privacyIDEA 2.4 released – OTP for Hosted Environments

Hooray. We released privacyIDEA 2.4 quite a while ahead of the original release plan. Things went well and smoothly.

I already wrote about two interesting new features in privacyIDEA 2.4 – the User Management and Admin Realms.

Interesting: User Management eases the setup of smaller installations, since you no longer need to manage users in one system (like a central LDAP or SQL database) and the tokens in another. So if you have a really simple VPN setup, you can manage users and tokens from within privacyIDEA, if you like to. Administrative Realms, on the other hand, help you handle really large installations. You can define realms that are meant to be special help desk groups or super user groups, without enumerating each and every administrator. In scenarios where you have a central user repository and token administrators are not allowed to manage users, this helps to keep lean policies and easy user management (where it belongs). You could add new help desk users simply by adding the user to the LDAP group.

A complete change log is available on GitHub.

Image: keys by stevebidmead @pixabay

Another interesting new feature is API keys. API keys can be used to protect the validation endpoint. In a hosted environment this protects the validation endpoint against a denial of service attack in which fake authentication requests are issued for a user until the token runs into the maximum fail counter. You can define policies to require an API key depending on the user's realm or the client's IP address. Combined with the User Management, this improves privacyIDEA significantly for hosted environments.

privacyIDEA 2.4 lets you load your token data from PSKC seed files. The Portable Symmetric Key Container (PSKC) is defined in RFC 6030 and is adopted by the OpenAuthentication Initiative for seed deployment. So if you choose to use pre-seeded hardware tokens, you can ask the vendor to deliver the secret keys in a PSKC file. Anyway – I would recommend using seedable tokens whenever possible.
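As an added example (not privacyIDEA's own PSKC importer), here is a minimal parser for the plaintext PSKC structure from RFC 6030 that pulls serial, algorithm, seed, digits and counter out of each KeyPackage, refuses encrypted seeds it cannot handle, and computes the first HOTP value so an imported seed can be checked against the vendor's test vector before the token is enrolled. The sample document is constructed; the seed in it is the public RFC 4226 test key.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

NS = {"pskc": "urn:ietf:params:xml:ns:keyprov:pskc"}
# Constructed sample modelled on the plaintext example in RFC 6030; the seed is
# the public RFC 4226 HOTP test key ("12345678901234567890"), not a real secret.
SAMPLE_PSKC = """<KeyContainer Version="1.0" xmlns="urn:ietf:params:xml:ns:keyprov:pskc">
  <KeyPackage>
    <DeviceInfo><Manufacturer>ExampleVendor</Manufacturer><SerialNo>987654321</SerialNo></DeviceInfo>
    <Key Id="12345678" Algorithm="urn:ietf:params:xml:ns:keyprov:pskc:hotp">
      <AlgorithmParameters><ResponseFormat Length="6" Encoding="DECIMAL"/></AlgorithmParameters>
      <Data>
        <Secret><PlainValue>MTIzNDU2Nzg5MDEyMzQ1Njc4OTA=</PlainValue></Secret>
        <Counter><PlainValue>0</PlainValue></Counter>
      </Data>
    </Key>
  </KeyPackage>
</KeyContainer>"""


def parse_pskc(xml_text):
    """One dict per <KeyPackage>: serial, type, otpkey (hex), digits, counter.
    Only plaintext seeds are handled; an encrypted seed raises instead of being imported."""
    tokens = []
    for pkg in ET.fromstring(xml_text).findall("pskc:KeyPackage", NS):
        key = pkg.find("pskc:Key", NS)
        plain = key.find("pskc:Data/pskc:Secret/pskc:PlainValue", NS)
        if plain is None:
            raise ValueError("encrypted PSKC seed: not supported by this example")
        fmt = key.find("pskc:AlgorithmParameters/pskc:ResponseFormat", NS)
        counter = key.findtext("pskc:Data/pskc:Counter/pskc:PlainValue", "0", NS)
        tokens.append({
            "serial": pkg.findtext("pskc:DeviceInfo/pskc:SerialNo", namespaces=NS),
            "type": key.get("Algorithm", "").rsplit(":", 1)[-1],  # "hotp" or "totp"
            "otpkey": base64.b64decode(plain.text.strip()).hex(),
            "digits": int(fmt.get("Length", "6")) if fmt is not None else 6,
            "counter": int(counter),
        })
    return tokens


def hotp(otpkey_hex, counter, digits=6):
    """RFC 4226 HOTP, to check an imported seed against the vendor's expected first OTP."""
    mac = hmac.new(bytes.fromhex(otpkey_hex), counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)
```

If the vendor ships a PSKC file with EncryptedValue elements, the seeds need the agreed transport key first; this parser deliberately stops there rather than enrolling tokens that can never validate.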

We improved the logging and added the possibility to define a logging configuration file. This way you can, for example, define that errors are logged to email addresses, so the administrator or the monitoring system gets a notification on critical events.

In privacyIDEA 2.3 the registration token was introduced. This token can be used to ease enrollment processes when doing mass enrollment for widespread users. With this release the registration token can also be enrolled from the WebUI.

Some more minor improvements were added to the WebUI: only a limited list of token types is shown during token enrollment, the token seed can be displayed after enrolling a token, and the WebUI now provides a login_mode policy so that you can disable the login for users from certain realms.

privacyIDEA can be downloaded and installed in the usual ways. Users running privacyIDEA on Ubuntu 14.04 can update easily. See the documentation for install scenarios.