<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Policy &#8211; privacyID3A</title>
	<atom:link href="https://www.privacyidea.org/tag/policy/feed/" rel="self" type="application/rss+xml" />
	<link>https://www.privacyidea.org</link>
	<description>flexible, Open Source Multi Factor Authentication (2FA)</description>
	<lastBuildDate>Wed, 04 Sep 2019 08:25:29 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	<generator>https://wordpress.org/?v=6.9.4</generator>

<image>
	<url>https://www.privacyidea.org/wp-content/uploads/2016/06/cropped-only-logo-white-background-32x32.png</url>
	<title>Policy &#8211; privacyID3A</title>
	<link>https://www.privacyidea.org</link>
	<width>32</width>
	<height>32</height>
</image> 
	<item>
		<title>privacyIDEA 3.1 released</title>
		<link>https://www.privacyidea.org/privacyidea-3-1-polished-policies/</link>
					<comments>https://www.privacyidea.org/privacyidea-3-1-polished-policies/#comments</comments>
		
		<dc:creator><![CDATA[Cornelius Kölbel]]></dc:creator>
		<pubDate>Wed, 04 Sep 2019 04:23:40 +0000</pubDate>
				<category><![CDATA[release]]></category>
		<category><![CDATA[Whatsup]]></category>
		<category><![CDATA[Migration]]></category>
		<category><![CDATA[Policy]]></category>
		<guid isPermaLink="false">https://www.privacyidea.org/?p=1621</guid>

					<description><![CDATA[privacyIDEA 3.1 has the most flexible policies to cope with every login situation. It allows easy migration from any proprietary 2FA system.]]></description>
										<content:encoded><![CDATA[
<figure class="wp-block-image"><img fetchpriority="high" decoding="async" width="1024" height="512" src="https://www.privacyidea.org/wp-content/uploads/2019/09/american-football-referees-1476038_1280-1024x512.jpg" alt="" class="wp-image-1627" srcset="https://www.privacyidea.org/wp-content/uploads/2019/09/american-football-referees-1476038_1280-1024x512.jpg 1024w, https://www.privacyidea.org/wp-content/uploads/2019/09/american-football-referees-1476038_1280-300x150.jpg 300w, https://www.privacyidea.org/wp-content/uploads/2019/09/american-football-referees-1476038_1280-768x384.jpg 768w, https://www.privacyidea.org/wp-content/uploads/2019/09/american-football-referees-1476038_1280.jpg 1280w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption>privacyIDEA knows the rules. And it will have your users follow those.</figcaption></figure>



<p>We are happy to announce that the first major release of the new privacyIDEA 3 series was pushed to the repositories today. It is available via the Python Package Index and in the Ubuntu repositories for <a rel="noreferrer noopener" aria-label="Ubuntu 16.04LTS and 18.04LTS (opens in a new tab)" href="https://privacyidea.readthedocs.io/en/latest/installation/ubuntu.html" target="_blank">Ubuntu 16.04LTS and 18.04LTS</a>.</p>



<p>With privacyIDEA 3.1 the administrator can configure policies that will only be bound to users with certain user attributes. This way the admin can define different policies for users in the same user resolver.</p>



<p>Migration from proprietary 2FA solutions gets even simpler with automatic token assignment and PIN setting.</p>



<h2 class="wp-block-heading">Even more flexible policies</h2>



<p>The administrator can now define policies based on arbitrary attributes. To do so, privacyIDEA can provide different attribute modules for the policy conditions; this version of privacyIDEA ships with a user-attribute module. Up to the previous version, policies could only be assigned to a complete user resolver. This was difficult when the rights of users changed and only some users from a certain user resolver should get new policies in privacyIDEA.</p>



<p>Now the administrator can set an attribute, e.g. in the LDAP directory of a user, and as soon as it is set the policy will automatically be bound to this user. This provides greater flexibility when handling access rights or in migration or enrollment scenarios.</p>



<p>We also added new policy actions for administrators. Administrators can now be granted a special read right on any configuration setting. This way the super user can define which administrator is allowed to read certain configuration, or which configuration should be hidden from which help desk user. The migration script, which runs automatically during the Ubuntu package update, will create new migration policies so that the current behaviour of the installation does not change after the update.</p>



<p>We did a lot of work on policies in this release &#8211; we called it <em>polishing policies</em>.</p>



<h2 class="wp-block-heading">Migration of proprietary 2FA solutions</h2>



<p>Again we improved the possibility to migrate from existing, proprietary 2FA solutions. Proprietary software goes end of life and sometimes leaves the user with a mess. <a rel="noreferrer noopener" aria-label="Cornelius wrote a blog article about that problem (opens in a new tab)" href="https://netknights.it/en/consolidation-of-the-market-and-migrations/" target="_blank">Cornelius wrote a blog article about that problem</a>.</p>



<p>The administrator can import an existing seed file from the old system, so privacyIDEA basically knows the old tokens. On an authentication request, privacyIDEA can automatically find out which token belongs to which user. In addition it will set the old OTP PIN of the tokens. This way neither the user nor the administrator has anything to do to migrate to privacyIDEA.</p>



<p>This is possible since privacyIDEA will at first forward the authentication request to the old system. If authentication is successful, privacyIDEA uses the OTP value from the request to identify the token for the user, and it uses the rest of the passed credential to automatically set the OTP PIN.</p>



<h2 class="wp-block-heading">Many enhancements</h2>



<p>Further work was done on the TiQR-Token in privacyIDEA. This is an older concept where a challenge is passed to the user&#8217;s smartphone via a QR code, which is displayed during the login process. The user simply accepts the login request on his smartphone.</p>



<p>In addition, privacyIDEA 3.1 comes with a lot of minor enhancements and bug fixes.</p>



<p>The complete changelog can be found at <a href="https://github.com/privacyidea/privacyidea/blob/branch-3.1/Changelog">Github</a>. privacyIDEA will be at the <a rel="noreferrer noopener" aria-label="ownCloud conference (opens in a new tab)" href="https://conference.owncloud.org/" target="_blank">ownCloud conference</a> in Nuremberg in September. Stop by and get safe!</p>
]]></content:encoded>
					
					<wfw:commentRss>https://www.privacyidea.org/privacyidea-3-1-polished-policies/feed/</wfw:commentRss>
			<slash:comments>1</slash:comments>
		
		
			</item>
		<item>
		<title>Setting policies via command line</title>
		<link>https://www.privacyidea.org/setting-policies-via-command-line/</link>
		
		<dc:creator><![CDATA[Cornelius Kölbel]]></dc:creator>
		<pubDate>Sun, 02 Dec 2018 12:51:40 +0000</pubDate>
				<category><![CDATA[Howto]]></category>
		<category><![CDATA[pi-manage]]></category>
		<category><![CDATA[Policy]]></category>
		<guid isPermaLink="false">https://www.privacyidea.org/?p=1446</guid>

					<description><![CDATA[privacyIDEA comes with a central tool &#8220;pi-manage&#8221;. pi-manage runs on the local privacyIDEA machine. The interesting thing is, that it operates directly on the database level. So you can use pi-manage, even if your webserver is not running. One important thing is, that you can use pi-manage to manage policies! This way the root user [&#8230;]]]></description>
										<content:encoded><![CDATA[<p>privacyIDEA comes with a central tool &#8220;pi-manage&#8221;. pi-manage runs on the local privacyIDEA machine. The interesting thing is that it operates directly on the database level. So you can use pi-manage even if your webserver is not running.</p>
<p>One important thing is, that you can use <a href="https://privacyidea.readthedocs.io/en/latest/installation/system/pimanage/index.html" target="_blank" rel="noopener">pi-manage</a> to manage <a href="https://privacyidea.readthedocs.io/en/latest/policies/index.html" target="_blank" rel="noopener">policies</a>! This way the root user can for example deactivate policies, if the token admin misconfigured something in the Web UI.</p>
<p>But you can even use pi-manage to set up policies.</p>
<h2>Setting up simple policies</h2>
<p>To view all configured policies run</p>
<pre>pi-manage policy list</pre>
<p>This will give you a list of the policies with their names, and whether they are active or not.</p>
<p>To create a new policy use</p>
<pre>pi-manage policy create &lt;parameters&gt;</pre>
<p>The &#8220;create&#8221; command accepts the positional arguments &#8220;name&#8221;, &#8220;scope&#8221; and &#8220;action&#8221;.</p>
<p>So to create a policy that sets otppin=userstore, so that users authenticate with their LDAP password, you need to run</p>
<pre>pi-manage policy create policyname1 authentication otppin=userstore</pre>
<p>This quickly creates a policy with the name &#8220;policyname1&#8221;. Please note that this does not allow for more complex policies, e.g. with several actions or with user or IP restrictions.</p>
<p>Anyway, this is a quick and easy way to bootstrap your privacyIDEA installation.</p>
<p>If you need more complex setups, you can use the parameter &#8220;filename&#8221;.</p>
<h2>Setting up more complex policies</h2>
<p>Maybe you want to create a policy, that requires users to present their LDAP password, but you also want to pass authentication if the user has no tokens or the user does not exist.</p>
<p>But only for a specific realm! Then you can create a JSON config file, that describes this policy and use this file to bootstrap the privacyIDEA configuration.</p>
<p>The file contains a dictionary with the following content:</p>
<pre>{
    'action': {
        u'otppin': u'userstore',
        'passOnNoUser': True,
        'passOnNoToken': True
    },
    'active': False,
    'adminrealm': [],
    'check_all_resolvers': False,
    'client': [],
    'condition': 0,
    'name': u'policyname2',
    'priority': 17,
    'realm': ['userrealm'],
    'resolver': [],
    'scope': u'authentication',
    'time': u'',
    'user': []
}</pre>
<p>This way you can set all parameters of a policy. In this case we bound the policy to the realm &#8220;userrealm&#8221; and initially deactivated the policy.</p>
<p>You see that the policy subcommands of the pi-manage tool give you a lot of possibilities to set up your privacyIDEA system automatically or to reconfigure it to a previously defined state.</p>
<p>There are a lot more subcommands of the pi-manage tool, check out the <a href="https://privacyidea.readthedocs.io/en/latest/installation/system/pimanage/index.html" target="_blank" rel="noopener">manpage</a> and stop by at the <a href="https://community.privacyidea.org" target="_blank" rel="noopener">community forum</a>, if you want to discuss any aspects of policies.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Most flexible two factor authentication &#8211; handling your events!</title>
		<link>https://www.privacyidea.org/most-flexible-two-factor-authentication-handling-your-events/</link>
		
		<dc:creator><![CDATA[Cornelius Kölbel]]></dc:creator>
		<pubDate>Wed, 19 Jul 2017 12:19:06 +0000</pubDate>
				<category><![CDATA[documentation]]></category>
		<category><![CDATA[events]]></category>
		<category><![CDATA[Tips and Tricks]]></category>
		<category><![CDATA[Event Handler]]></category>
		<category><![CDATA[notification]]></category>
		<category><![CDATA[Policy]]></category>
		<guid isPermaLink="false">https://www.privacyidea.org/?p=1241</guid>

					<description><![CDATA[privacyIDEA comes with a great feature: The event handling framework. So learn more about the unlimited power of the event handling framework and how to use its flexibility to get a privacyIDEA setup, which fits your needs. Event Handling Framework When speaking of software or products the term &#8220;framework&#8221; might raise a connotation of &#8220;you have [&#8230;]]]></description>
										<content:encoded><![CDATA[<p>privacyIDEA comes with a great feature: The <strong>event handling framework</strong>.</p>
<p>So learn more about the unlimited power of the event handling framework and how to use its flexibility to get a privacyIDEA setup, which fits your needs.</p>
<h2>Event Handling Framework</h2>
<p>When speaking of software or products the term &#8220;framework&#8221; might raise a connotation of &#8220;you have to do it yourself&#8221;, &#8220;things are not ready&#8221;, &#8220;the software is not usable&#8221;.</p>
<p>A javascript framework can help you to develop cool web front ends. A python framework can be the basis for developing microservices and the framework Qt still requires the developer to develop the real program with the business logic.</p>
<p>When speaking of the Event Handling Framework, things might look similar: We, the developers, do not know how you want to use privacyIDEA and thus we give you the greatest flexibility. We have not thought of all the possibilities in which you &#8211; the administrator &#8211; could use this framework! So you can come up with usage scenarios or configuration combinations <strong>no one has ever seen before</strong>!</p>
<p>But when speaking of the Event Handling Framework, things are a bit different: You do not have to be a developer to realize your ideas or to have privacyIDEA run the way you want it to.</p>
<p>Using the Event Handling Framework you can get the highest flexibility out of a state-of-the-art authentication server, just by configuring rules in a simple web interface.</p>
<h2>The basic concept of Event Handlers</h2>
<p><figure id="attachment_1249" aria-describedby="caption-attachment-1249" style="width: 612px" class="wp-caption aligncenter"><a href="https://www.privacyidea.org/wp-content/uploads/2017/07/event-handler-overview.png"><img decoding="async" class="wp-image-1249" src="https://www.privacyidea.org/wp-content/uploads/2017/07/event-handler-overview-300x152.png" alt="" width="612" height="310" srcset="https://www.privacyidea.org/wp-content/uploads/2017/07/event-handler-overview-300x152.png 300w, https://www.privacyidea.org/wp-content/uploads/2017/07/event-handler-overview-768x389.png 768w, https://www.privacyidea.org/wp-content/uploads/2017/07/event-handler-overview-1024x519.png 1024w, https://www.privacyidea.org/wp-content/uploads/2017/07/event-handler-overview.png 1281w" sizes="(max-width: 612px) 100vw, 612px" /></a><figcaption id="caption-attachment-1249" class="wp-caption-text">The list of event handling definitions</figcaption></figure></p>
<h3>A top level view</h3>
<p>Each API request is an event:</p>
<ul>
<li>An authentication request,</li>
<li>the request to issue a token,</li>
<li>to block a token</li>
<li>or unassign a token.</li>
<li>If a user logs in to the Web UI, this is an API request&#8230;</li>
</ul>
<p>You can see the <a href="http://privacyidea.readthedocs.io/en/latest/modules/api.html" target="_blank" rel="noopener noreferrer">full list of all API calls here</a>.</p>
<p>The Event Handling Framework allows the administrator to &#8220;attach&#8221; new actions to each and every API call/event. It roughly works like this:</p>
<p style="padding-left: 30px;">event -&gt; condition -&gt; action</p>
<h3>Conditions</h3>
<p>But these actions are only triggered in case a list of <strong>conditions</strong> evaluate to <em>true</em>.  Conditions can be:</p>
<ul>
<li>if an authentication request was successful,</li>
<li>if the role of the user in the request was &#8220;administrator&#8221; or &#8220;user&#8221;,</li>
<li>if the token used was of a certain type</li>
<li>but also more complex conditions like if a date contained in a tokeninfo field of the used token is before or after a certain timestamp or of a certain age.</li>
</ul>
<p>There are currently 14 different, sometimes rather complex conditions and the number is growing.  For a <a href="http://privacyidea.readthedocs.io/en/latest/eventhandler/index.html#conditions" target="_blank" rel="noopener noreferrer">full list of conditions see the online documentation</a>.</p>
<h3>Actions &#8211; The Event Handlers</h3>
<p>Actions are performed by the event handlers. Currently there are three &#8220;groups&#8221;: Notifications, Token actions and scripts.</p>
<p>Roughly speaking the <em>Notification</em> actions will automatically notify administrators or users in case of certain events and if certain conditions apply. Notification can be done via email or SMS.</p>
<p>The administrator can also define that <em>Token actions</em> will happen. These are roughly all actions on tokens you can think of: enable, disable, set description and validity period, set arbitrary tokeninfo fields, delete tokens and even enroll new tokens! This is probably the most important handler for automating tasks, which e.g. can help large organizations with enrollment processes.</p>
<p>Finally there is the <em>Script Handler</em>, which can trigger shell scripts. The privacyIDEA administrator can write and define any number of shell scripts and thus gets unlimited possibilities. The usual use case we think about might be running backups or cleaning up orphaned tokens. But you will probably have a lot of other ideas.</p>
<p><figure id="attachment_1251" aria-describedby="caption-attachment-1251" style="width: 557px" class="wp-caption aligncenter"><a href="https://www.privacyidea.org/wp-content/uploads/2017/07/event-details.png"><img decoding="async" class=" wp-image-1251" src="https://www.privacyidea.org/wp-content/uploads/2017/07/event-details-300x169.png" alt="" width="557" height="314" srcset="https://www.privacyidea.org/wp-content/uploads/2017/07/event-details-300x169.png 300w, https://www.privacyidea.org/wp-content/uploads/2017/07/event-details-768x433.png 768w, https://www.privacyidea.org/wp-content/uploads/2017/07/event-details.png 918w" sizes="(max-width: 557px) 100vw, 557px" /></a><figcaption id="caption-attachment-1251" class="wp-caption-text">The action &#8220;set description&#8221; defined in a token event. During enrollment the description of the token gets set to &#8220;This token needs to be shipped 2017-07-10T10:00+0200&#8221;.</figcaption></figure></p>
<h2>Examples</h2>
<p>Some of these examples might occur to you a bit far fetched. But after all these are examples of what is possible. So you may come up with your own scenarios which very probably will also work out nicely.</p>
<h3>Notify the user in case his password is breached</h3>
<p>The notification event handler can send an email or an SMS to the user, if &#8220;he&#8221; fails to authenticate. This way the user knows, if someone else tried to authenticate.</p>
<p>This can be combined with the condition of the <em>tokentype</em>. The tokentype is only known (and thus only the event handler will trigger) if the OTP PIN a.k.a. static password of the user is correct. Thus the user gets notified if someone guessed or sniffed his static password but fails at the second factor.</p>
<p><figure id="attachment_1258" aria-describedby="caption-attachment-1258" style="width: 537px" class="wp-caption aligncenter"><a href="https://www.privacyidea.org/wp-content/uploads/2017/07/tokentype-definition.png"><img loading="lazy" decoding="async" class=" wp-image-1258" src="https://www.privacyidea.org/wp-content/uploads/2017/07/tokentype-definition-300x119.png" alt="" width="537" height="213" srcset="https://www.privacyidea.org/wp-content/uploads/2017/07/tokentype-definition-300x119.png 300w, https://www.privacyidea.org/wp-content/uploads/2017/07/tokentype-definition-768x304.png 768w, https://www.privacyidea.org/wp-content/uploads/2017/07/tokentype-definition.png 973w" sizes="auto, (max-width: 537px) 100vw, 537px" /></a><figcaption id="caption-attachment-1258" class="wp-caption-text">The condition contains the tokentype. The event will only trigger if the used token is an HOTP or TOTP token.</figcaption></figure></p>
<h3>Limit token usage</h3>
<p>Suppose that for any reason you need a token that the user is only allowed to use for a limited time, e.g. the user would only be allowed to log in 100 times.</p>
<p>You can create an event handler definition in the token handler to disable the token, if it either was successfully used more than 100 times or it was unsuccessfully used more than 50 times. (To whoever this may concern).</p>
<p><figure id="attachment_1259" aria-describedby="caption-attachment-1259" style="width: 542px" class="wp-caption aligncenter"><a href="https://www.privacyidea.org/wp-content/uploads/2017/07/disable-token.png"><img loading="lazy" decoding="async" class=" wp-image-1259" src="https://www.privacyidea.org/wp-content/uploads/2017/07/disable-token-300x154.png" alt="" width="542" height="278" srcset="https://www.privacyidea.org/wp-content/uploads/2017/07/disable-token-300x154.png 300w, https://www.privacyidea.org/wp-content/uploads/2017/07/disable-token-768x393.png 768w, https://www.privacyidea.org/wp-content/uploads/2017/07/disable-token.png 992w" sizes="auto, (max-width: 542px) 100vw, 542px" /></a><figcaption id="caption-attachment-1259" class="wp-caption-text">Disable a token, that was used too often.</figcaption></figure></p>
<h3>Automatically Unlock locked tokens</h3>
<p>Starting with privacyIDEA 2.20 (currently under development) you can also use timestamp tags in the tokeninfo condition and settings. I.e. if one event occurs, the token event handler can use the &#8220;set tokeninfo&#8221; to set additional information like <strong>tokeninfo key=locked</strong> and <strong>tokeninfo value={now}</strong>. The tag &#8220;now&#8221; will be converted to the current timestamp. This action could be called on a failed authentication request. You could also mark the token for any other reason.</p>
<p><figure id="attachment_1260" aria-describedby="caption-attachment-1260" style="width: 600px" class="wp-caption aligncenter"><a href="https://www.privacyidea.org/wp-content/uploads/2017/07/mark-the-token.png"><img loading="lazy" decoding="async" class="wp-image-1260" src="https://www.privacyidea.org/wp-content/uploads/2017/07/mark-the-token-300x162.png" alt="" width="600" height="324" srcset="https://www.privacyidea.org/wp-content/uploads/2017/07/mark-the-token-300x162.png 300w, https://www.privacyidea.org/wp-content/uploads/2017/07/mark-the-token-768x415.png 768w, https://www.privacyidea.org/wp-content/uploads/2017/07/mark-the-token.png 968w" sizes="auto, (max-width: 600px) 100vw, 600px" /></a><figcaption id="caption-attachment-1260" class="wp-caption-text">Mark the token with the current timestamp.</figcaption></figure></p>
<p>A second event handler can check for this timestamp. I.e. the condition can verify if the timestamp is older than &#8211; let's say &#8211; one week/7 days. In this case a second action like unlocking the token can be performed.</p>
<p><figure id="attachment_1261" aria-describedby="caption-attachment-1261" style="width: 600px" class="wp-caption aligncenter"><a href="https://www.privacyidea.org/wp-content/uploads/2017/07/tokeninfo-conditions.png"><img loading="lazy" decoding="async" class="wp-image-1261" src="https://www.privacyidea.org/wp-content/uploads/2017/07/tokeninfo-conditions-300x54.png" alt="" width="600" height="108" srcset="https://www.privacyidea.org/wp-content/uploads/2017/07/tokeninfo-conditions-300x54.png 300w, https://www.privacyidea.org/wp-content/uploads/2017/07/tokeninfo-conditions-768x139.png 768w, https://www.privacyidea.org/wp-content/uploads/2017/07/tokeninfo-conditions.png 970w" sizes="auto, (max-width: 600px) 100vw, 600px" /></a><figcaption id="caption-attachment-1261" class="wp-caption-text">Check if the locked timestamp is newer than 7 days old.</figcaption></figure></p>
<p>This can be achieved by using the <em>tokeninfo</em> condition. This check can also check strings, integers and dates for being less, equal or greater. This helps to easily automate many tedious tasks.</p>
<h2>Under the hood</h2>
<p>The online documentation should <a href="http://privacyidea.readthedocs.io/en/latest/eventhandler/index.html" target="_blank" rel="noopener noreferrer">contain the full developer view of the event handlers</a>.</p>
<h3>Decorators</h3>
<p>privacyIDEA is based on the python framework Flask and uses a lot of decorators to structure code, reduce lines of code and improve testability. The event handler adds one decorator &#8220;@event&#8221;. E.g. this <a href="https://github.com/privacyidea/privacyidea/blob/master/privacyidea/api/validate.py#L176" target="_blank" rel="noopener noreferrer">decorator decorates the endpoint &#8220;/validate/check&#8221;</a>.</p>
<p>The decorator takes care of registering this endpoint in the event handler framework but also calling possible actions.</p>
<h3>Event Handler Class</h3>
<p>Each event handler (<a href="http://privacyidea.readthedocs.io/en/latest/eventhandler/usernotification.html" target="_blank" rel="noopener noreferrer">Notification</a>, <a href="http://privacyidea.readthedocs.io/en/latest/eventhandler/tokenhandler.html" target="_blank" rel="noopener noreferrer">Token Handler</a>, <a href="http://privacyidea.readthedocs.io/en/latest/eventhandler/scripthandler.html" target="_blank" rel="noopener noreferrer">Scripts</a>) is a python Class, that inherits from the Base Handler. Each handler could define its own conditions and its own actions and thus can work self-contained and add any functionality to privacyIDEA.</p>
<h3>Do actions</h3>
<p>As event handlers like the Token Event Handler use already existing code for disabling or enrolling tokens, these event handlers are relatively small and stable. E.g. the token event handler is roughly 100 lines of code defining the allowed actions and another 100 lines of code for calling existing lower level functions.</p>
<p>This is done in the main function &#8220;<a href="https://github.com/privacyidea/privacyidea/blob/master/privacyidea/lib/eventhandler/tokenhandler.py#L211" target="_blank" rel="noopener noreferrer">do</a>&#8221; of the event handler.</p>
<h3>Conditions</h3>
<p>Each event handler could also define its own conditions, if this is necessary or makes sense. But for now all conditions are the same for all event handlers and thus only the base event handler class implements the method &#8220;<a href="https://github.com/privacyidea/privacyidea/blob/master/privacyidea/lib/eventhandler/base.py#L245" target="_blank" rel="noopener noreferrer">check_conditions</a>&#8221;.</p>
<h2>Finally</h2>
<p><figure id="attachment_1255" aria-describedby="caption-attachment-1255" style="width: 518px" class="wp-caption aligncenter"><a href="https://www.privacyidea.org/wp-content/uploads/2017/07/stairs-1036882_1280.jpg"><img loading="lazy" decoding="async" class="wp-image-1255" src="https://www.privacyidea.org/wp-content/uploads/2017/07/stairs-1036882_1280-300x200.jpg" alt="" width="518" height="345" srcset="https://www.privacyidea.org/wp-content/uploads/2017/07/stairs-1036882_1280-300x200.jpg 300w, https://www.privacyidea.org/wp-content/uploads/2017/07/stairs-1036882_1280-768x512.jpg 768w, https://www.privacyidea.org/wp-content/uploads/2017/07/stairs-1036882_1280-1024x682.jpg 1024w, https://www.privacyidea.org/wp-content/uploads/2017/07/stairs-1036882_1280.jpg 1280w" sizes="auto, (max-width: 518px) 100vw, 518px" /></a><figcaption id="caption-attachment-1255" class="wp-caption-text">Your imagination!</figcaption></figure></p>
<p>Adding event handler definitions is a matter of a few clicks for the administrator. But it is a great step for the automation of your privacyIDEA installation.</p>
<p>Adding a new event handler class is also only a matter of inheriting from the base handler class and starting with roughly 50 lines of code. The hardest thing is to come up with a new idea! But the only limit is your imagination!</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>More flexible policies with regular expressions</title>
		<link>https://www.privacyidea.org/flexible-policies-regular-expressions/</link>
		
		<dc:creator><![CDATA[Cornelius Kölbel]]></dc:creator>
		<pubDate>Tue, 14 Feb 2017 16:18:26 +0000</pubDate>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[Development]]></category>
		<category><![CDATA[Policy]]></category>
		<category><![CDATA[User Management]]></category>
		<guid isPermaLink="false">https://www.privacyidea.org/?p=1143</guid>

					<description><![CDATA[Today I want to give you an idea about the current development in privacyIDEA. You may like privacyIDEA because it is probably the most flexible and extensible multi factor authentication system due to its sophisticated policies and event handler framework. But I just pushed a small enhancement in regards to the policies, which my ease [&#8230;]]]></description>
										<content:encoded><![CDATA[<p><figure id="attachment_1145" aria-describedby="caption-attachment-1145" style="width: 300px" class="wp-caption alignleft"><a href="https://www.privacyidea.org/wp-content/uploads/2017/02/characters-2029373_640.png"><img loading="lazy" decoding="async" class="size-medium wp-image-1145" src="https://www.privacyidea.org/wp-content/uploads/2017/02/characters-2029373_640-300x157.png" alt="" width="300" height="157" srcset="https://www.privacyidea.org/wp-content/uploads/2017/02/characters-2029373_640-300x157.png 300w, https://www.privacyidea.org/wp-content/uploads/2017/02/characters-2029373_640.png 640w" sizes="auto, (max-width: 300px) 100vw, 300px" /></a><figcaption id="caption-attachment-1145" class="wp-caption-text">Identify users by regular expression.</figcaption></figure></p>
<p>Today I want to give you an idea about the current development in privacyIDEA. You may like privacyIDEA because it is probably the most flexible and extensible multi factor authentication system due to its sophisticated <a href="http://privacyidea.readthedocs.io/en/latest/policies/index.html" target="_blank">policies</a> and <a href="http://privacyidea.readthedocs.io/en/latest/eventhandler/index.html" target="_blank">event handler framework</a>.</p>
<p>But I just pushed a small enhancement regarding the policies, which may ease your life. You are now able to define policies not only based on realms, resolvers and lists of users, but you may also use <a href="https://github.com/privacyidea/privacyidea/issues/581" target="_blank">regular expressions for the users in policies</a>. This will be part of privacyIDEA 2.18, which is scheduled for mid-March 2017.</p>
<p>This way you do not need to rely on the user realms and user resolvers. You can also specify, that a certain policy should be bound to all users matching <em>customer_.*</em> or <em>admin_.*</em>.</p>
<p>This can help to ease things, since you do not need to split up a realm into many resolvers.</p>
<p>Tell us, what you like. Join the <a href="https://groups.google.com/forum/#!forum/privacyidea" target="_blank">Google Group</a>, post your issues at <a href="https://github.com/privacyidea/privacyidea" target="_blank">Github</a> or <a href="https://www.youtube.com/channel/UCesoTaB76oX42vX7WGfyyFA" target="_blank">subscribe to the Youtube Channel.</a></p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>privacyIDEA 2.13 released &#8211; Improved Text Messages and PIN</title>
		<link>https://www.privacyidea.org/privacyidea-2-13-released/</link>
					<comments>https://www.privacyidea.org/privacyidea-2-13-released/#respond</comments>
		
		<dc:creator><![CDATA[Cornelius Kölbel]]></dc:creator>
		<pubDate>Thu, 30 Jun 2016 14:05:56 +0000</pubDate>
				<category><![CDATA[release]]></category>
		<category><![CDATA[Whatsup]]></category>
		<category><![CDATA[notification]]></category>
		<category><![CDATA[PIN handling]]></category>
		<category><![CDATA[Policy]]></category>
		<category><![CDATA[SMS]]></category>
		<guid isPermaLink="false">https://www.privacyidea.org/?p=976</guid>

					<description><![CDATA[Yes I know. And I also always said, please do not use SMS for two factor authentication. Rely on a decent piece of hardware. Although you should stop using text for two factor authentication, privacyIDEA supports text messages or SMS besides a long list of other token types. Text message (SMS) enhancements Nevertheless privacyIDEA 2.13 [&#8230;]]]></description>
										<content:encoded><![CDATA[<p>Yes I know. And I also always said, please do not use SMS for two factor authentication. Rely on a decent piece of hardware. Although <a href="https://www.wired.com/2016/06/hey-stop-using-texts-two-factor-authentication/" target="_blank">you should stop using text for two factor authentication</a>, privacyIDEA supports text messages or SMS besides a <a href="https://www.privacyidea.org/about/features/">long list of other token types</a>.<a href="https://www.privacyidea.org/wp-content/uploads/2016/06/iphone-388387_640.jpg"><img loading="lazy" decoding="async" class="size-medium wp-image-978 alignright" src="https://www.privacyidea.org/wp-content/uploads/2016/06/iphone-388387_640-300x200.jpg" alt="iphone-388387_640" width="300" height="200" srcset="https://www.privacyidea.org/wp-content/uploads/2016/06/iphone-388387_640-300x200.jpg 300w, https://www.privacyidea.org/wp-content/uploads/2016/06/iphone-388387_640.jpg 640w" sizes="auto, (max-width: 300px) 100vw, 300px" /></a></p>
<h2>Text message (SMS) enhancements</h2>
<p>Nevertheless privacyIDEA 2.13 comes with improved SMS handling. But be sure, SMS can not only be used for authentication but for many other things. privacyIDEA 2.13 now lets you define a central list of SMS gateways &#8211; just like with centrally defined <a href="https://www.privacyidea.org/privacyidea-2-10-released-all-for-the-user/">SMTP servers</a> and <a href="https://www.privacyidea.org/privacyidea-2-11-easy-migration-radius-policy/">RADIUS servers</a>. Now privacyIDEA can centrally define all communication channels it needs. Defining your SMS gateway centrally eases the setup of your SMS token type.</p>
<p>But text messages now can also be used to notify users in case of certain events. The <a href="https://www.privacyidea.org/privacyidea-2-12-released-event-handler-certificates-pkcs12-pkcs11-much/">event handling with user notification was added in version 2.12</a> with notification via email &#8211; now you can also use text messages.</p>
<p>These SMS gateways could be used for other features in the future like notifying administrators in case of certain errors&#8230; Feel free to <a href="https://github.com/privacyidea/privacyidea" target="_blank">open any feature request on github</a>.</p>
<h3>PIN handling</h3>
<p>The second main feature is PIN handling. You may have noticed the new logo of privacyIDEA.</p>
<p><figure id="attachment_964" aria-describedby="caption-attachment-964" style="width: 300px" class="wp-caption alignnone"><a href="https://www.privacyidea.org/wp-content/uploads/2016/06/privacyIDEA-800px.png"><img loading="lazy" decoding="async" class="wp-image-964 size-medium" src="https://www.privacyidea.org/wp-content/uploads/2016/06/privacyIDEA-800px-300x162.png" alt="privacyIDEA-800px" width="300" height="162" srcset="https://www.privacyidea.org/wp-content/uploads/2016/06/privacyIDEA-800px-300x162.png 300w, https://www.privacyidea.org/wp-content/uploads/2016/06/privacyIDEA-800px-768x415.png 768w, https://www.privacyidea.org/wp-content/uploads/2016/06/privacyIDEA-800px.png 800w" sizes="auto, (max-width: 300px) 100vw, 300px" /></a><figcaption id="caption-attachment-964" class="wp-caption-text">privacyIDEA &#8211; the flexible, modular authentication system.</figcaption></figure></p>
<p>You can see the bottom line &#8220;Authentication System&#8221;. Already a while ago privacyIDEA left the track of a pure OTP system, when adding support for SSH keys, certificates and Yubikeys for LUKS.</p>
<p>privacyIDEA can now take care of PIN policies and require the user to change the PIN after a defined time span. You can also set a policy that a user will have to change the PIN after first use! I am curious what you think about the PIN thing. If you have any further ideas about passwords and PINs drop us a note, write a comment or open an <a href="https://github.com/privacyidea/privacyidea" target="_blank">issue on github</a>.</p>
<h2>Further Enhancements</h2>
<p>&#8230;are</p>
<ul>
<li>Performance enhancements in the Web UI regarding the token view and the audit log.</li>
<li>An additional log level below &#8220;DEBUG&#8221;. Debug will log no passwords. If you need passwords in your debug output, set the loglevel to &#8220;9&#8221;.</li>
<li>Quick actions in the token list. Try and click on the Failcounter or the &#8220;active&#8221; column.</li>
<li>Intelligent proxy handling or &#8220;OverrideAuthorizationClient&#8221; setting, which allows you to define which proxy server is allowed to change the client information.</li>
</ul>
<p>The <a href="https://github.com/privacyidea/privacyidea/blob/master/Changelog" target="_blank">full changelog can be found here</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://www.privacyidea.org/privacyidea-2-13-released/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>privacyIDEA 2.12 released. Event Handler, Certificates, PKCS12 / PKCS11 and much more&#8230;</title>
		<link>https://www.privacyidea.org/privacyidea-2-12-released-event-handler-certificates-pkcs12-pkcs11-much/</link>
					<comments>https://www.privacyidea.org/privacyidea-2-12-released-event-handler-certificates-pkcs12-pkcs11-much/#comments</comments>
		
		<dc:creator><![CDATA[Cornelius Kölbel]]></dc:creator>
		<pubDate>Tue, 24 May 2016 14:41:24 +0000</pubDate>
				<category><![CDATA[release]]></category>
		<category><![CDATA[Whatsup]]></category>
		<category><![CDATA[CA]]></category>
		<category><![CDATA[Certificates]]></category>
		<category><![CDATA[Policy]]></category>
		<guid isPermaLink="false">https://www.privacyidea.org/?p=936</guid>

					<description><![CDATA[Today we released privacyIDEA 2.12. Certificates and Hardware Security Modules The certificate handling in privacyIDEA was improved. Administrators can now enroll a certificate token for a user and also generate the RSA key pair. Users can download the certificate and the private key as a PKCS12/PFX container. This is useful in certain scenarios where a [&#8230;]]]></description>
										<content:encoded><![CDATA[<p>Today we released privacyIDEA 2.12.</p>
<h2>Certificates and Hardware Security Modules</h2>
<p><a href="https://www.privacyidea.org/wp-content/uploads/2016/05/wristwatch-407096_640.jpg"><img loading="lazy" decoding="async" class="size-medium wp-image-939 alignright" src="https://www.privacyidea.org/wp-content/uploads/2016/05/wristwatch-407096_640-300x200.jpg" alt="wristwatch-407096_640" width="300" height="200" srcset="https://www.privacyidea.org/wp-content/uploads/2016/05/wristwatch-407096_640-300x200.jpg 300w, https://www.privacyidea.org/wp-content/uploads/2016/05/wristwatch-407096_640.jpg 640w" sizes="auto, (max-width: 300px) 100vw, 300px" /></a>The certificate handling in privacyIDEA was improved. Administrators can now enroll a certificate token for a user and also generate the RSA key pair. Users can download the certificate and the private key as a PKCS12/PFX container. This is useful in certain scenarios where a VPN client requires the local installation of a client certificate that stays on the machine.</p>
<p>In addition support for <a href="https://www.privacyidea.org/privacyidea-2-12-hardware-security-module-support/">hardware security modules</a> like the <a href="https://shop.nitrokey.com/shop/product/nitrokey-hsm-7" target="_blank">Nitrokey HSM</a> was added. This was done by adding a <a href="http://privacyidea.readthedocs.io/en/latest/installation/system/securitymodule.html#pkcs11-security-module" target="_blank">PKCS11 security module</a>.</p>
<h2>Time Dependent Policies</h2>
<p>It is now possible to restrict policies to certain times. Thus you can allow the login outside of the office hours only with a Yubikey while allowing login with a Google Authenticator only during daylight. Or the token management of the C-level group tokens could only be allowed on Mondays&#8230;</p>
<p>&#8230;do what you want!</p>
<h2>Event Handler Framework</h2>
<p>The <a href="https://www.privacyidea.org/privacyidea-2-12-delayed-event-handling-framework/">event handler</a> is a complete new concept of allowing new workflows in privacyIDEA. Depending on certain conditions each event (REST API calls) may trigger a new action. The administrator may configure the triggered actions in the most flexible manner.</p>
<p>E.g. if a token is enrolled or assigned, the user may be notified about this. The event handler framework allows for any kind of thinkable workflow. <a href="https://www.privacyidea.org/privacyidea-2-12-delayed-event-handling-framework/">Please read our previous post on this topic</a>.</p>
<p>&#8230;do what you want!</p>
<h2>Changelog</h2>
<p>This is the complete <a href="https://github.com/privacyidea/privacyidea/blob/v2.12/Changelog" target="_blank">changelog</a>.</p>
<h3>Features</h3>
<ul>
<li>Event Handler Framework #360</li>
<li>local CA connector can enroll certificates for users. Users can download PKCS12 file. #383</li>
<li>Add and edit users in LDAP resolvers #372</li>
<li>Hardware Security Module support via PKCS11</li>
<li>Time dependent policies #358</li>
</ul>
<h3>Enhancements</h3>
<ul>
<li>Policy for web UI enrollment wizard #402</li>
<li>Realm dropdown box at login screen #400</li>
<li>Apply user policy settings #390</li>
<li>Improve QR Code for TOTP token enrollment #384</li>
<li>Add documentation for enrollment wizard #381</li>
<li>Improve pi-manage backup to use pymysql #375</li>
<li>Use X-Forwarded-For HTTP header as client IP #356</li>
<li>Add meta-package privacyidea-mysql #376</li>
</ul>
<h3>Fixes</h3>
<ul>
<li>Adduser honors resolver setting in policy #403</li>
<li>Add documentation for SPASS token #399</li>
<li>Hide enrollment link (WebUI) if user can not enroll #398</li>
<li>Fix getSerial for TOTP tokens #393</li>
<li>Fix system config checkboxes #378</li>
<li>Allow a realm to be removed from a token #363</li>
<li>Improve the date handling in emails #352</li>
<li>Sending test emails #350</li>
<li>Authentication with active token not possible if the user has a disabled token #339</li>
</ul>
]]></content:encoded>
					
					<wfw:commentRss>https://www.privacyidea.org/privacyidea-2-12-released-event-handler-certificates-pkcs12-pkcs11-much/feed/</wfw:commentRss>
			<slash:comments>1</slash:comments>
		
		
			</item>
		<item>
		<title>privacyIDEA talk at Tübix</title>
		<link>https://www.privacyidea.org/privacyidea-talk-tubix/</link>
					<comments>https://www.privacyidea.org/privacyidea-talk-tubix/#respond</comments>
		
		<dc:creator><![CDATA[Cornelius Kölbel]]></dc:creator>
		<pubDate>Thu, 19 May 2016 07:31:13 +0000</pubDate>
				<category><![CDATA[events]]></category>
		<category><![CDATA[Certificates]]></category>
		<category><![CDATA[Migration]]></category>
		<category><![CDATA[Policy]]></category>
		<category><![CDATA[talk]]></category>
		<guid isPermaLink="false">https://www.privacyidea.org/?p=934</guid>

					<description><![CDATA[Cornelius will give a talk about what&#8217;s new in privacyIDEA at the tübix in Tübingen. This will be things like: Event handler to trigger certain actions depending on events Improved certificate support Editable user resolvers &#8211; even in LDAP Improvements in the WebUI and policies Easy Migration with RADIUS passthru policy Tübix is a Linux [&#8230;]]]></description>
										<content:encoded><![CDATA[<p>Cornelius will give a talk about what&#8217;s new in <a href="http://www.tuebix.org/2016/programm/cornelius-koelbel-open-source-mehr-faktor-authentifizierung-mit-privacyidea/" target="_blank">privacyIDEA at the tübix in Tübingen</a>.</p>
<p>This will be things like:</p>
<ul>
<li>Event handler to trigger certain actions depending on events</li>
<li>Improved certificate support</li>
<li>Editable user resolvers &#8211; even in LDAP</li>
<li>Improvements in the WebUI and policies</li>
<li>Easy Migration with RADIUS passthru policy</li>
</ul>
<p>Tübix is a Linux event in the south of Germany, so the talk will be in German. But there will be plenty of time to discuss things, also in the evening over a cold beer.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://www.privacyidea.org/privacyidea-talk-tubix/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Bug in passOnNoUser policy allows arbitrary authentication</title>
		<link>https://www.privacyidea.org/bug-passonnouser-policy-allows-arbitrary-authentication/</link>
					<comments>https://www.privacyidea.org/bug-passonnouser-policy-allows-arbitrary-authentication/#comments</comments>
		
		<dc:creator><![CDATA[Cornelius Kölbel]]></dc:creator>
		<pubDate>Wed, 04 May 2016 12:48:42 +0000</pubDate>
				<category><![CDATA[Bug]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Authentication]]></category>
		<category><![CDATA[passOnNoUser]]></category>
		<category><![CDATA[Policy]]></category>
		<guid isPermaLink="false">https://www.privacyidea.org/?p=923</guid>

					<description><![CDATA[A bug in the passOnNoUser policy allows authentication with an arbitrary password. Affected version: up to privacyIDEA 2.11.2 Probability: Medium Security Severity: High Technical Background The passOnNoUser policy is supposed to check if an authenticating user exists. If the user exists, normal authentication is performed. If the user does not exist in the user store authentication is immediately successful. [&#8230;]]]></description>
										<content:encoded><![CDATA[<p>A bug in the passOnNoUser policy allows authentication with an arbitrary password.</p>
<ul>
<li>Affected version: up to privacyIDEA 2.11.2</li>
<li>Probability: Medium</li>
<li><strong>Security Severity: High</strong></li>
</ul>
<h2>Technical Background</h2>
<p>The passOnNoUser policy is supposed to check if an authenticating user exists. If the user exists, normal authentication is performed. If the user does not exist in the user store, authentication is immediately successful. This is useful in special scenarios where the application has several levels of authentication and privacyIDEA is just the second level. Users that do not exist in privacyIDEA will only authenticate with the first level, and users that have an account in privacyIDEA will need to authenticate with the second level.</p>
<p>The Bug: If the policy passOnNoUser is set, it is not checked whether the user exists. <strong>I.e. even users that do exist are successfully authenticated, without checking their OTP value or password.</strong></p>
<h2>Advisory</h2>
<p>You need to disable any policy containing the passOnNoUser action or remove the passOnNoUser action from your policies immediately.</p>
<h2>Fix</h2>
<p>You should update to version 2.11.3 which is released today.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://www.privacyidea.org/bug-passonnouser-policy-allows-arbitrary-authentication/feed/</wfw:commentRss>
			<slash:comments>1</slash:comments>
		
		
			</item>
		<item>
		<title>privacyIDEA 2.10 released. All for the user &#8211; self registration, password reset, token wizard</title>
		<link>https://www.privacyidea.org/privacyidea-2-10-released-all-for-the-user/</link>
					<comments>https://www.privacyidea.org/privacyidea-2-10-released-all-for-the-user/#comments</comments>
		
		<dc:creator><![CDATA[Cornelius Kölbel]]></dc:creator>
		<pubDate>Thu, 11 Feb 2016 07:00:21 +0000</pubDate>
				<category><![CDATA[release]]></category>
		<category><![CDATA[Whatsup]]></category>
		<category><![CDATA[Enrollment]]></category>
		<category><![CDATA[mass enrollment]]></category>
		<category><![CDATA[Policy]]></category>
		<category><![CDATA[Self Registration]]></category>
		<category><![CDATA[Token Wizard]]></category>
		<guid isPermaLink="false">https://www.privacyidea.org/?p=882</guid>

					<description><![CDATA[Today we have pleasure in announcing the release of privacyIDEA 2.10. In this release the two factor authentication solution privacyIDEA eases the lives of the users. Self Registration and Password Reset privacyIDEA comes with a new policy scope &#8220;register&#8221;. If this policy is set new users may create a new account. The creation of the [&#8230;]]]></description>
										<content:encoded><![CDATA[<p>Today we have the pleasure of announcing the release of privacyIDEA 2.10. In this release the two factor authentication solution privacyIDEA eases the lives of the users.</p>
<h3>Self Registration and Password Reset</h3>
<p><a href="https://www.privacyidea.org/wp-content/uploads/2016/02/checklist-911841_640.png" rel="attachment wp-att-885"><img loading="lazy" decoding="async" class="wp-image-885 alignleft" src="https://www.privacyidea.org/wp-content/uploads/2016/02/checklist-911841_640-300x240.png" alt="checklist-911841_640" width="126" height="101" srcset="https://www.privacyidea.org/wp-content/uploads/2016/02/checklist-911841_640-300x240.png 300w, https://www.privacyidea.org/wp-content/uploads/2016/02/checklist-911841_640.png 640w" sizes="auto, (max-width: 126px) 100vw, 126px" /></a>privacyIDEA comes with <a href="http://privacyidea.readthedocs.org/en/latest/policies/register.html" target="_blank">a new policy scope &#8220;register&#8221;</a>. If this policy is set, new users may create a new account. The creation of the account can be limited to certain realms or to certain email addresses. This way you can define that only users with an email address from a certain domain are allowed to register.</p>
<p>The user will get an email with a registration token, that can be used to access the privacyIDEA Web UI.</p>
<p><a href="https://www.privacyidea.org/thoughts-about-2-10-user-self-registration-an-notification/">User registration was also introduced in a previous blog post</a>.</p>
<p>User registration is possible due to the concept of writeable userstores, which was introduced earlier. Another possibility that arises from the writeable userstores and which is introduced in <a href="http://privacyidea.readthedocs.org/en/latest/policies/user.html#password-reset" target="_blank">version 2.10 is User Password Reset</a>. In a user policy you may define whether a user should be allowed to reset his userstore password.</p>
<p><figure id="attachment_886" aria-describedby="caption-attachment-886" style="width: 300px" class="wp-caption aligncenter"><a href="https://www.privacyidea.org/wp-content/uploads/2016/02/Password-Reset.png" rel="attachment wp-att-886"><img loading="lazy" decoding="async" class="size-medium wp-image-886" src="https://www.privacyidea.org/wp-content/uploads/2016/02/Password-Reset-300x208.png" alt="A user may be allowed to reset his userstore password." width="300" height="208" srcset="https://www.privacyidea.org/wp-content/uploads/2016/02/Password-Reset-300x208.png 300w, https://www.privacyidea.org/wp-content/uploads/2016/02/Password-Reset.png 363w" sizes="auto, (max-width: 300px) 100vw, 300px" /></a><figcaption id="caption-attachment-886" class="wp-caption-text">A user may be allowed to reset his userstore password.</figcaption></figure></p>
<h3>Token Wizard</h3>
<p>Enrolling tokens to the user is always quite a challenge. No project or installation works the same, has the same requirements and chooses the very same enrollment strategy. It always seems very tempting to let users enroll their tokens, hoping that this strategy will not generate high traffic and costs in the help desk.</p>
<p>With privacyIDEA 2.10 the token user self-enrollment was drastically simplified by providing a token enrollment wizard. <a href="http://privacyidea.readthedocs.org/en/latest/policies/webui.html?#tokenwizard" target="_blank">The token enrollment wizard can be enabled using a policy</a>. The enrollment wizard will jump in if the user has no token. When the user logs in to the WebUI he will be presented with a two-step enrollment without any distracting additional questions or choices.</p>
<p><figure id="attachment_888" aria-describedby="caption-attachment-888" style="width: 331px" class="wp-caption aligncenter"><a href="https://www.privacyidea.org/wp-content/uploads/2016/02/tokenwizard1.png" rel="attachment wp-att-888"><img loading="lazy" decoding="async" class=" wp-image-888" src="https://www.privacyidea.org/wp-content/uploads/2016/02/tokenwizard1-300x146.png" alt="Token Wizard: First step." width="331" height="161" srcset="https://www.privacyidea.org/wp-content/uploads/2016/02/tokenwizard1-300x146.png 300w, https://www.privacyidea.org/wp-content/uploads/2016/02/tokenwizard1.png 753w" sizes="auto, (max-width: 331px) 100vw, 331px" /></a><figcaption id="caption-attachment-888" class="wp-caption-text">Token Wizard: First step.</figcaption></figure></p>
<p>The token wizard works for all kinds of tokens. In this example it is a smartphone based Google Authenticator HOTP token.</p>
<p><figure id="attachment_889" aria-describedby="caption-attachment-889" style="width: 332px" class="wp-caption aligncenter"><a href="https://www.privacyidea.org/wp-content/uploads/2016/02/tokenwizard2.png" rel="attachment wp-att-889"><img loading="lazy" decoding="async" class=" wp-image-889" src="https://www.privacyidea.org/wp-content/uploads/2016/02/tokenwizard2-277x300.png" alt="Token Wizard: Second step." width="332" height="360" srcset="https://www.privacyidea.org/wp-content/uploads/2016/02/tokenwizard2-277x300.png 277w, https://www.privacyidea.org/wp-content/uploads/2016/02/tokenwizard2.png 756w" sizes="auto, (max-width: 332px) 100vw, 332px" /></a><figcaption id="caption-attachment-889" class="wp-caption-text">Token Wizard: Second step.</figcaption></figure></p>
<h3>Email</h3>
<p>After all this user stuff another important feature is the configuration of the email capabilities in privacyIDEA. Emails are used at different locations like the Email Token, SMS Token, registration process and Password Reset. Therefore you can define SMTP server configurations centrally and choose which SMTP configuration you want to use for the specified task.</p>
<p><figure id="attachment_891" aria-describedby="caption-attachment-891" style="width: 1024px" class="wp-caption aligncenter"><a href="https://www.privacyidea.org/wp-content/uploads/2016/02/smtp-servers.png" rel="attachment wp-att-891"><img loading="lazy" decoding="async" class="size-large wp-image-891" src="https://www.privacyidea.org/wp-content/uploads/2016/02/smtp-servers-1024x337.png" alt="Central SMTP Server definitions can be used for different purposes." width="1024" height="337" srcset="https://www.privacyidea.org/wp-content/uploads/2016/02/smtp-servers-1024x337.png 1024w, https://www.privacyidea.org/wp-content/uploads/2016/02/smtp-servers-300x99.png 300w, https://www.privacyidea.org/wp-content/uploads/2016/02/smtp-servers-768x253.png 768w, https://www.privacyidea.org/wp-content/uploads/2016/02/smtp-servers.png 1170w" sizes="auto, (max-width: 1024px) 100vw, 1024px" /></a><figcaption id="caption-attachment-891" class="wp-caption-text">Central SMTP Server definitions can be used for different purposes.</figcaption></figure></p>
<h2>ChangeLog</h2>
<p>This is the complete changelog of version 2.10:</p>
<p>Version 2.10, 2016-02-11</p>
<h3>Features</h3>
<ul>
<li>User Registration: A user may register himself and thus create his new user account.</li>
<li>Password Reset: Using a recovery token a user may issue a password reset without bothering the administrator or the help desk.</li>
<li>Enrollment Wizard for easy user token enrollment</li>
<li>SMTP Servers: Define several system wide SMTP settings and use these for
<ul>
<li>Email token,</li>
<li>SMTP SMS Provider,</li>
<li>registration process,</li>
<li>or password reset.</li>
</ul>
</li>
</ul>
<h3>Enhancements</h3>
<ul>
<li>Ease the Smartphone App (Google Authenticator) rollout. Hide otplen, hash, timestep in the UI if a policy is defined.</li>
<li>Add import of Aladdin/SafeNet XML file.</li>
<li>Add import of password encrypted PSKC files.</li>
<li>Add import of key encrypted PSKC files.</li>
</ul>
<h3>Fixes</h3>
<ul>
<li>Support LDAP passwords with special non-ascii characters.</li>
<li>Support LDAP BIND with special non-ascii characters.</li>
<li>Fix problem with encrypted encryption key.</li>
<li>Fix upgrading DB Schema for postgresql+psycopg2.</li>
<li>Fix UI displaying of saved SMS Provider.</li>
<li>Do not start challenge response with a locked/disabled token.</li>
</ul>
]]></content:encoded>
					
					<wfw:commentRss>https://www.privacyidea.org/privacyidea-2-10-released-all-for-the-user/feed/</wfw:commentRss>
			<slash:comments>1</slash:comments>
		
		
			</item>
		<item>
		<title>OTP Authentication Mangling</title>
		<link>https://www.privacyidea.org/otp-authentication-mangling/</link>
					<comments>https://www.privacyidea.org/otp-authentication-mangling/#respond</comments>
		
		<dc:creator><![CDATA[Cornelius Kölbel]]></dc:creator>
		<pubDate>Mon, 29 Jun 2015 11:52:28 +0000</pubDate>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[Whatsup]]></category>
		<category><![CDATA[Authentication]]></category>
		<category><![CDATA[Policy]]></category>
		<guid isPermaLink="false">https://www.privacyidea.org/?p=661</guid>

					<description><![CDATA[privacyIDEA provides the possibility to verify credentials that arrive via a REST API. You can attach arbitrary applications to privacyIDEA. But this could also result in arbitrary data being sent. This is why we just pushed a new feature for the next release 2.5 of privacyIDEA. Authentication Data Mangling Just like many other features this [&#8230;]]]></description>
										<content:encoded><![CDATA[<p><figure id="attachment_662" aria-describedby="caption-attachment-662" style="width: 300px" class="wp-caption alignleft"><a href="https://www.privacyidea.org/wp-content/uploads/2015/06/arrows-709731_640.png"><img loading="lazy" decoding="async" class="size-medium wp-image-662" src="https://www.privacyidea.org/wp-content/uploads/2015/06/arrows-709731_640-300x150.png" alt="badalyanrazmik @pixabay" width="300" height="150" srcset="https://www.privacyidea.org/wp-content/uploads/2015/06/arrows-709731_640-300x150.png 300w, https://www.privacyidea.org/wp-content/uploads/2015/06/arrows-709731_640.png 640w" sizes="auto, (max-width: 300px) 100vw, 300px" /></a><figcaption id="caption-attachment-662" class="wp-caption-text">by badalyanrazmik @pixabay</figcaption></figure></p>
<p>privacyIDEA provides the possibility to verify credentials that arrive via a REST API. You can attach arbitrary applications to privacyIDEA. But this could also result in arbitrary data being sent. This is why we just pushed a new feature for the next release 2.5 of privacyIDEA.</p>
<h2>Authentication Data Mangling</h2>
<p>Just like many other features this can be configured flexibly via an <em>authentication policy</em>. The Authentication Data Mangling allows you to modify incoming authentication data, before these data are processed by privacyIDEA. Thus you can modify the username, the password or the realm sent in the authentication request.</p>
<p>Imagine a system that sends malformed usernames. You can strip all whitespace or only use a certain part of the sent username to find the user within privacyIDEA. You can use regular expressions to transform the sent username into the username to be found in privacyIDEA.</p>
<p>You can also do funny things by modifying the password. A policy action like:</p>
<pre>mangle=pass/.*(.{6})$/otppin\\1/</pre>
<p>will only use the last 6 characters of the sent password (probably the OTP value) and put the fixed string &#8220;otppin&#8221; in front of it. Ok &#8211; no matter which OTP PIN the user enters, the authentication request will always use &#8220;otppin&#8221;.</p>
<p>Or you could change the order of OTP PIN and OTP values like this:</p>
<pre>mangle=pass/(.*)(.{6})$/\\2\\1/</pre>
<p>As you can also define these mangling policies for certain clients, you can define &#8211; for whatever reason &#8211; clients where &lt;OTP PIN&gt;+&lt;OTP Value&gt; is to be entered and other clients with &lt;OTP value&gt;+&lt;OTP PIN&gt;.</p>
<p>Authentication Data Mangling seems a mighty and flexible feature to me. I cannot see all possible use cases yet. So tell us what you think!</p>
]]></content:encoded>
					
					<wfw:commentRss>https://www.privacyidea.org/otp-authentication-mangling/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
	</channel>
</rss>
