May I suggest to replace the link to the background image in simplesamlphp-module-privacyidea/themes/google/css/google.css line 32 that links to https://ssl.gstatic.com/accounts/ui/avatar_2x.png with a link to an image available in the plugin.

Some people would like have separate levels of security within their SSO environment. They have for instance applications which do not need 2FA, whereas they have other applications which should be only used with 2FA. Additionally one could think of "insecure" applications which have also administrative accounts, which should better also use 2FA.

The primary identifier of the SAML application is the entity ID. Secondary properties may be SAML attributes like group memberships.

This leads us to the following idea: an authproc filter "checkEntityID" will do two checks using regular expressions

1. entity ID -> disable privacyIDEA on match

(for a matching entityID)

2. SAML attributes -> enable privacyIDEA on match

By doing this, one could deactivate privacyIDEA for non-secure applications but exclude any users who have the specified group memberships or other attributes.

The logics would be

if (entityID matches a regexp) AND (not any attribute value matches any regexp configured for this entityID) then 
    state_variable = false
else
    state_variable = true

If there is no match in the first round, we would fall back to 2FA. This is important since entity IDs can also change during updates or such.

After upgrading simplesamlphp from 1.14.17 to 1.15.3 the login page no longer contains any text and the title says "Array" instead of "Authenticate against privacyIDEA".

This is the debug log from simplesaml...

Feb 27 20:16:10 ip-10-5-2-78 simplesamlphp[3954]: 7 [40822102d6] Localization: using old system
Feb 27 20:16:10 ip-10-5-2-78 simplesamlphp[3954]: 3 [40822102d6] SimpleSAML_Error_Exception: Error 8 - Undefined index: AuthId
Feb 27 20:16:10 ip-10-5-2-78 simplesamlphp[3954]: 3 [40822102d6] Backtrace:
Feb 27 20:16:10 ip-10-5-2-78 simplesamlphp[3954]: 3 [40822102d6] 5 /opt/simplesamlphp-1.15.3/www/_include.php:86 (SimpleSAML_error_handler)
Feb 27 20:16:10 ip-10-5-2-78 simplesamlphp[3954]: 3 [40822102d6] 4 /opt/simplesamlphp-1.15.3/lib/SimpleSAML/Auth/Source.php:40 (SimpleSAML_Auth_Source::__construct)
Feb 27 20:16:10 ip-10-5-2-78 simplesamlphp[3954]: 3 [40822102d6] 3 /opt/simplesamlphp-1.15.3/modules/core/lib/Auth/UserPassBase.php:93 (sspmod_core_Auth_UserPassBase::__construct)
Feb 27 20:16:10 ip-10-5-2-78 simplesamlphp[3954]: 3 [40822102d6] 2 /opt/simplesamlphp-1.15.3/modules/privacyidea/lib/Auth/Source/privacyidea.php:83 (sspmod_privacyidea_Auth_Source_privacyidea::__construct)
Feb 27 20:16:10 ip-10-5-2-78 simplesamlphp[3954]: 3 [40822102d6] 1 /opt/simplesamlphp-1.15.3/modules/privacyidea/www/loginform.php:135 (require)
Feb 27 20:16:10 ip-10-5-2-78 simplesamlphp[3954]: 3 [40822102d6] 0 /opt/simplesamlphp-1.15.3/www/module.php:135 (N/A)
Feb 27 20:16:10 ip-10-5-2-78 simplesamlphp[3954]: 7 [40822102d6] Template: Reading [/opt/simplesamlphp-1.15.3/modules/privacyidea/dictionaries/privacyidea]
Feb 27 20:16:10 ip-10-5-2-78 simplesamlphp[3954]: 3 [40822102d6] SimpleSAML_Error_Exception: Error 8 - Array to string conversion
Feb 27 20:16:10 ip-10-5-2-78 simplesamlphp[3954]: 3 [40822102d6] Backtrace:
Feb 27 20:16:10 ip-10-5-2-78 simplesamlphp[3954]: 3 [40822102d6] 6 /opt/simplesamlphp-1.15.3/www/_include.php:86 (SimpleSAML_error_handler)
Feb 27 20:16:10 ip-10-5-2-78 simplesamlphp[3954]: 3 [40822102d6] 5 /opt/simplesamlphp-1.15.3/templates/includes/header.php:50 (include)
Feb 27 20:16:10 ip-10-5-2-78 simplesamlphp[3954]: 3 [40822102d6] 4 /opt/simplesamlphp-1.15.3/lib/SimpleSAML/XHTML/Template.php:632 (SimpleSAML_XHTML_Template::includeAtTemplateBase)
Feb 27 20:16:10 ip-10-5-2-78 simplesamlphp[3954]: 3 [40822102d6] 3 /opt/simplesamlphp-1.15.3/modules/privacyidea/templates/loginform.php:36 (require)
Feb 27 20:16:10 ip-10-5-2-78 simplesamlphp[3954]: 3 [40822102d6] 2 /opt/simplesamlphp-1.15.3/lib/SimpleSAML/XHTML/Template.php:409 (SimpleSAML_XHTML_Template::show)
Feb 27 20:16:10 ip-10-5-2-78 simplesamlphp[3954]: 3 [40822102d6] 1 /opt/simplesamlphp-1.15.3/modules/privacyidea/www/loginform.php:166 (require)
Feb 27 20:16:10 ip-10-5-2-78 simplesamlphp[3954]: 3 [40822102d6] 0 /opt/simplesamlphp-1.15.3/www/module.php:135 (N/A)
Feb 27 20:16:10 ip-10-5-2-78 simplesamlphp[3954]: 3 [40822102d6] SimpleSAML_Error_Exception: Error 8 - Array to string conversion

I expected to see the usual text on the login page:

In the log I see:

Jun 29 22:27:57 simplesamlphp DEBUG [00e11fd73e] privacyIDEA authId: example.org-privacyidea
Jun 29 22:27:57 simplesamlphp DEBUG [00e11fd73e] Saved state: '_222bd2a0c69b0ce1c8a3b5648d1baba84b45bf8cc8:https://pi.example.org/simplesamlphp/module.php/core/as_login.php?AuthId=example.org-privacyidea&ReturnTo=https%3A%2F%2Fpi.example.org%2Fsimplesamlphp%2Fmodule.php%2Fcore%2Fauthenticate.php%3Fas%3Dexample.org-privacyidea'
Jun 29 22:27:57 simplesamlphp ERROR [00e11fd73e] SimpleSAML_Error_Exception: Error 8 - Undefined index: AuthId
Jun 29 22:27:57 simplesamlphp ERROR [00e11fd73e] Backtrace:
Jun 29 22:27:57 simplesamlphp ERROR [00e11fd73e] 5 /usr/share/simplesamlphp/www/_include.php:75 (SimpleSAML_error_handler)
Jun 29 22:27:57 simplesamlphp ERROR [00e11fd73e] 4 /usr/share/simplesamlphp/lib/SimpleSAML/Auth/Source.php:40 (SimpleSAML_Auth_Source::__construct)
Jun 29 22:27:57 simplesamlphp ERROR [00e11fd73e] 3 /usr/share/simplesamlphp/modules/core/lib/Auth/UserPassBase.php:93 (sspmod_core_Auth_UserPassBase::__construct)
Jun 29 22:27:57 simplesamlphp ERROR [00e11fd73e] 2 /usr/share/simplesamlphp/modules/privacyidea/lib/Auth/Source/privacyidea.php:80 (sspmod_privacyidea_Auth_Source_priva
cyidea::__construct)
Jun 29 22:27:57 simplesamlphp ERROR [00e11fd73e] 1 /usr/share/simplesamlphp/modules/privacyidea/www/loginform.php:135 (require)
Jun 29 22:27:57 simplesamlphp ERROR [00e11fd73e] 0 /usr/share/simplesamlphp/www/module.php:127 (N/A)

Can we avoid the ERROR messages?

At the moment the plugin does not support SSO if configured as authproc filter. So if the user is already authenticated, our authproc filter will be activated whenever the user visits a new service provider. This means that the authsource (e.g. LDAP) is skipped but the 2nd factor login is shown again.

Since SAML is usually used to realize Single Sign-On, we should also default to accept a valid assertion and skip the 2FA promt in this case.

One attempt to implement this has been made in PR #80. We will extend the code introduced by PR #91 and implement SSO to be configurable with a default "enabled" behavior.

With the authproc filter we should be able to allow some users to login without 2FA. I.e. do not display the 2nd Dialog to enter the OTP value to the users.

This decision could be made by the privacyIDEA server using policies like "passOnNoUser" or "passOnNoToken".

To achieve this, the authproc filter needs to communicate with the privacyIDEA server before the Dialog is displayed to the user. We can do this via the endpoint /validate/check or via the endpoint validate/triggerchallenge.

Using the triggerchallenge we can also add the possibility to also login with SMS or Email.

Unfortunately "triggerchallenge" currently does not support the "passOnNoUser".

enableshould be gitignore'd

The button in the simpleSAMLphp login form uses the default browser theme, because we do not overwrite this class. This means, that it looks really bad in our theme.
We shuould fix it.

With the branch addEnabledKey, we can enable or disable 2FA in some situations. If we want to enable 2FA if the user is not in the local network, we can check this in another authproc filter.

Possible config for such a new filter class could be:

exclude2FAIPs = array("192.168.1.2", "10.0.0.0/29", "172.16.0.1/24");

This code has turned into spaghetti over time. It needs to be refactored.

Description

With version 1.9 of this module, I see the following form at module.php/privacyidea/otpform.php after entering my username and the PIN for my U2F-token:

On version 1.8 I was only told that I had to confirm the login with my hardware-token, but I didn't have to re-enter my username. Right now the following things happen:

• My Yubikey 5 NFC actually blinks to indicate that there's an ongoing u2f authentication.
• But when I press it, nothing else happens (it doesn't matter here whether or not I've entered my username into the form above).

Browsers

I can reliably reproduce the non-working u2f auth in the following browsers:

• Firefox 89.0.2 (Linux)
• Chromium 91.0.4472.114 (Linux)

Used software

• This module at version 1.9 (where I can observe the issue) and 1.8 (where it doesn't exist)
• PrivacyIDEA 3.6
• SimpleSAMLPHP 1.19.1
• PHP 7.4.21

Error logs

I can see the following error logs, but those seem to be related to #21 :

Jul 13 16:34:33 ldap simplesamlphp[11032]: 3 [595163d129] SimpleSAML\Error\Exception: Error 8 - Undefined index: detailmap at /nix/store/gyyv376bh204ibdziz0sl14k0zpiy7fr-simplesamlphp-1.19.1/modules/privacyidea/lib/Auth/Source/privacyidea.php:68
Jul 13 16:34:33 ldap simplesamlphp[11032]: 3 [595163d129] Backtrace:
Jul 13 16:34:33 ldap simplesamlphp[11032]: 3 [595163d129] 6 /nix/store/gyyv376bh204ibdziz0sl14k0zpiy7fr-simplesamlphp-1.19.1/www/_include.php:44 (SimpleSAML_error_handler)
Jul 13 16:34:33 ldap simplesamlphp[11032]: 3 [595163d129] 5 /nix/store/gyyv376bh204ibdziz0sl14k0zpiy7fr-simplesamlphp-1.19.1/modules/privacyidea/lib/Auth/Source/privacyidea.php:68 (sspmod_privacyidea_Auth_Source_privacyidea::__construct)
Jul 13 16:34:33 ldap simplesamlphp[11032]: 3 [595163d129] 4 /nix/store/gyyv376bh204ibdziz0sl14k0zpiy7fr-simplesamlphp-1.19.1/lib/SimpleSAML/Auth/Source.php:336 (SimpleSAML\Auth\Source::parseAuthSource)
Jul 13 16:34:33 ldap simplesamlphp[11032]: 3 [595163d129] 3 /nix/store/gyyv376bh204ibdziz0sl14k0zpiy7fr-simplesamlphp-1.19.1/lib/SimpleSAML/Auth/Source.php:381 (SimpleSAML\Auth\Source::getById)
Jul 13 16:34:33 ldap simplesamlphp[11032]: 3 [595163d129] 2 /nix/store/gyyv376bh204ibdziz0sl14k0zpiy7fr-simplesamlphp-1.19.1/lib/SimpleSAML/IdP.php:105 (SimpleSAML\IdP::__construct)
Jul 13 16:34:33 ldap simplesamlphp[11032]: 3 [595163d129] 1 /nix/store/gyyv376bh204ibdziz0sl14k0zpiy7fr-simplesamlphp-1.19.1/lib/SimpleSAML/IdP.php:139 (SimpleSAML\IdP::getById)
Jul 13 16:34:33 ldap simplesamlphp[11032]: 3 [595163d129] 0 /nix/store/gyyv376bh204ibdziz0sl14k0zpiy7fr-simplesamlphp-1.19.1/www/saml2/idp/SSOService.php:23 (N/A)
Jul 13 16:34:33 ldap simplesamlphp[11032]: 3 [595163d129] SimpleSAML\Error\Exception: Error 8 - Undefined index: concatenationmap at /nix/store/gyyv376bh204ibdziz0sl14k0zpiy7fr-simplesamlphp-1.19.1/modules/privacyidea/lib/Auth/Source/privacyidea.php:68
Jul 13 16:34:33 ldap simplesamlphp[11032]: 3 [595163d129] Backtrace:
Jul 13 16:34:33 ldap simplesamlphp[11032]: 3 [595163d129] 6 /nix/store/gyyv376bh204ibdziz0sl14k0zpiy7fr-simplesamlphp-1.19.1/www/_include.php:44 (SimpleSAML_error_handler)
Jul 13 16:34:33 ldap simplesamlphp[11032]: 3 [595163d129] 5 /nix/store/gyyv376bh204ibdziz0sl14k0zpiy7fr-simplesamlphp-1.19.1/modules/privacyidea/lib/Auth/Source/privacyidea.php:68 (sspmod_privacyidea_Auth_Source_privacyidea::__construct)
Jul 13 16:34:33 ldap simplesamlphp[11032]: 3 [595163d129] 4 /nix/store/gyyv376bh204ibdziz0sl14k0zpiy7fr-simplesamlphp-1.19.1/lib/SimpleSAML/Auth/Source.php:336 (SimpleSAML\Auth\Source::parseAuthSource)
Jul 13 16:34:33 ldap simplesamlphp[11032]: 3 [595163d129] 3 /nix/store/gyyv376bh204ibdziz0sl14k0zpiy7fr-simplesamlphp-1.19.1/lib/SimpleSAML/Auth/Source.php:381 (SimpleSAML\Auth\Source::getById)
Jul 13 16:34:33 ldap simplesamlphp[11032]: 3 [595163d129] 2 /nix/store/gyyv376bh204ibdziz0sl14k0zpiy7fr-simplesamlphp-1.19.1/lib/SimpleSAML/IdP.php:105 (SimpleSAML\IdP::__construct)
Jul 13 16:34:33 ldap simplesamlphp[11032]: 3 [595163d129] 1 /nix/store/gyyv376bh204ibdziz0sl14k0zpiy7fr-simplesamlphp-1.19.1/lib/SimpleSAML/IdP.php:139 (SimpleSAML\IdP::getById)
Jul 13 16:34:33 ldap simplesamlphp[11032]: 3 [595163d129] 0 /nix/store/gyyv376bh204ibdziz0sl14k0zpiy7fr-simplesamlphp-1.19.1/www/saml2/idp/SSOService.php:23 (N/A)
Jul 13 16:34:33 ldap simplesamlphp[11032]: 6 [595163d129] SAML2.0 - IdP.SSOService: incoming authentication request: 'https://wolke.mbosch.me/apps/user_saml/saml/metadata'
Jul 13 16:34:33 ldap simplesamlphp[11032]: 3 [595163d129] SimpleSAML\Error\Exception: Error 8 - Undefined index: detailmap at /nix/store/gyyv376bh204ibdziz0sl14k0zpiy7fr-simplesamlphp-1.19.1/modules/privacyidea/lib/Auth/Source/privacyidea.php:68
Jul 13 16:34:33 ldap simplesamlphp[11032]: 3 [595163d129] Backtrace:
Jul 13 16:34:33 ldap simplesamlphp[11032]: 3 [595163d129] 9 /nix/store/gyyv376bh204ibdziz0sl14k0zpiy7fr-simplesamlphp-1.19.1/www/_include.php:44 (SimpleSAML_error_handler)
Jul 13 16:34:33 ldap simplesamlphp[11032]: 3 [595163d129] 8 /nix/store/gyyv376bh204ibdziz0sl14k0zpiy7fr-simplesamlphp-1.19.1/modules/privacyidea/lib/Auth/Source/privacyidea.php:68 (sspmod_privacyidea_Auth_Source_privacyidea::__construct)
Jul 13 16:34:33 ldap simplesamlphp[11032]: 3 [595163d129] 7 /nix/store/gyyv376bh204ibdziz0sl14k0zpiy7fr-simplesamlphp-1.19.1/lib/SimpleSAML/Auth/Source.php:336 (SimpleSAML\Auth\Source::parseAuthSource)
Jul 13 16:34:33 ldap simplesamlphp[11032]: 3 [595163d129] 6 /nix/store/gyyv376bh204ibdziz0sl14k0zpiy7fr-simplesamlphp-1.19.1/lib/SimpleSAML/Auth/Source.php:381 (SimpleSAML\Auth\Source::getById)
Jul 13 16:34:33 ldap simplesamlphp[11032]: 3 [595163d129] 5 /nix/store/gyyv376bh204ibdziz0sl14k0zpiy7fr-simplesamlphp-1.19.1/lib/SimpleSAML/Auth/Simple.php:68 (SimpleSAML\Auth\Simple::getAuthSource)
Jul 13 16:34:33 ldap simplesamlphp[11032]: 3 [595163d129] 4 /nix/store/gyyv376bh204ibdziz0sl14k0zpiy7fr-simplesamlphp-1.19.1/lib/SimpleSAML/Auth/Simple.php:168 (SimpleSAML\Auth\Simple::login)
Jul 13 16:34:33 ldap simplesamlphp[11032]: 3 [595163d129] 3 /nix/store/gyyv376bh204ibdziz0sl14k0zpiy7fr-simplesamlphp-1.19.1/lib/SimpleSAML/IdP.php:357 (SimpleSAML\IdP::authenticate)
Jul 13 16:34:33 ldap simplesamlphp[11032]: 3 [595163d129] 2 /nix/store/gyyv376bh204ibdziz0sl14k0zpiy7fr-simplesamlphp-1.19.1/lib/SimpleSAML/IdP.php:415 (SimpleSAML\IdP::handleAuthenticationRequest)
Jul 13 16:34:33 ldap simplesamlphp[11032]: 3 [595163d129] 1 /nix/store/gyyv376bh204ibdziz0sl14k0zpiy7fr-simplesamlphp-1.19.1/modules/saml/lib/IdP/SAML2.php:492 (SimpleSAML\Module\saml\IdP\SAML2::receiveAuthnRequest)
Jul 13 16:34:33 ldap simplesamlphp[11032]: 3 [595163d129] 0 /nix/store/gyyv376bh204ibdziz0sl14k0zpiy7fr-simplesamlphp-1.19.1/www/saml2/idp/SSOService.php:26 (N/A)
Jul 13 16:34:33 ldap simplesamlphp[11032]: 3 [595163d129] SimpleSAML\Error\Exception: Error 8 - Undefined index: concatenationmap at /nix/store/gyyv376bh204ibdziz0sl14k0zpiy7fr-simplesamlphp-1.19.1/modules/privacyidea/lib/Auth/Source/privacyidea.php:68
Jul 13 16:34:33 ldap simplesamlphp[11032]: 3 [595163d129] Backtrace:
Jul 13 16:34:33 ldap simplesamlphp[11032]: 3 [595163d129] 9 /nix/store/gyyv376bh204ibdziz0sl14k0zpiy7fr-simplesamlphp-1.19.1/www/_include.php:44 (SimpleSAML_error_handler)
Jul 13 16:34:33 ldap simplesamlphp[11032]: 3 [595163d129] 8 /nix/store/gyyv376bh204ibdziz0sl14k0zpiy7fr-simplesamlphp-1.19.1/modules/privacyidea/lib/Auth/Source/privacyidea.php:68 (sspmod_privacyidea_Auth_Source_privacyidea::__construct)
Jul 13 16:34:33 ldap simplesamlphp[11032]: 3 [595163d129] 7 /nix/store/gyyv376bh204ibdziz0sl14k0zpiy7fr-simplesamlphp-1.19.1/lib/SimpleSAML/Auth/Source.php:336 (SimpleSAML\Auth\Source::parseAuthSource)
Jul 13 16:34:33 ldap simplesamlphp[11032]: 3 [595163d129] 6 /nix/store/gyyv376bh204ibdziz0sl14k0zpiy7fr-simplesamlphp-1.19.1/lib/SimpleSAML/Auth/Source.php:381 (SimpleSAML\Auth\Source::getById)
Jul 13 16:34:33 ldap simplesamlphp[11032]: 3 [595163d129] 5 /nix/store/gyyv376bh204ibdziz0sl14k0zpiy7fr-simplesamlphp-1.19.1/lib/SimpleSAML/Auth/Simple.php:68 (SimpleSAML\Auth\Simple::getAuthSource)
Jul 13 16:34:33 ldap simplesamlphp[11032]: 3 [595163d129] 4 /nix/store/gyyv376bh204ibdziz0sl14k0zpiy7fr-simplesamlphp-1.19.1/lib/SimpleSAML/Auth/Simple.php:168 (SimpleSAML\Auth\Simple::login)
Jul 13 16:34:33 ldap simplesamlphp[11032]: 3 [595163d129] 3 /nix/store/gyyv376bh204ibdziz0sl14k0zpiy7fr-simplesamlphp-1.19.1/lib/SimpleSAML/IdP.php:357 (SimpleSAML\IdP::authenticate)
Jul 13 16:34:33 ldap simplesamlphp[11032]: 3 [595163d129] 2 /nix/store/gyyv376bh204ibdziz0sl14k0zpiy7fr-simplesamlphp-1.19.1/lib/SimpleSAML/IdP.php:415 (SimpleSAML\IdP::handleAuthenticationRequest)
Jul 13 16:34:33 ldap simplesamlphp[11032]: 3 [595163d129] 1 /nix/store/gyyv376bh204ibdziz0sl14k0zpiy7fr-simplesamlphp-1.19.1/modules/saml/lib/IdP/SAML2.php:492 (SimpleSAML\Module\saml\IdP\SAML2::receiveAuthnRequest)
Jul 13 16:34:33 ldap simplesamlphp[11032]: 3 [595163d129] 0 /nix/store/gyyv376bh204ibdziz0sl14k0zpiy7fr-simplesamlphp-1.19.1/www/saml2/idp/SSOService.php:26 (N/A)
Jul 13 16:34:33 ldap simplesamlphp[11032]: 4 [595163d129] The class or interface 'SimpleSAML_Logger' is now using namespaces, please use 'SimpleSAML\Logger'.
Jul 13 16:34:33 ldap simplesamlphp[11032]: 4 [595163d129] The class or interface 'SimpleSAML_Auth_State' is now using namespaces, please use 'SimpleSAML\Auth\State'.
Jul 13 16:34:33 ldap simplesamlphp[11032]: 4 [595163d129] The class or interface 'SimpleSAML_Module' is now using namespaces, please use 'SimpleSAML\Module'.
Jul 13 16:34:33 ldap simplesamlphp[11032]: 4 [595163d129] The class or interface 'SimpleSAML_Utilities' is now using namespaces, please use 'SimpleSAML\Utilities'.
Jul 13 16:34:33 ldap simplesamlphp[10739]: 4 [595163d129] The class or interface 'SimpleSAML_Auth_State' is now using namespaces, please use 'SimpleSAML\Auth\State'.
Jul 13 16:34:33 ldap simplesamlphp[10739]: 4 [595163d129] The class or interface 'SimpleSAML_Logger' is now using namespaces, please use 'SimpleSAML\Logger'.
Jul 13 16:34:33 ldap simplesamlphp[10739]: 4 [595163d129] The class or interface 'SimpleSAML_Configuration' is now using namespaces, please use 'SimpleSAML\Configuration'.
Jul 13 16:34:33 ldap simplesamlphp[10739]: 4 [595163d129] The class or interface 'SimpleSAML_XHTML_Template' is now using namespaces, please use 'SimpleSAML\XHTML\Template'.
Jul 13 16:34:33 ldap simplesamlphp[10739]: 4 [595163d129] The class or interface 'sspmod_core_Auth_UserPassBase' is now using namespaces, please use 'SimpleSAML\Module\core\Auth\UserPassBase' instead.
Jul 13 16:34:33 ldap simplesamlphp[10739]: 3 [595163d129] SimpleSAML\Error\Exception: Error 8 - Undefined index: AuthId at /nix/store/gyyv376bh204ibdziz0sl14k0zpiy7fr-simplesamlphp-1.19.1/lib/SimpleSAML/Auth/Source.php:49
Jul 13 16:34:33 ldap simplesamlphp[10739]: 3 [595163d129] Backtrace:
Jul 13 16:34:33 ldap simplesamlphp[10739]: 3 [595163d129] 6 /nix/store/gyyv376bh204ibdziz0sl14k0zpiy7fr-simplesamlphp-1.19.1/www/_include.php:44 (SimpleSAML_error_handler)
Jul 13 16:34:33 ldap simplesamlphp[10739]: 3 [595163d129] 5 /nix/store/gyyv376bh204ibdziz0sl14k0zpiy7fr-simplesamlphp-1.19.1/lib/SimpleSAML/Auth/Source.php:49 (SimpleSAML\Auth\Source::__construct)
Jul 13 16:34:33 ldap simplesamlphp[10739]: 3 [595163d129] 4 /nix/store/gyyv376bh204ibdziz0sl14k0zpiy7fr-simplesamlphp-1.19.1/modules/core/lib/Auth/UserPassBase.php:112 (SimpleSAML\Module\core\Auth\UserPassBase::__construct)
Jul 13 16:34:33 ldap simplesamlphp[10739]: 3 [595163d129] 3 /nix/store/gyyv376bh204ibdziz0sl14k0zpiy7fr-simplesamlphp-1.19.1/modules/privacyidea/lib/Auth/Source/privacyidea.php:67 (sspmod_privacyidea_Auth_Source_privacyidea::__construct)
Jul 13 16:34:33 ldap simplesamlphp[10739]: 3 [595163d129] 2 /nix/store/gyyv376bh204ibdziz0sl14k0zpiy7fr-simplesamlphp-1.19.1/modules/privacyidea/www/otpform.php:141 (require)
Jul 13 16:34:33 ldap simplesamlphp[10739]: 3 [595163d129] 1 /nix/store/gyyv376bh204ibdziz0sl14k0zpiy7fr-simplesamlphp-1.19.1/lib/SimpleSAML/Module.php:266 (SimpleSAML\Module::process)
Jul 13 16:34:33 ldap simplesamlphp[10739]: 3 [595163d129] 0 /nix/store/gyyv376bh204ibdziz0sl14k0zpiy7fr-simplesamlphp-1.19.1/www/module.php:10 (N/A)

After successful login, a print_r array of user attributes is displayed for a short period of time in the browser window. This is due to missing "TRUE" parameters in the call to print_r in privacyidea.php: 249 and 256

Hi there. It looks like module is not working as authsource because of missing www/loginform.php file.
Fix it please.

Getting these warnings about namespaces after upgrading to simplesamlphp 1.15. These occur when the privacyidea login page loads.

Feb 27 23:12:08 ip-10-5-2-78 simplesamlphp[28534]: 4 [40822102d6] The class or interface 'SimpleSAML_Logger' is now using namespaces, please use 'SimpleSAML\Logger'.
Feb 27 23:12:08 ip-10-5-2-78 simplesamlphp[28534]: 4 [40822102d6] The class or interface 'SimpleSAML_Module' is now using namespaces, please use 'SimpleSAML\Module'.

After a recent update, the login text now includes <em> as well as </em>. This is probably due to the addition of htmlspecialchars in one of the recent commits.

Should the translations/texts be changed to omit any HTML?

If an IdP is connected to several SPs, the SPs might require different attributes and also different login attributes.

The admin can however define different privacyidea authproc settings per SP.
But in some scenarios the admin might want to only configure the privacyIDEA authproc centrally and then use this authproc setting for all SPs.

In this scenario the autproc needs to be able to fetch the username from different attributes.
Currently our uidkey can only hold one attribute. This would work for some SPs, but not for others.

We could enhance the uidkey this way, that it also accepts and array of attributes like:

  "uidkey" => array("uid", "mail"),

Then the authproc would first fetch the "uid" from the attributes, if the "uid" does not exist, then it would fetch the "mail"...

(However, I think uidkey is the wrong name anyways. Actually it is the loginnamekey. Isn't is? ;-)

https://groups.google.com/forum/#!topic/privacyidea/yDoPWUpqdWo

Hi,

I couldn't figure out a way to stop privacyidea from doing 2FA when using the authproc method or "Method 2" when you are going between different sites. So, you login to site one, then do the 2FA, and then visit site two and it asks you to do the 2FA again.

Since, I couldn't figure out a way to do this, feel free to correct me if I'm wrong about this, I created a configuration option and some code.

Please document the new functions.

• What do they do?
• What parameters do they expect?
• What do they return?

Is it possible to login simplesamlphp icm u2f key?

The translation should not contain the english text.
This leads to not displaying the text.
https://github.com/privacyidea/simplesamlphp-module-privacyidea/blob/master/dictionaries/privacyidea.translation.json

We have checkClientIP and checkEntityID which check for client IP, entity and SAML attributes. On the long run, we may implement those three checks in a single configuration to realize condition combinations like

• IF clientIP = xyz AND attribute memberOf = asdf THEN disable
• IF entityID != xyz AND clientIP THEN enable
• IF memberOf = asdf THEN disable

We removed the debian package building from the privacyidea repo and should add it into this repo.

Can you release a new version to packagist. I'm interested in the translation fix and multi-value attributes.

We should support auth proc filters.
This way another auth source can first authenticate the user (e.g.) LDAP and in a second step an additional authentication will be run against privacyIDEA.

Yubikey auth proc does it this way:
https://github.com/simplesamlphp/simplesamlphp-module-yubikey/tree/master/lib/Auth/Process

[ ] We need to also provide the UI!?

Here is the basic concept
https://simplesamlphp.org/docs/stable/simplesamlphp-authproc

Todo: Discuss

Hi, when installing the plugin via the Ubuntu package, there are some files missing in the /usr/share/simplesamlphp/modules/privacyidea/ directory. When trying to authenticate to privacyIDEA via simplesamlphp, you will get error messages because of the missing files.

git clone https://github.com/privacyidea/simplesamlphp-module-privacyidea.git
cp -r simplesamlphp-module-privacyidea/* /usr/share/simplesamlphp/modules/privacyidea/

fixes the issue

If the option doTriggerChallenge is set to true in the serverconfig, we expect that serviceAccount and servicePass are used to do a request against /validate/triggerchallenge.

PR #112 elaborates on this issue.

SSO as introduced by 29c6ae3 is insecure. Don't use it yet.

Background:
The checked $state['Expire'] is apparently present already after sole authsource login. If a user successfully logs in with hist first factor and he returns to the login page of the IdP, he may avoid being asked for his second factor.

Resolution:

• Find a way to access the assertion from within an authproc filter.
• Write a meta authsource filter, which includes the primary authsource and privacyidea, so we have full control

When a RADIUS/SMS/Email token is used, the response field does not appear. I believe it is related to $hideResponseInput being set to true by default but not being set back to false if the challenge does not contain a u2f token.

The user does not need to manually enable this plugin. The documentation currently states otherwise.

Every Proxy-Server/Gateway might add another value for X-Forwarded-For so that the value might be 127.0.1, 1.2.3.4, 5.6.7.8. This is not considered in lib/Auth/utils.php: sspmod_privacyidea_Auth_utils::getClientIP().

I'm trying to switch an LDAP integration for simpleSAMLphp over to privacyIDEA for faster, more secure login. So far I haven't been able to get any LDAP group information propagated to the simpleSAML side.

I'm open to pretty much any idea you may have in terms of how to configure simpleSAMLphp + privacyIDEA so that LDAP group membership can be used to control access to SAML SPs.

Currently if an unexpected error occurs during u2f signing (for example because the AppID is wrong and we cannot actually authenticate using u2f), the error is not caught and we literally send the string "undefined" to the server for both clientdata and signaturedata, which will only run into an exception during base64 decoding, making it very hard for an administrator to figure out what is actually wrong:

binascii.Error: Invalid base64-encoded string: number of data characters (9) cannot be 1 more than a multiple of 4

privacyidea itself allows a resolver to return further attributes (for example, groups). However, the simplesamlphp module is limited to the attributes it knows about privacyidea.php#L236.

Could this be extended by a configuration option or be changed to map all attributes? (Personally, I just added my own attribute to the list)

It would be nice if the supported authentication methods would be documented in the readme. I just found out by testing that TiQR is currently mit supported.

The tokenenrollment checks if the user has a token here .

But the params are not used in the request. THis is, since they are not passed to curl here:
https://github.com/privacyidea/simplesamlphp-module-privacyidea/blob/master/lib/Auth/utils.php#L44

The params are only used for the POST request. In this very method the params should also be used for the GET request.
This could be done like here: http://agichevski.com/2014/01/21/php-curl-post-and-get-methods/

We should add support for push tokens.

The following two classes have an uppercase "IDEA" in the class name:

• https://github.com/privacyidea/simplesamlphp-module-privacyidea/blob/master/lib/Auth/Process/checkClientIP.php
• https://github.com/privacyidea/simplesamlphp-module-privacyidea/blob/master/lib/Auth/Process/tokenEnrollment.php

While the following two classes have a lowercase "idea" in the class name:

• https://github.com/privacyidea/simplesamlphp-module-privacyidea/blob/master/lib/Auth/Process/privacyidea.php
• https://github.com/privacyidea/simplesamlphp-module-privacyidea/blob/master/lib/Auth/Process/serverconfig.php

The result is that, if you call an Auth/Process filter that renders a template before you call the privacyIDEA modules that have the uppercase "IDEA" in the class name, you get a PHP error similar to the following:

PHP Fatal error: SimpleSAML\Auth\ProcessingChain::resumeProcessing(): The script tried to execute a method or access a property of an incomplete object. Please ensure that the class definition "sspmod_privacyIDEA_Auth_Process_checkClientIP" of the object you are trying to operate on was loaded _before_ unserialize() gets called or provide an autoloader to load the class definition in /opt/simplesamlphp-1.18.3/lib/SimpleSAML/Auth/ProcessingChain.php on line 251

I have verified that, if my Auth/Process filter never displays a template, then the error does not happen, however, if my filter displays a template, once the code eventually calls \SimpleSAML\Auth\ProcessingChain::resumeProcessing($state);, the error is thrown (which results in a server 500 error).

I tried to work around this by changing the name of the filter class in the config from privacyidea:checkClientIP to privacyIDEA:checkClientIP, but when I did that, PHP threw the following error:

An error has occurred. Caused by: Exception: Could not resolve 'privacyIDEA:checkClientIP': no class named 'SimpleSAML\Module\privacyIDEA\Auth\Process\checkClientIP' or 'sspmod_privacyIDEA_Auth_Process_checkClientIP'. error number: ...

The only solution I could find was to the change the name of the class for checkClientIP.php and tokenEnrollment.php so that "privacyidea" is lowercase, e.g.:

class sspmod_privacyidea_Auth_Process_checkClientIP extends SimpleSAML_Auth_ProcessingFilter {

Do you know why two of the classes are named with privacyIDEA and the other two are named with privacyidea?

If you would like me to submit a PR for my changes, please let me know.

Since 62973e4 we support isPassive requests. However, the set variable by

$session->setData('privacyidea:privacyidea', 'authenticated', true);

is not properly cleaned on logout, causing the 2FA login to be bypassed even after logout and another login in the same browser window.

The login forms should accept "Enter" as hitting the "Login"-Button / sending the form.

Could you release a new version? I'm interested in 1b9dd8c and 765d715. Thanks!

All commits since tag 1.7 need to be added to the Changelog.

/usr/local/openresty/nginx/www-root/sso/simplesamlphp (1.15.0-rc1)
PHP Version >= 5.4. You run: 7.1.9
privacyIDEA 2.19.1

SimpleSAML_Error_Error: UNHANDLEDEXCEPTION
Backtrace:
1 www/_include.php:45 (SimpleSAML_exception_handler)
0 [builtin] (N/A)
Caused by: SimpleSAML\Error\CannotSetCookie: Headers already sent.
Backtrace:
6 lib/SimpleSAML/Utils/HTTP.php:1157 (SimpleSAML\Utils\HTTP::setCookie)
5 lib/SimpleSAML/Session.php:648 (SimpleSAML_Session::doLogin)
4 lib/SimpleSAML/Auth/Source.php:224 (SimpleSAML_Auth_Source::loginCompleted)
3 lib/SimpleSAML/Auth/Source.php:145 (SimpleSAML_Auth_Source::completeAuth)
2 modules/privacyidea/lib/Auth/Source/privacyidea.php:369 (sspmod_privacyidea_Auth_Source_privacyidea::handleLogin)
1 modules/privacyidea/www/loginform.php:102 (require)
0 www/module.php:135 (N/A)

We should use the endpoint /validate/check instead of the endpoint /validate/samlcheck.
The samlcheck endpoint only exists for historic reasons, since it returns the necessary user data.

However, the endpoint /validate/check can also return user data with the right policy in privacyidea.

Is it possible to concatenate privacyIDEA fields for mapping to saml attributes? Something along these lines (see displayName):

'attributemap' => array('username' => 'samlLoginName',
                       'surname' => 'surName',
                       'givenname' => 'givenName',
                       'givenname'.' '.surname' => 'displayName',
                       'email' => 'emailAddress',
                       'phone' => 'telePhone',
                       'mobile' => 'mobilePhone',
                       ),

Also, is there a support for 'core:AttributeMap' of simpleAmlPhp where one can specify mapping to multiple attributes. For example:

 'email' => array('email', 'emailAddress')

Thank you!

I was playing with simplesamlphp and this modules.
But I this configure my 'privacyideaserver' server wrong. right domain but non existing path
I allowed me to login without an error.
Any username and password is accepted.
But no attribures returns.

simplesamlphp (1.13.2) from ubuntu 15_10.

Adding the token type as returned by privacyid3a to the saml attributes allows service providers to define more granular access control. For instance, you could differentiate between users that did and did not use 2FA if passthru is enabled, or block spass, sms, and e-mail tokens for specific services that have high security needs.

I have the firefox u2f addon installed, and it works to login to privacyIDEA.

It doesn't work with the simpleSAMLphp module though :(

It is working but errors are misleading and I get apache errors.

Error below is if a user does not exists.

Apache log:

[Fri Nov 06 10:06:19.281166 2015] [:error] [pid 17217] [client xxx.xxx.xxx.xxx:55106] PHP Notice:     Trying to get property of non-object in /usr/share/simplesamlphp/modules/privacyidea/lib/Auth/Source/privacyidea.php on line 138, referer: https://www.mydomain.com/simplesampath/module.php/core/loginuserpass.php?
[Fri Nov 06 10:06:19.281199 2015] [:error] [pid 17217] [client xxx.xxx.xxx.xxx:55106] PHP Stack trace:, referer: https://www.mydomain.com/simplesampath/module.php/core/loginuserpass.php?
[Fri Nov 06 10:06:19.281210 2015] [:error] [pid 17217] [client xxx.xxx.xxx.xxx:55106] PHP   1. {main}() /usr/share/simplesamlphp/www/module.php:0, referer: https://www.mydomain.com/simplesampath/module.php/core/loginuserpass.php?
[Fri Nov 06 10:06:19.281219 2015] [:error] [pid 17217] [client xxx.xxx.xxx.xxx:55106] PHP   2. require() /usr/share/simplesamlphp/www/module.php:134, referer: https://www.mydomain.com/simplesampath/module.php/core/loginuserpass.php?
[Fri Nov 06 10:06:19.281236 2015] [:error] [pid 17217] [client xxx.xxx.xxx.xxx:55106] PHP   3. sspmod_core_Auth_UserPassBase::handleLogin() /usr/share/simplesamlphp/modules/core/www/loginuserpass.php:75, referer: https://www.mydomain.com/simplesampath/module.php/core/loginuserpass.php?
[Fri Nov 06 10:06:19.281250 2015] [:error] [pid 17217] [client xxx.xxx.xxx.xxx:55106] PHP   4. sspmod_privacyidea_Auth_Source_privacyidea->login() /usr/share/simplesamlphp/modules/core/lib/Auth/UserPassBase.php:259, referer: https://www.mydomain.com/simplesampath/module.php/core/loginuserpass.php?

It seems that Undefined property are not catch in the try block.
So Line 140 is never called.

In privacyidea.txt we have the following attributemap:

         'attributemap' => array('username' => 'samlLoginName',
         			 'surname' => 'surName',
         			 'givenname' => 'givenName',
         			 'email' => 'emailAddress',
         			 'phone' => 'telePhone',
         			 'mobile' => 'mobilePhone'),

Since privacyidea/privacyidea@330591e
the LDAP resolver returns an array of mobile numbers. And we get in the log:

Jun 29 22:00:22 simplesamlphp DEBUG [00e11fd73e] privacyidea        key: mobile
Jun 29 22:00:22 simplesamlphp DEBUG [00e11fd73e] privacyidea mapped key: mobilePhone
Jun 29 22:00:22 simplesamlphp ERROR [00e11fd73e] SimpleSAML_Error_Exception: Error 8 - Array to string conversion
Jun 29 22:00:22 simplesamlphp ERROR [00e11fd73e] Backtrace:
Jun 29 22:00:22 simplesamlphp ERROR [00e11fd73e] 4 /usr/share/simplesamlphp/www/_include.php:75 (SimpleSAML_error_handler)
Jun 29 22:00:22 simplesamlphp ERROR [00e11fd73e] 3 /usr/share/simplesamlphp/modules/privacyidea/lib/Auth/Source/privacyidea.php:262 (sspmod_privacyidea_Auth_Source_priv
acyidea::login_chal_resp)
Jun 29 22:00:22 simplesamlphp ERROR [00e11fd73e] 2 /usr/share/simplesamlphp/modules/privacyidea/lib/Auth/Source/privacyidea.php:356 (sspmod_privacyidea_Auth_Source_priv
acyidea::handleLogin)
Jun 29 22:00:22 simplesamlphp ERROR [00e11fd73e] 1 /usr/share/simplesamlphp/modules/privacyidea/www/loginform.php:101 (require)
Jun 29 22:00:22 simplesamlphp ERROR [00e11fd73e] 0 /usr/share/simplesamlphp/www/module.php:127 (N/A)

Can we enhance the documentation to either use the number or the first element of the array and avoid the ERROR messages? Since I don't use the field I simply removed the field from the attributemap.