privacyIDEA 2.23 – Pre-Event-Handling, Monitoring and Statistics

After roughly five months of development we released the new version of privacyIDEA 2.23. Ideas for features in this release started in the beginning of this year. We wanted to add a flexible and modular way to allow the creation of monitoring and statistics data. We discussed a lot, met in person several times and scribbled down some concepts on the whiteboard.

It was a long way, but finally pieces started to fit together.

We are proud to present to you privacyIDEA version 2.23!

Monitoring and Statistics

To be able to provide a flexible and modular monitoring and to create any arbitrary statistics we created a framework of periodic tasks.

Using specific modules the administrator can define, what should happen in certain time intervals or at certain dates. These modules can collect system information for statistics, but such modules could also do anything else. Currently we provide two modules – the Event Counter and Simple Stats

The Event Counter can be used in conjunction with the Event Handler to record the occurrence of any arbitrary event. The periodic task scheduler will write the number of these events to a time series. The Simple Stats module reads predefined values from the privacyIDEA system (like number of tokens, number of assigned tokens, number of not assigned hardware tokens) and also writes those to a time series.

The administrator can easily use tools like Grafana to view the time span of interest in an expressive graph.


Event Handlers were already added to privacyIDEA in Version 2.12. Using event handlers the administrator can connect any event to new actions like user notification, token management or any arbitrary script. If such an event occurs, the defined action is triggered.

With version 2.23 these actions can now be triggered, before the original event is processed. We distinguish Post-Event-Handling and Pre-Event-Handling. E.g. the administrator can define, that a user, who has no token assigned and tries to authenticate, gets a new token enrolled. And this newly enrolled token will be directly used during this authentication request. The logon experience for the user is totally transparent. There is no additional effort for the administrator.

This way a lot of tasks, which would otherwise be done manually or called by a script, will be executed automatically just at the right moment within privacyIDEA. This way the administrator can cope with unforeseen scenarios and can automate actions accordingly.

Ordered Policies

Policies have been around in privacyIDEA since day One. Policies define the way how privacyIDEA should respond to an API request. Policy definitions can become very complex. Policies also depend on time and the source IP address of the request. So in certain cases policies could overlap and the logic would not be clear, how privacyIDEA should respond.

To solve this problem we introduced a policy order in privacyIDEA 2.23. The administrator can give each policy an order number. This way the administrator can define which policy should come first and should take precedence if something should be unclear.

This can help in bigger, complex setups to make configuring privacyIDEA a lot easier.

Your next steps

We also added a lot more minor features and improved the SQL and HSM performance. For a complete Changelog please take a look at Github. You can install or update privacyIDEA via the Ubuntu Launchpad repositories or via the Python Package Index.

When you update, please see read_before_update.

If you have any questions, please have a look at the community forum.

Start the discussion at