces, please use 'SimpleSAML\Session'.
Nov 01 17:39:58 simplesamlphp WARNING [01de37b8ec] The class or interface 'SimpleSAML_Auth_State' is now using namespaces, please use 'SimpleSAML\Auth\State'.
Nov 01 17:39:58 simplesamlphp DEBUG [01de37b8ec] Loading state: '_6955321c8eff4eae9a22ac5b12923e19db74dab133:https://idmserver.example.com/idp/module.php/core/as_login.php?AuthId=privacyidea&ReturnTo=https%3A%2F%2Fidmserver.example.com%2Fidp%2Fmodule.php%2Fcore%2Fauthenticate.php%3Fas%3Dprivacyidea'
Nov 01 17:39:58 simplesamlphp WARNING [01de37b8ec] The class or interface 'SimpleSAML_Auth_Source' is now using namespaces, please use 'SimpleSAML\Auth\Source'.
Nov 01 17:39:58 simplesamlphp WARNING [01de37b8ec] The class or interface 'sspmod_core_Auth_UserPassBase' is now using namespaces, please use 'SimpleSAML\Module\core\Auth\UserPassBase' instead.
Nov 01 17:39:58 simplesamlphp DEBUG [01de37b8ec] Loading state: '_6955321c8eff4eae9a22ac5b12923e19db74dab133:https://idmserver.example.com/idp/module.php/core/as_login.php?AuthId=privacyidea&ReturnTo=https%3A%2F%2Fidmserver.example.com%2Fidp%2Fmodule.php%2Fcore%2Fauthenticate.php%3Fas%3Dprivacyidea'
Nov 01 17:39:58 simplesamlphp WARNING [01de37b8ec] The class or interface 'SimpleSAML_Logger' is now using namespaces, please use 'SimpleSAML\Logger'.
Nov 01 17:39:58 simplesamlphp DEBUG [01de37b8ec] privacyIDEA: Utils::authenticatePI with form data:
username=test1, pass=, otp=4614055383, mode=otp, pushAvailable=, otpAvailable=1, modeChanged=0, webAuthnSignResponse=, webAuthnSignRequest=, origin=, u2fSignRequest=, u2fSignResponse=, message=, loadCounter=1
Nov 01 17:39:58 simplesamlphp DEBUG [01de37b8ec] privacyIDEA-PHP-Client: Sending user=test1, pass=4614055383, realm=example.com to /validate/check
Nov 01 17:40:02 simplesamlphp DEBUG [01de37b8ec] privacyIDEA-PHP-Client: /validate/check returned {
"detail": {
"message": "matching 1 tokens",
"otplen": 6,
"serial": "OATH000419C0",
"threadid": 139849740625664,
"type": "hotp"
},
"id": 2,
"jsonrpc": "2.0",
"result": {
"authentication": "ACCEPT",
"status": true,
"value": true
},
"time": 1667320802.2111187,
"version": "privacyIDEA 3.7.3",
"versionnumber": "3.7.3",
"signature": "rsa_sha256_pss: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"
}
Nov 01 17:40:02 simplesamlphp DEBUG [01de37b8ec] Saved state: '_6955321c8eff4eae9a22ac5b12923e19db74dab133:https://idmserver.example.com/idp/module.php/core/as_login.php?AuthId=privacyidea&ReturnTo=https%3A%2F%2Fidmserver.example.com%2Fidp%2Fmodule.php%2Fcore%2Fauthenticate.php%3Fas%3Dprivacyidea'
Nov 01 17:40:02 simplesamlphp DEBUG [01de37b8ec] Loading state: '_6955321c8eff4eae9a22ac5b12923e19db74dab133:https://idmserver.example.com/idp/module.php/core/as_login.php?AuthId=privacyidea&ReturnTo=https%3A%2F%2Fidmserver.example.com%2Fidp%2Fmodule.php%2Fcore%2Fauthenticate.php%3Fas%3Dprivacyidea'
Nov 01 17:40:02 simplesamlphp DEBUG [01de37b8ec] privacyIDEA: User authenticated successfully!
Nov 01 17:40:02 simplesamlphp DEBUG [01de37b8ec] Saved state: '_6955321c8eff4eae9a22ac5b12923e19db74dab133:https://idmserver.example.com/idp/module.php/core/as_login.php?AuthId=privacyidea&ReturnTo=https%3A%2F%2Fidmserver.example.com%2Fidp%2Fmodule.php%2Fcore%2Fauthenticate.php%3Fas%3Dprivacyidea'
Nov 01 17:40:02 simplesamlphp DEBUG [01de37b8ec] Loading state: '_6955321c8eff4eae9a22ac5b12923e19db74dab133:https://idmserver.example.com/idp/module.php/core/as_login.php?AuthId=privacyidea&ReturnTo=https%3A%2F%2Fidmserver.example.com%2Fidp%2Fmodule.php%2Fcore%2Fauthenticate.php%3Fas%3Dprivacyidea'
Nov 01 17:40:02 simplesamlphp DEBUG [01de37b8ec] Saved state: '_6955321c8eff4eae9a22ac5b12923e19db74dab133:https://idmserver.example.com/idp/module.php/core/as_login.php?AuthId=privacyidea&ReturnTo=https%3A%2F%2Fidmserver.example.com%2Fidp%2Fmodule.php%2Fcore%2Fauthenticate.php%3Fas%3Dprivacyidea'
Nov 01 17:40:02 simplesamlphp WARNING [01de37b8ec] The class or interface 'SimpleSAML_Module' is now using namespaces, please use 'SimpleSAML\Module'.
Nov 01 17:40:02 simplesamlphp WARNING [01de37b8ec] The class or interface 'SimpleSAML_Utilities' is now using namespaces, please use 'SimpleSAML\Utilities'.
Nov 01 17:40:02 simplesamlphp WARNING [01de37b8ec] The class or interface 'SimpleSAML_Logger' is now using namespaces, please use 'SimpleSAML\Logger'.
Nov 01 17:40:02 simplesamlphp DEBUG [01de37b8ec] Loading privacyIDEA form..
Nov 01 17:40:02 simplesamlphp WARNING [01de37b8ec] The class or interface 'SimpleSAML_Auth_State' is now using namespaces, please use 'SimpleSAML\Auth\State'.
Nov 01 17:40:02 simplesamlphp DEBUG [01de37b8ec] Loading state: '_6955321c8eff4eae9a22ac5b12923e19db74dab133:https://idmserver.example.com/idp/module.php/core/as_login.php?AuthId=privacyidea&ReturnTo=https%3A%2F%2Fidmserver.example.com%2Fidp%2Fmodule.php%2Fcore%2Fauthenticate.php%3Fas%3Dprivacyidea'
Nov 01 17:40:02 simplesamlphp WARNING [01de37b8ec] The class or interface 'SimpleSAML_XHTML_Template' is now using namespaces, please use 'SimpleSAML\XHTML\Template'.
Nov 01 17:40:02 simplesamlphp WARNING [01de37b8ec] The class or interface 'SimpleSAML_Configuration' is now using namespaces, please use 'SimpleSAML\Configuration'.
Nov 01 17:40:02 simplesamlphp DEBUG [01de37b8ec] Localization: using old system
Nov 01 17:40:02 simplesamlphp WARNING [01de37b8ec] The class or interface 'SimpleSAML_Auth_Source' is now using namespaces, please use 'SimpleSAML\Auth\Source'.
Nov 01 17:40:02 simplesamlphp WARNING [01de37b8ec] The class or interface 'sspmod_core_Auth_UserPassBase' is now using namespaces, please use 'SimpleSAML\Module\core\Auth\UserPassBase' instead.
Nov 01 17:40:02 simplesamlphp WARNING [01de37b8ec] The class or interface 'SimpleSAML_Session' is now using namespaces, please use 'SimpleSAML\Session'.
Nov 01 17:40:02 simplesamlphp DEBUG [01de37b8ec] Translate: Reading dictionary [/srv/php/simplesamlphp/releases/simplesamlphp-1.19.6/modules/privacyidea/dictionaries/privacyidea]
Nov 01 17:40:02 simplesamlphp WARNING [01de37b8ec] The class or interface 'SimpleSAML_Module' is now using namespaces, please use 'SimpleSAML\Module'.
Nov 01 17:40:02 simplesamlphp DEBUG [01de37b8ec] Translate: Reading dictionary [/srv/php/simplesamlphp/releases/simplesamlphp-1.19.6/dictionaries/login]
And then the same blank password + ‘login button’ reappear in the web UI, and this goes on forever.
It feels like the different states in the plugin are not selected correctly. Is that due to a mistake in the configuration of the plugin in authsources.php?
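The symptom in the log above (a successful privacyIDEA authentication followed by the form being loaded again under the same tracking ID) can be picked out of a SimpleSAMLphp debug log mechanically. The following is an added example, not part of the original post or of the plugin; the function name `find_login_loops` is hypothetical, the two marker messages are taken from the log lines quoted above, and the sample log is constructed.

```python
import re

# Constructed sample: the first session is abbreviated from the log in the post;
# the second session (aa11bb22cc) is invented to show a login that does not loop.
SAMPLE_LOG = """\
Nov 01 17:37:57 simplesamlphp DEBUG [01de37b8ec] Localization: using old system
Nov 01 17:39:58 simplesamlphp DEBUG [01de37b8ec] privacyIDEA-PHP-Client: Sending user=test1, pass=<redacted>, realm=example.com to /validate/check
Nov 01 17:40:02 simplesamlphp DEBUG [01de37b8ec] privacyIDEA-PHP-Client: /validate/check returned {
"result": {"authentication": "ACCEPT", "status": true, "value": true}
}
Nov 01 17:40:02 simplesamlphp DEBUG [01de37b8ec] privacyIDEA: User authenticated successfully!
Nov 01 17:40:02 simplesamlphp DEBUG [01de37b8ec] Loading privacyIDEA form..
Nov 01 17:41:10 simplesamlphp DEBUG [aa11bb22cc] privacyIDEA: User authenticated successfully!
Nov 01 17:41:10 simplesamlphp DEBUG [aa11bb22cc] Saved state: '_constructed'
"""

# "<date> simplesamlphp <LEVEL> [<tracking id>] <message>"
LINE_RE = re.compile(
    r"^(\w{3} \d{2} [\d:]{8}) simplesamlphp (\w+) \[([0-9a-f]+)\] (.*)$"
)
AUTH_OK = "privacyIDEA: User authenticated successfully!"
FORM_LOAD = "Loading privacyIDEA form"


def find_login_loops(log_text):
    """Return (tracking_id, auth_time, form_time) for each form reload after a success."""
    pending = {}  # tracking id -> timestamp of the last successful authentication
    loops = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # continuation line, e.g. the JSON body of /validate/check
        stamp, _level, track_id, message = m.groups()
        if message.startswith(AUTH_OK):
            pending[track_id] = stamp
        elif message.startswith(FORM_LOAD) and track_id in pending:
            # Same session shows the OTP form again after privacyIDEA accepted it.
            loops.append((track_id, pending.pop(track_id), stamp))
    return loops


if __name__ == "__main__":
    for track_id, auth_time, form_time in find_login_loops(SAMPLE_LOG):
        print(f"{track_id}: authenticated at {auth_time}, form reloaded at {form_time}")
```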