privacyIDEA 2.17 – More Event Handling and improved Challenge Response

We are happy to annouce that we released privacyIDEA 2.17 today!

The new version is available via launchpad and pypi.

privacyIDEA the event juggler

privacyIDEA the event juggler
privacyIDEA the event juggler

privacyIDEA can handle events. It all started with a simple notification, but now privacyIDEA can juggle actions and events like a pro. In privacyIDEA there are two new event handler modules, which will help you to automate your processes a lot. If you can think of more, drop an issue at github!

Token Event Handler

As a reaction to typical events the administrator can define new actions on the corresponding token. These actions can be “set tokenrealm”, “delete”, “unassign”, “disable”, “enable”, “enroll”, “set description”, “set validity”. You could e.g. disable all newly enrolled tokens, so that first the user has somehow to confirm the reception of his device and then enable the token again. Or you could set the validity period based on the number of failed authentication requests.

I am sure, this will also help to streamline and automate your processes! See the documentation of the Token Event Handler.

Script Event Handler

privacyIDEA 2.17 is about rock solid automation!
privacyIDEA 2.17 is about rock solid automation!

The Script Event Handler Module is a monster, which limits we can not know at the moment. Yes, you can run external scripts in case of any events. The scripts have to be located in the privacyIDEA script directory and they can take several parameters like the token serial number or the username. This way you can create processes and actions outside of privacyIDEA and that have no limits. The documentation contains a full list of parameters and the location of the the script directory.

Improved Challenge Response with SMS

In case of Challenge Response privacyIDEA requires the user to authenticate with his OTP PIN. Then privacyIDEA will send the SMS or the Email. In certain cases this does not work well. So with privacyIDEA 2.17 the REST API was enhanced, that an SMS can also be sent without the users PIN but with an administrators interaction. This API will be used with the privacyIDEA ownCloud App. This way privacyIDEA and ownCloud or Nextcloud can also be used with SMS or Email Tokens.

Enhanced Resolver logic in policies

The same user in two resolvers - allows for more detailed policies.
The same user in two resolvers – allows for more detailed policies.

If a user in a realm exists in more than one resolver, privacyIDEA uses the resolvers priorities to determine the resolver should be used to identify the user for authentication. All policies would be checked against this user in this resolver.

With privacyIDEA 2.17 it is now possible to tell the policy framework, that also policies should be checked, if the user matches another resolver than this primary one. This way a user in the main resolver could authenticate, but a secondary resolver could be used to match detailed policies.

We do not expect the everage user to understand this 😉

If you want to dive into this, you may want to read the documentation and then the issue #543.

Changelog for privacyIDEA 2.17


  • Token Handler. Using the token handler the administrator can defined actions in response to events, to modify tokens like deleting, modifying, initilizing… tokens (#532)
  • Script Event Handler or Shell Event Handler allows to trigger an external shell script, if some event occurs. (#536)
  • Add additional endpoint to trigger a challenge response like the sending of an SMS, if the token PIN is not available (#531)
  • Policy Handling to also check for secondary resolvers of a user. This way a user can authenticate with his primary resolver but policy will also work for secondary resolvers (#543)


  • The event handler conditions also determine a serial number even if there is no serial number in the request:
    If the user from the request only has one token assigned. (#571)
  • Allow event definitions to be disabled (#537)
  • Allow event to be addressed by a destinct name (#522)
  • Improving LDAP performace by addressing different functionality of ldap3 version 1.x and 2.x. (#549)
  • Improve SQL Audit by adding the SQL Audit table to the schema. Table is not created during HTTP request. (#557)
  • Limit audit log entry age. Users may only view audit log entries up to a certain age. (#541)
  • Add checkbox to only display used actions in a policy (#573)
  • In event handler: Use serial number of a user’s token if the user has only one token (#571)
  • Download a filtered audit log (#539)


  • Add missing token serial number to audit log if token is deleted (#546)
  • Fix event handler saving (#551)
  • HttpSMSProvider accepts status codes 201 and 202 in addition to 200 (#562)
  • Fix checkbox bug in NOREFERRALS of LDAP resolver (#563)
  • Add documentation for SMS provider (#566)
  • Remove 301 redirects from WebUI (#576)

privacyIDEA Enterprise Edition

privacyIDEA Enterprise Edition by NetKnights
privacyIDEA Enterprise Edition by NetKnights

If you need enterprise level support and dedicated service level agreements drop by at NetKnights.