We are proud to present you privacyIDEA 3.6. Administrators and Users can manage custom user attributes. These additional attributes can overwrite and enrich the existing user attributes, which privacyIDEA reads from the user stores. This way the token administrator in privacyIDEA has additional possibilities to manage the users and to manage the user rights. These user attributes can be used within privacyIDEA policies. In addition policies can now also contain any token attribute like tokentype or fail counter. These attributes and policy conditions help administrators to keep control in larger setups by logically grouping users and tokens.

Policies with Custom User Attributes and Token Attributes

privacyIDEA is no Identity Management. Users are usually managed in an IdM, or only in LDAP or Active Directory. Nevertheless it can be important to add attributes to users – in case the token administrator has no access rights to the IdM or user directory. The administrator can now do so in privacyIDEA 3.6 using custom user attributes. The administrator can even allow users to manage their own attributes. This way the user can e.g. update his mobile number himself, without the need to contact the help desk or the administrator.

Based on these user attributes the administrator can now define policies and thus the access rights can be tuned in more detail.

In addition policies can now have conditions on each and every token attribute like description, serial, tokentype, otp length, maximum failcounter, failcounter, active state and more.

This way the administrator could allow helpdesk users to only delete tokens, that have previously been disabled by the user himself. Possibilities are endless.

Simple PUSH Token

Starting with privacyIDEA 3.0 we introduced the PUSH token. If everything works out fine, the PUSH token can work like a charm. But setting it up is quite complicated. Also the Push services by Google and Apple actually do not work that reliably. With privacyIDEA 3.6 the administrator can now configure the PUSH token to only work in a polling method. In this scenario no external 3rd party service is needed and the user’s smartphone only communicates with the privacyIDEA server.

By giving up some comfort such a setup can gain stability and improve the privacy aspect.

Token Rollover

The administrator can now configure a WebUI policy to allow users to roll over their tokens. This means that the key material is generated anew and the user can enroll the token again, e.g. by scanning a new QR code. This comes in handy, if the user is only allowed to have one token, but wants to move his token to a new smartphone or if the company decides to increase the key size of the tokens.

Enhancements

Besides these main features there are a lot of enhancements. The administrator can use pi-manage to export and import the system configuration. This can be used to move configuration from testing environments to productive environments. You can have different PIN policies for different tokentypes.

In pi.cfg the system administrator can define a custom entry point for the WebUI. This way you can create your complete own WebUI without changing anything in the code.

The token janitor received several improvements. It can export arbitrary user attributes, the seed can either be exported in hex or base32 to increase the interoperability with other MFA systems. The token export can now also contain the user assignment. This way tokens can easily be transferred between different privacyIDEA installations.

You can find the complete Changelog at Github.

Availability

You can download privacyIDEA 3.6 from Github or install it from the Python Package Index. For easy deployment you can use the community repositories for Ubuntu 16.04, 18.04 and 20.04. You can find the installation guidline in the online documentation. If you are updating, it is crucial to read the READ_BEFORE_UPDATE, which contains important information about LDAP resolvers and TLS.

If you want to get involved, be sure to drop by at the community forum. You can also take a look at Weblate, were the community can translate to different languages. We are grateful for the community effort to be able to ship translations in Dutch and French!

For mission critical scenarios the company NetKnights provides an Enterprise Edition with Support.

Today we put privacyIDEA 3.5 under your Christmas tree. Unwrap it and you will find a lot of enhancements. One of the most important features is that version 3.5 does the first step to also support smartcard management. For high security environments we drastically imrpoved the workflow of Four-Eyes-Tokens.

Let’s do this togeather – Four-Eyes-Tokens

Using the Four-Eyes-Tokens the administrator can define how many users from several different groups should come togeather when the account – the holder of the Four-Eyes-Token – wants to authenticate. This way you can define, that this account worthy of protection can only be used if e.g. two IT administrators and one member of the works council come togeather and use their own 2nd factors to authenticate.

The Four-Eyes-Token has been around for a while in privacyIDEA. But now we are using the Multi–Challenge, that was introduced in privacyIDEA 3.4, to heavily improve the workflow and authentication flow. It is totally transparent to our application plugins and the RADIUS protocol, so that it can be used e.g. with Citrix Netscaler.

Do not copy, rather sign! – PIV smartcards with privacyIDEA

Smartcards are interesting devices, that have certain disadvantages in handling but also come with advantages and features, that allow for completely other use cases like offline authentication, decryption or document signing.

privacyIDEA was already capable of enrolling and manageing x509v3 user certificates. As a first step to better support smartcards, privacyIDEA 3.5 now can require that certificate requests are generated on a PIV smartcard. This is done by
using policies to force the presence of an attestation certificate during enrollment. The attestation certificate confirms, that actually the key pair was generated on a smartcard and there is no copy of the private key.

This was successfully done with the Yubikey 5 and a corresponding enrollment tool. We will continue working on imrpoving the privacyIDEAs smartcard capabilities.

Make the admin’s life easier – serveral enhancements

Tokens

The Push token gets a lot of feedback in the community. So we are continuously improving it. User certain conditions a smartphone device can renew its firebase token, that is used to communicate with Google’s firebase push service. The smartphone app can now contact the privacyIDEA server to update this firebase token.

The registration token is a long “registration code”, that can be used to authenticate once during enrollment processes. The admin can now configure a policy to define the length and contents of the registration code.

A Webauthn token should also provide a signature counter, that is used to identify and avoid cloned tokens. However, not all cheap devices implement this. privacyIDEA now also allows to use Webauthn tokens without a signature counter on demand.

Hardware tokens come with a seed file. privacyIDEA can import a lot of different formats, also PSKC which is defined in RFC6030. The import of PSKC files now also verifies the MAC of the token secrets.

The questionnaire token can now ask more than one question during the authentication process.

Event handlers and policies

The policies may now contain additional extened conditions from the tokeninfo attributes. This can be any arbitrary attribute, so that the admin could define policies, that e.g. allow the authentication at certain applications with a hardware token but not with a software token.

The Tokenhandler can choose the SMS Gateway Identifier or the SMTP Identifier when enrolling an SMS or respectively an Email token.

The Tokenhandler can now increase and decrease the fail counter and also set the Maxfail counter.

The Web UI

Several enhancements allow a smoother work experience for administrators and service desk users. The admin can define a policy to hide certain columns in the audit log. This way the service desk users only see this information, which they really need. Also, the audit log contains the start time, the end time and the duration of a request. This way it is easy to filter or search for long running requests to debug authentication problems. In the dashboard the usernames of the users with failed authentications are displayed with a short link to their user details. This helps the service desk to immidiately find failing users and offer quickers support.

The WebUI now supports the PIN change via multi-challenge response.

The conditions for event handlers and actions for policies have been redesigned to make them look the same and easily searchable.

Managing privacyIDEA

In certain setups you might have a testing environment, a staging environment and a production environment. Configuration changes are often first tested in the testing environment and then transferred to the staging and production environment.

The pi-manage script has a new sub command to export and import resolver configuration, that will help in such scenarios.

The full list of features, enhancements and fixes can be found in the Changelog.

Get privacyIDEA

privacyIDEA is an enterprise grade, extremely flexible multi-factor authentication system, that can adapt to your needs and that lets you automate a lot of tasks. Using privacyIDEA will increase your security. Migrating from other mult-factor
systems to privacyIDEA will ease your life. People have done this and dropped many well-known, but old and crusty authentication systems. Take a look at privacyIDEA and join the community.

It is freely available via the Python package index and via community repositories for Ubuntu LTS 16.04, 18.04 and 20.04.

The company NetKnights provides an Enterprise Edition with Service Level Agreements and stable packages for Ubuntu LTS and Red Hat Enterprise Linux/CentOS.

If you want to stay tuned, join the community forum or subscribe the NetKnights’ newsletter.

Today we release privacyIDEA 3.2. Two new event handler modules allow for even more flexible workflows. Integrating with external logging tools like Logstash or Splunk are much easier now using the container audit module and the file audit module. Using Trusted JWTs makes it much more robust to integrate any existing portal with privacyIDEA.

Request and Response Event Handler

The event handlers have been around sind version 2.12. Every version somehow improved the event handler. They allow for a very flexible way to define actions and responses in privacyIDEA. Read a recent post about the script event handler or take a look at the complete list of event handlers.

With version 3.2 the administrator gets two new event handlers – the Request Mangler Handler and the Response Mangler Handler. You notice the word mangle – these handler allow to modify, delete or add any arbitrary REST request parameter or JSON response parameter, given the administrator unseen flexibility to flex the privacyIDEA system to the very specific need!

The Response Handler could be used to delete certain response information, after it is used e.g. by a notification handler. For example the notification handler could read this information to notify the user but then the Response handler would delete this information, so that a help desk user is maybe not able to read a randomly set password in a response. The resulting possibilities are unimaginable.

We are very excited to see how administrators will use these features!

Audit data everywhere

privacyIDEA runs in big environments. Because it integrates so well. privacyIDEA also creates an Audit log (and a log file – for debugging purposes). However, the log file is great, since every HTTP request has its dedicated audit entry.

It should be easier to add the audit data to these locations, where bigger organizations aggregate and keep their Log data. These are systems and services like Logstash or Splunk. As a first step privacyIDEA 3.2 comes with two new audit modules, the File Audit Module, that can write audit information to a plain text/log file and a Container Audit Module, that can combine any number of Audit Modules, so that privacyIDEA can write audit data to all of these modules.

We hope that this is a big leap forward to get your information to the right place!

The trusted JWTs

Did you ever want to have users manage their privacyIDEA tokens in an existing local portal? Or your helpdesk users get privacyIDEA information into the ticket system they are using? With privacyIDEA 3.2 it gets much easier now. The administrator can define trusted JWTs. I.e. he can define trusted public keys and which user this public key can impersonate.

The mentioned portal will simply use its private key to create JWTs, that are then trusted by privacyIDEA. No need to create service accounts, share passwords or other credentials.

The complete changelog

There are a lot of new enhancements, which administrators and helpdesk users will probably like for a daily use. A lot of enhancements, which we needed to provide better and easier service for certain installations.

Besides the event handlers also policies have been improved. The administrator can now use any arbitrary HTTP header in the policy condition. This way policies could be strictly bound to certain http_agents.

To improve the roll out process, the event handlers can match for the roll out state of a token. The notification handler, that was already able to send email or SMS, can now also write files to a spool directory. This way information can be easily passed to 3rd party systems or this data can be processed further like printing PIN letters.

We also did some improvement of the authentication process for the PUSH token so that it is not necessary to require a service account to verify the answered challenges.

The complete changelog can be found at github.

Go and get it

privacyIDEA 3.2 can be installed from source from github, via the Python Package Index or using ready made packages for Ubuntu 16.04 LTS and 18.04 LTS. The builds for Ubuntu are now based on Python 3.

Image by BarbaraALane on Pixabay.