Today we release privacyIDEA 3.2. Two new event handler modules allow for even more flexible workflows. Integrating with external logging tools like Logstash or Splunk are much easier now using the container audit module and the file audit module. Using Trusted JWTs makes it much more robust to integrate any existing portal with privacyIDEA.

Request and Response Event Handler

The event handlers have been around sind version 2.12. Every version somehow improved the event handler. They allow for a very flexible way to define actions and responses in privacyIDEA. Read a recent post about the script event handler or take a look at the complete list of event handlers.

With version 3.2 the administrator gets two new event handlers – the Request Mangler Handler and the Response Mangler Handler. You notice the word mangle – these handler allow to modify, delete or add any arbitrary REST request parameter or JSON response parameter, given the administrator unseen flexibility to flex the privacyIDEA system to the very specific need!

The Response Handler could be used to delete certain response information, after it is used e.g. by a notification handler. For example the notification handler could read this information to notify the user but then the Response handler would delete this information, so that a help desk user is maybe not able to read a randomly set password in a response. The resulting possibilities are unimaginable.

We are very excited to see how administrators will use these features!

Audit data everywhere

privacyIDEA runs in big environments. Because it integrates so well. privacyIDEA also creates an Audit log (and a log file – for debugging purposes). However, the log file is great, since every HTTP request has its dedicated audit entry.

It should be easier to add the audit data to these locations, where bigger organizations aggregate and keep their Log data. These are systems and services like Logstash or Splunk. As a first step privacyIDEA 3.2 comes with two new audit modules, the File Audit Module, that can write audit information to a plain text/log file and a Container Audit Module, that can combine any number of Audit Modules, so that privacyIDEA can write audit data to all of these modules.

We hope that this is a big leap forward to get your information to the right place!

The trusted JWTs

Did you ever want to have users manage their privacyIDEA tokens in an existing local portal? Or your helpdesk users get privacyIDEA information into the ticket system they are using? With privacyIDEA 3.2 it gets much easier now. The administrator can define trusted JWTs. I.e. he can define trusted public keys and which user this public key can impersonate.

The mentioned portal will simply use its private key to create JWTs, that are then trusted by privacyIDEA. No need to create service accounts, share passwords or other credentials.

The complete changelog

There are a lot of new enhancements, which administrators and helpdesk users will probably like for a daily use. A lot of enhancements, which we needed to provide better and easier service for certain installations.

Besides the event handlers also policies have been improved. The administrator can now use any arbitrary HTTP header in the policy condition. This way policies could be strictly bound to certain http_agents.

To improve the roll out process, the event handlers can match for the roll out state of a token. The notification handler, that was already able to send email or SMS, can now also write files to a spool directory. This way information can be easily passed to 3rd party systems or this data can be processed further like printing PIN letters.

We also did some improvement of the authentication process for the PUSH token so that it is not necessary to require a service account to verify the answered challenges.

The complete changelog can be found at github.

Go and get it

privacyIDEA 3.2 can be installed from source from github, via the Python Package Index or using ready made packages for Ubuntu 16.04 LTS and 18.04 LTS. The builds for Ubuntu are now based on Python 3.

Image by BarbaraALane on Pixabay.

Secure Rollout of a smartphone app

The central new feature of privacyIDEA 2.21 is the possibility to enroll a smartphone token in a more secure way. privacyIDEA supported smartphone Apps like the Google Authenticator and FreeOTP right from the start. But you already might be aware of the problems with enrolling smartphone tokens.

This is why we added a 2-step enrollment in privacyIDEA 2.21.

2-Step enrollment in privacyIDEA 2.21

Using privacyIDEA you have now the possibility to enroll a smartphone token in a much securer way. The sensitive secret key is created from a part generated on the server side and a second part generated on the phone side. This way an attacker can no longer easily copy the smartphone token during the enrollment process. You can find a more technical specification of the two step enrollment in the online documentation.

The new privacyIDEA Authenticator App will support this new two step enrollment and is also backward compatible to the normal Google Authenticator enrollment URI. Ask the company NetKnights to be part of the beta testing phase of the privacyIDEA Authenticator App.

Easy administration

Many enhancements will make the daily life easier for the token administrator. The root user can now export an encrypted PSKC file. The data can then be imported to another privacyIDEA instance or to any other RFC6030 complient applicantion. The event handlers were also improved: The Notification handler now has more tags to be used in the body and the Federation handler can forward administrative requests.

Clean-up Audit log

Audit Log can be rotated in a more sophisticated way. The administrator can specify retention times for different log entries.

Better HSM support

Hardware Securtiy Modules can now be used to generate random numbers at many different places within privacyIDEA:

You can view a complete changelog at github.

Enterprise Edition

If you are running large mission critical setups, privacyIDEA is also available as Enterprise Edition with support and warranty/liability.

privacyIDEA going FOSDEM

The privacyIDEA project will be at FOSDEM 2018 on February 3rd and 4th. We have a stand in building H. Please join us there!