privacyIDEA with Nitrokey support

privacyIDEA adds Nitrokey OTP support in release 2.15

The open hardware physical authentication device: Nitrokey (source:

Today we released privacyIDEA 2.15. In this release the privacyIDEA command line client supports the initialization and enrollment of the Nitrokey. The Nitrokey is an open USB device that acts as an authentication device and password safe. It can hold your PGP keys but also provides several OTP slots. privacyIDEA can now initialize these OTP slots, so that you can use your own key material and use the Nitrokey as an open and trusted authenticator. This way you get the maximum trust and transparency by running open source software, using open and standardized algorithms and open hardware.

Arbitrary User Attributes and Client Overview

With privacyIDEA 2.15 the administrator now can edit arbitrary user attributes. These user attributes can be included in the authentication response and the new privacyIDEA FreeRADIUS plugin can map these user attributes to any RADIUS response attribute.

In the Web UI the administrator now also gets an overview of all authenticating clients. This may help him to keep track of the connected applications.


You can download privacyIDEA via GitHub, the Python Package Index or the Ubuntu Launchpad repository. privacyIDEA is also available as privacyIDEA Enterprise Edition from NetKnights, providing additional downloads for CentOS or the Univention Corporate Server.


  • Client Overview. Display the type of the requesting authenticating clients (#489)
  • Support for NitroKey OTP mode (admin client)


  • You can edit arbitrary user attributes in privacyIDEA.
  • Such user attributes can be mapped to any RADIUS attribute.
  • Performance enhancements using Caching singletons for Config, Realm, Resolver and Policies
  • Allow configuration of the registration email text (#494)
  • Return SAML attributes only in case of successful authentication (#500)
  • Policy “reset_all_user_tokens” allows resetting all failcounters on successful authentication (#471)
  • Client rewrite mapping also checks for X-Forwarded-For (#395, #495)


  • Fixing RemoteUser fails to display WebUI (#499)
  • String comparison in HOSTS resolver (#484)
