We are happy to announce, that today the first major release of the new privacyIDEA 3 series was pushed to the repositories. It is available via the Python Package Index and on the Ubuntu repositories for Ubuntu 16.04LTS and 18.04LTS.

With privacyIDEA 3.1 the administrator can configure policies that will only be bound to users with certain user attributes. This way the admin can define different policies for users in the same user resolver.

Migration from proprietary 2FA solutions gets even simpler with automatic token assignment and PIN setting.

Even more flexible policies

The administrator can now define policies based on any arbitrary attributes. To do so, privacyIDEA can provide different attribute modules for the policy conditions. This version of privacyIDEA comes with a user-attribute module. Up to the latest version policies could only be assigned to a complete user resolver. This was difficult, when rights of users changed and only some users from a certain user resolver should get new policies in privacyIDEA.

Now the administrator can set an attribute e.g. in the LDAP dirctory of a user, and as soon as this is set the policy will be automatically bound to this user. This provides a bigger flexibility with handling access rights or in migration or enrollment scenarios.

We also added new policy actions for administrators. Administrators now can get a special read right on any configuration setting. This way the super user can define, which administrator is allowed to read certain configuration or which configuration should be hidden from which help desk user. The migration script, which runs automatically in the ubuntu package update will create new migration policies so that the current behaviour of the installation does not change after the update.

We did a lot of work on policies in this release – we called in polishing policies.

Migration of proprietary 2FA solutions

Again we improved the possibility to migrate from existing, proprietary 2FA solutions. Proprietary software goes end of life and sometimes leaves the user with a mess. Cornelius wrote a blog article about that problem.

The administrator can import an existing seed file from the old system. privacyIDEA then basically knows the old tokens. On authentication request privacyIDEA can automatically find out, which token belongs to which user. In addition it will set the old OTP PIN of the tokens. This way neither the user nor the administrator have anything to do to migrate to privacyIDEA.

This is possible since privacyIDEA will at first forward the authentication request to the old system. If authentication is successful privacyIDEA will use the used OTP value to identify the token for the user and it will use the rest of the passed credential to automatically set the OTP PIN.

Many enhancements

Further work was done on the TiQR-Token in privacyIDEA. This is an older concept where a challenge is passed to the user’s smartphone via a QR code, which is displayed during the login process. The user simply accepts the login request on his smartphone.

In addition with privacyIDEA 3.1 there come a lot of minor enhancements and bug fixes.

The complete changelog can be found at Github. privacyIDEA will be at the ownCloud conference in Nuremberg in September. Stop by and get safe!

You should always take a look at the Changelog, but starting with privacyIDEA we added a document READ_BEFORE_UPDATE, which contains important information to consider before upgrade.

New Features: RADIUS integration, VASCO support, Offline Refill and more

With privacyIDEA 2.22 we added the possibility to pass more useful userinformation to a RADIUS client like a VPN. The administrator can add a policy to include the resolver and the realm of a user who authenticated successfully. This response data can then be used in the FreeRADIUS plugin and modified by regular expressions to add any arbitrary RADIUS attribute in the RADIUS response, which then would be sent to the VPN. This additional information can be used by Cisco ASA, Citrix Netscaler or any other enterprise grade VPN to put the user into certain subnets or to assign resource to the user.

VASCO token support

privacyIDEA is Open Source. We love Open Source and open standards. But sometimes you have to communicate with proprietary partners, so that they have the chance to become open. This is why privacyIDEA 2.22 comes with support for the proprietary VASCO Digipass tokens. This way it is easier to run VASCO tokens and open standards tokens like HOTP, TOTP or Yuibkeys in parallel and maybe even one day migrate all VASCO tokens – after the batteries have died – to other devices.

If you want to learn more about migrating your VASCO tokens, please contact NetKnights for professional sevices.

Offline Refill

We are improving the offline capability of privacyIDEA in conjunction with the PAM module and the privacyIDEA Credential Provider. The new offline refill will allow to automatically refill the hashed OTP values on the notebooks, which are available for authentication, if the notebook is offline. This way users or administrators will not have to worry anymore when taking the hardware on a business trip.

Send SMS via SMPP

SMPP (Short Message Peer-to-Peer) is a protocol used by carriers for sending SMS. privacyIDEA 2.22 comes with a new SMS Provider to send SMS via SMPP. This can be used for sending SMS in the SMS token during authentication but also for sending SMS in the notification event handler, to notify users or administrators on certain events.

Use Counter handler for monitoring and statistics

We often see, that the event handler is a mighty tool to cope with many different requirements. In addition to the notification handler, token handler, script handler and federation handler privacyIDEA 2.22 now comes with a simply but very flexible counter handler. Just like every handler it can be attached to any event (API call) and will trigger under defined conditions. The counter handler simply increses a counter in the database for this very event.

These counters can now be used for statistics or monitoring, e.g. when increasing a certain counter on the event failed authentication with HOTP token. This way the administrator could monitor the number of failed authentications per time interval.

Each token has a tokenkind

Many installations use hardware tokens and software tokens at the same time. To be more flexible in distinguishing these tokens when it comes to deleting tokens or deciding giving access, we added an additional class attribute to tokens. The “tokenkind”. In contrast to the tokentype, which is simply the mathematics of the token, the tokenkind defines if this very token object is  hardware token, a software token or a virtual token.

Use arbitrary tokeninfo in authorization policies

Authorization policies are used to decide if an authenticated user should get access or not. As the arbitrary tokeninfo fields are getting used more in more in event handler definitions, the tokeninfo can now also be used in the authorization policies to grant or deny access.

This way event handlers could modify token information and this modified token information can be used for granting access. Event handling and authorization thus get connected more tightly.

Lots of enhancements

There are further enhancements of existing features in privacyIDEA. We improved the token export the PSKC files – we will also export PW token types and the counter values of HOTP and TOTP tokens. The export can now also be used to reencrypt a token database.

The SMS and Email token types can now either use the fixed mobile number or email address in the token data or read the mobile/email dynamically from the user store on each authentication event.

The administrator can define a policy so that the validity of the U2F attestation certificate will be ignored. Some U2F devices come with a attestation certificate with an invalid validity period.

We improved the speed of the LinOTP migration script, so that a database with tens of thousands of tokens can be easily migrated.

The pi-manage script can now generate API tokens with a freely chosen validity time.

The user can now set the description of HOTP and TOTP tokens during enrollment.

The administrator can add a timeout to the SMTP server configuration.

The email tokens can now use a complex html template for sending emails.

The LDAP resolver allows to define each attribute as a multivalue attribute.

The event handler condition can trigger on failed authentication.

For the complete changelog with also contains all the fixes, please take a look a the Github repository.

Enterprise Edition

If you are running large mission critical setups, privacyIDEA is also available as Enterprise Edition with support and warranty/liability.

privacyIDEA at Grazer Linuxtage and Linuxfest Northwest

At the end of April you can hear a talk about privacyIDEA in Austria at the Grazer Linuxtage. You will learn, how you can easily migrate an old, existing, proprietary 2FA system to privacyIDEA. Project member Friedrich Weber will also host a workshop at the Grazer Linuxtage, where you can participate in installing privacyIDEA and configuring to your needs.

At the same time Cornelius Kölbel will give a talk in Bellingham Technical Colleage, U.S.A. At the LinuxFest NorthWest 2018 you can learn about what makes privacyIDEA so unique in regards to workflow integrations using the privacyIDEA Event Handler system automating a lot of individual tasks.

Join the discussion

Join the discussion a community.privacyidea.org.

This will be things like:

• Event handler to trigger certain actions depending on events
• Improved certificate support
• Editable user resolvers – even in LDAP
• Improvements in the WebUI and policies
• Easy Migration with RADIUS passthru policy

Tübix is a Linux event in the south of Germany, so the talk will be in German. But much time to discuss things, also in the evening utilizing a cold beer.

Updating an Ubuntu installation from launchpad works out of the box. When updating a pip installation, please note that a new database table was added.

OTP system migration

privacyIDEA now helps you to migrate an old 3rd party installation to privacyIDEA. To do so the new RADIUS passthru policy was added. privacyIDEA can pass all authentication requests for users without a token to the defined RADIUS server. This way you can migrate tokens smoothly and run your old system and your new privacyIDEA side by side until you have removed all old tokens or moved all users and tokens to privacyIDEA.

LDAP Improvements

The LDAP received some nice improvements. It can now handle special characters like é and ß in the username and the password reliably. With Active Directory in Windows 2012 you can now use the objectGUID as the UID in the LDAP resolver.

We now use paged searched when retrieving user lists. This way you can get really all users in the LDAP directory.

Changelog

You can find a complete changelog at github.

So go an visit the github repo.

Check out privacyIDEA 2.0(dev) like this:

git clone https://github.com/privacyidea/privacyidea.git
cd privacyidea
virtualenv venv
source venv/bin/activate
pip install -r requirements.txt
./manage.py createdb
./manage.py addadmin admin@localhost admin
./manage.py runserver

If you want to run tests do:

nosetests -v --with-coverage --cover-package=privacyidea --cover-html

You may also just watch this video:

Watch this video on YouTube.

today I pushed the first draft of the new privacyIDEA to github. See the branch called “version2”.

You may run 252 tests with ~1500 asserts to gain a code coverage of the server backend of 97% – well, you might remember my retweet about code coverage

Anyway – the code is supposed to be testable at all levels. The lowest level being the database, then the libraries, then the REST API. I think it works quite well. Each module denotes, in which test script it is tested. Each test script tells you, which module it tests.

The readme tells you how to get started with the tests in your virtual environment.

Now to the UI part.

The UI part is now based on angularJS which calls the redesigned REST API. You can run the server like

./manage runserver

to checkout the Web UI.

Some first impressions. A intensive linking between all logically connected object should ease the handling and provide all information.

The angular ui-router is used to switch between the UI states.

Tokenlist

The tokenlist links to the token details and the user details of the user, the token is assigned to.

Token details

The tokendetails provide all information about a token and you can perform all actions on this token.

Users can be assigned to the token. The user is searched while you are typing and trying to remember his name.

You can even check the authentication with such a token. If a user is assigned, you can immediatly switch to the user details view.

User details

In the user details you can see the complete list of the users tokens, enroll a new token for the user or assign an existing token. While you are typing the serial number, the system takes care of finding the right, unassigned token. So if you only remember that the token was a TOTP token, you can start typing T… O… T… P…

Fun.

Contribute

You are welcome to comment on 2.0 and do pull request!

Cornelius