Today we released the ownCloud App version 2.5.1. This plugin connects ownCloud to privacyIDEA adding enterprise 2FA to your ownCloud.

privacyIDEA supports a lot of different token types to provide 2FA for the user. This can be keyfob tokens or Smartphone Apps but also authentication mechanisms that work with a challenge/response workflow like Email, SMS or U2F.

The version 2.5.1 of the privacyIDEA ownCloud app improves the challenge/response authentication when logging in to ownCloud. A user can now have several different challenge/response tokens, an Email, an SMS and/or a U2F device. The privacyIDEA ownCloud app will handle this correctly and allow the user to either authenticate with the code from an SMS or with his U2F device.

A complete changelog can be found here at Github.

The privacyIDEA ownCloud app is also available via the ownCloud Marketplace.

Challenge Response

The response of the administrative triggerchallenge call is now consistent with a user triggered challenge. This makes it easier for plugins to handle triggered challenges and also allow multiple challenges at a time. E.g. in the ownCloud or simpleSAMLphp plugin the user would now be able to have several challenge response tokens at the same time and login with either of them.

IE and LDAP

The Internet Explorer sometimes does not provide a usual expected-language header. So even if it looks like the IE would expect a German web site, the privacyIDEA web UI would still be displayed in English. This issue was fixed.

Last but not least, a minor change in the event handler code now avoids an additional LDAP request to the LDAP server, thus speeding up the responses and decreasing the load on the LDAP server.

A complete changelog can be found here.

Update

privacyIDEA can be updated from the usual sources like the launchpad repository or the Python package index.

The new release 2.5 of the privacyIDEA ownCloud app allows the administrator to define which client should require 2FA and which is ok with only a password. This is based on the IP address of the clients.

This way e.g. users would not need a second factor when accessing ownCloud from the LAN, while they would need to provide a second factor when they want to access their critical data over the internet.

The privacyIDEA ownCloud App is available from the ownCloud Marketplace and via Github.

I will give a talk about the privacyIDEA ownCloud App at FOSDEM this sunday.

Visitors will be able to talk to the core developer team of privacyIDEA and see the new features of the upcoming release 2.23, including Monitoring and Statistics and Pre-Event Handler. Once again these implementations will prove, that privacyIDEA is the most flexible two factor authentication system. The administrator can define freely which kind of values or event he wants to monitor. The pre-event handling opens unforeseen possibilties to design workflows like automagically enrolling Email tokens to the user just upon authentication.

Come and gape! The privacyIDEA booth is in the Mensa next to the ownCloud booth. And as privacyIDEA also integrates well with ownCloud, there will also be a workshop on integrating enterprise ready 2FA with the open file sharing solution on Sunday.

Kenneth Cummings gave a talk at the ownCloud Conference 2017 how to combine different components to setup such a 2FA reverse proxy.

Watch this video on YouTube.

If you can not attend or if you want to try this at home afterwards, here is what we will do!

Setup

10.0.2.201 ucs.tuebix.intranet (LDAP) Univention Corporate Server 4.2
10.0.2.202 privacyidea.tuebix.intranet, Ubuntu 16.04 LTS
10.0.2.203 wordpress.tuebix.intranet, Ubuntu 16.04 LTS with latest wordpress
10.0.2.204 owncloud.tuebix.intranet, Ubuntu 16.04 LTS with ownCloud 10

LDAP

BaseDN: cn=users,dc=tuebix,dc=intranet

The UCS has the following users:

• admininistrator
• user1
• user2
• user3

ownCloud

ownCloud is connected via LDAP, so the LDAP users can connect to ownCloud.

The ownCloud Administrator is called: admin

WordPress

WordPress only has internal users. Nevertheless the user are also called:

• administrator
• user1
• user2
• user3

What we will do – our Agenda

• We will install privacyIDEA and connect privacyIDEA to the UCS, so that privacyIDEA knows the users from the LDAP directory
• Then we will enroll different kind of tokens to the users.
  • The administrator can enroll a token for the users but
  • users can also login to the webui with their LDAP password an enroll a token for themselves.
• Then we start connecting applications to privacyIDEA to add 2FA to the applications
  • WordPress with “strong authentication” plugin
  • ownCloud with the “privacyIDEA ownCloud App” from the market place
  • SSH login with 2FA for users user1, user2, user3

privacyIDEA

Install

privacyIDEA can be installed in many different ways on different Linux distributions. We will install privacyIDEA on our Ubuntu 16.04 machine 10.0.2.202.

As root:

add-apt-repository ppa:privacyidea/privacyidea

apt update

apt install privacyidea-apache2

privacyidea-apache2 is a meta package which will install MySQL, Apache and set up privacyIDEA. Finally we only need to create the first token administrator.

pi-manage add admin super

Now we have an administrator called “super”

Configure

privacyIDEA can be configured via command line, API or the web UI.

https://10.0.2.202

We need to configure the Resolver tuebix_users as Active Directory. For this we need to fetch the certificate of the UCS server.

• LDAP Resolver to ldaps://ucs.tuebix.intranet
• Base DN cn=users,dc=tuebix,dc=intranet
• Bind DN cn=administrator,cn=users,dc=tuebix,dc=intranet
• Preset AD

And a Realm tuebix with the resolver tuebix_users.

We can also take a look at the policies and configure a policy to use otppin=userstore.

Enroll tokens

Enroll tokens as administrator and as normal user…

• Enroll Smartphone App
• Yubikey
• U2F Token
• Feitian C200 (import File Feitian.csv)

ownCloud with 2FA

For ownCloud X we login as administrator and install the “privacyIDEA ownCloud App” from the Marketplace.

We need to configure the App against privacyIDEA:

• https://privacyidea.tuebix.intranet
• no realm
• no ssl check

Note: The privacyIDEA ownCloud App will authenticate all users with a 2nd factor!

After this, users need to present a 2nd factor against privacyIDEA when they log in.

WordPress with 2FA

Install the “strong authentication” plugin.

We need to configure the Plugin against privacyIDEA:

• https://privacyidea.tuebix.intranet…

Note: Users need to enter both factors in the password field at the same time.

The WordPress plugin authenticates users only against privacyIDEA; while with ownCloud users are authenticated by ownCloud and by privacyIDEA.

SSH with 2FA

On either owncloud machine or wordpress machine we install the privacyIDEA PAM module:

add-apt-repository ppa:privacyidea/privacyidea

apt update

apt install privacyidea-pam

…and configure it accordingly against https://privacyidea.tuebix.intranet.

Note: Users need to match!

privacyIDEA LDAP Proxy

Bonus!

The new version is available via launchpad and pypi.

privacyIDEA the event juggler

privacyIDEA can handle events. It all started with a simple notification, but now privacyIDEA can juggle actions and events like a pro. In privacyIDEA there are two new event handler modules, which will help you to automate your processes a lot. If you can think of more, drop an issue at github!

Token Event Handler

As a reaction to typical events the administrator can define new actions on the corresponding token. These actions can be “set tokenrealm”, “delete”, “unassign”, “disable”, “enable”, “enroll”, “set description”, “set validity”. You could e.g. disable all newly enrolled tokens, so that first the user has somehow to confirm the reception of his device and then enable the token again. Or you could set the validity period based on the number of failed authentication requests.

I am sure, this will also help to streamline and automate your processes! See the documentation of the Token Event Handler.

Script Event Handler

The Script Event Handler Module is a monster, which limits we can not know at the moment. Yes, you can run external scripts in case of any events. The scripts have to be located in the privacyIDEA script directory and they can take several parameters like the token serial number or the username. This way you can create processes and actions outside of privacyIDEA and that have no limits. The documentation contains a full list of parameters and the location of the the script directory.

Improved Challenge Response with SMS

In case of Challenge Response privacyIDEA requires the user to authenticate with his OTP PIN. Then privacyIDEA will send the SMS or the Email. In certain cases this does not work well. So with privacyIDEA 2.17 the REST API was enhanced, that an SMS can also be sent without the users PIN but with an administrators interaction. This API will be used with the privacyIDEA ownCloud App. This way privacyIDEA and ownCloud or Nextcloud can also be used with SMS or Email Tokens.

Enhanced Resolver logic in policies

If a user in a realm exists in more than one resolver, privacyIDEA uses the resolvers priorities to determine the resolver should be used to identify the user for authentication. All policies would be checked against this user in this resolver.

With privacyIDEA 2.17 it is now possible to tell the policy framework, that also policies should be checked, if the user matches another resolver than this primary one. This way a user in the main resolver could authenticate, but a secondary resolver could be used to match detailed policies.

We do not expect the everage user to understand this

If you want to dive into this, you may want to read the documentation and then the issue #543.

Changelog for privacyIDEA 2.17

Features

• Token Handler. Using the token handler the administrator can defined actions in response to events, to modify tokens like deleting, modifying, initilizing… tokens (#532)
• Script Event Handler or Shell Event Handler allows to trigger an external shell script, if some event occurs. (#536)
• Add additional endpoint to trigger a challenge response like the sending of an SMS, if the token PIN is not available (#531)
• Policy Handling to also check for secondary resolvers of a user. This way a user can authenticate with his primary resolver but policy will also work for secondary resolvers (#543)

Enhancements

• The event handler conditions also determine a serial number even if there is no serial number in the request:
  If the user from the request only has one token assigned. (#571)
• Allow event definitions to be disabled (#537)
• Allow event to be addressed by a destinct name (#522)
• Improving LDAP performace by addressing different functionality of ldap3 version 1.x and 2.x. (#549)
• Improve SQL Audit by adding the SQL Audit table to the schema. Table is not created during HTTP request. (#557)
• Limit audit log entry age. Users may only view audit log entries up to a certain age. (#541)
• Add checkbox to only display used actions in a policy (#573)
• In event handler: Use serial number of a user’s token if the user has only one token (#571)
• Download a filtered audit log (#539)

Fixes

• Add missing token serial number to audit log if token is deleted (#546)
• Fix event handler saving (#551)
• HttpSMSProvider accepts status codes 201 and 202 in addition to 200 (#562)
• Fix checkbox bug in NOREFERRALS of LDAP resolver (#563)
• Add documentation for SMS provider (#566)
• Remove 301 redirects from WebUI (#576)

privacyIDEA Enterprise Edition

If you need enterprise level support and dedicated service level agreements drop by at NetKnights.

Since the 2nd factors can be managed within privacyIDEA, these can also be used throughout the complete network or your whole company.

privacyIDEA supports a whole lot more authentication devices in addition to TOTP.

Although the problem is still, that authentication can not be completely passed to the external authentication system. The user has to provide his ownCloud password first and then will be redirected to a 2nd-Factor-App.

Cornelius is talking about the development of such an app in the new framework and what needs to be done. Finally the privacyIDEA App emerged, which at the moment is only available via NetKnights. This App forwards the credentials of the second factor (usually a one time password) to the privacyIDEA backend.

See you in Berlin!

Watch this video on YouTube.

To do openess and transparancy the honour I would like to elaborate on what has happened.

The empire strikes back

The subdirectory authmodules in the privacyIDEA github repository contained a module for ownCloud. In ownCloud speak an “app”. This tried to support ownCloud 8. It failed with ownCloud 9. This was due to the fact, that ownCloud <= 9 had no concept or API for attaching two factor authentication system. It even had no concept of passing authentication to another module. It only allowed to change the complete user module. I.e. authentication, user existance and authorization was not separated like you would be used to e.g. from PAM. And this is why providing a module for two factor authentication for ownCloud 8 and 9 was the biggest pain in the ass I ever experienced.

Now several simple users came around and popped up on the mailing list or at github. I call them simple, because they were not able to look behind the scenes, analyze problems, look at a line of code or even add a line of code. I experienced several occasions when such users complained about, that the old privacyIDEA “app” for 8 and 9 was not working as they expected.

Finally I got really sick of those users with this simple cosuming attitude. I got sick of claiming having a two factor solution for an application, which did not provide a decently designed and documented authentication interface. And this is why I happily deleted the old ownCloud plugin from the privacyIDEA github repository.

A new hope

Finally, ownCloud 9.1 was said to come with a new authentication API – which unfortunately again was designed without asking someone, who knows some things about two factors — like me! Big mistake! Nevertheless – I decided to give it a second chance. Thanks to the help of Christoph Wurst and Thomas Müller I was able to implement a new privacyIDEA ownCloud app for ownCloud 9.1.

As I am still very disappointed in any kind of “community” regarding the old ownCloud app (for privacyIDEA itself it is a complete other picture!!!), the privacyIDEA ownCloud App for 9.1 is not publically available, yet. I don’t want to hear any comsumers complaining about things they don’t understand or are not willing to dive into! But this is no problem. ownCloud users with a handful of accounts can happily use the TOTP app which probably willl run very well for them.

These words might sound hard to some of you. But you may appreciate that they are the real truth of mine!

The return of the Jedi

Power users or companies with many users have different requirements. They will also do two factor authentication a the firewall, at portals, terminal servers or the VPN. In this case it makes no sense to manage TOTP tokens within ownCloud. Because these tokens can not be used for the VPN. Other tokens would again have to be managed for the VPN somewhere else… And for the terminal servers…

Enterprise environments require to manage the tokens of the users at one central place. All users, for all applications. In this case privacyIDEA and the privacyIDEA ownCloud app make absolute sense. Customers should contact NetKnights GmbH, because this is the place where they will receive the privacyIDEA ownCloud App!

Kind regards

Cornelius