We are proud to release the privacyIDEA simpleSAMLphp Plugin 2.1. We added a new feature, that allows the administrator to configure real Single Sign-On or secure 2FA requirement.

In Single Sign-On mode, the user is asked for the second factor only once. In the secure 2FA requirement, the user is required to provide his second factor for each application where he wants to log in.

The administrator can configure this behavirour in the config file with the parameter “SSO”.

The new version of the privacyIDEA simpleSAMLphp plugin is available via Github. You can download the code there and add it to your installation.

Here you can see, how it is working.
This how-to shows only the basics. To get further information follow the links below.

Installing privacyIDEA

You should install privacyIDEA on a different server, than sipmleSAMLphp and Nextcloud.
In this case, we use the Apache2 setup on a fresh installed Ubuntu 16.04.
During the installation, you will be asked for a mysql root password.

• Adding the repository apt-add-repository ppa:privacyidea/privacyidea
• Update with apt update
• Installing privacyIDEA for apache2 apt install privacyidea-apache2
• Create administrator account with pi-manage admin add <username>

Congratulations you installed privacyIDEA successfully.

Now privacyIDEA needs to know, where your users are stored. Please check our documentation for more information about this.

Installing simpleSAMLphp as an identity provider

Please follow the instructions from simpleSAMLphp

Installing the privacyIDEA module for simpleSAMLphp

First of all you need to install the module privacyIDEA. You can get the current version on GitHub.

Put the files in the directory modules/privacyidea.

The privacyIDEA module can be used in two different ways:
Method 1: The user’s first and second factor will be authenticated against privacyIDEA
Method 2: Only the second factor will be authenticated against privacyIDEA

In this how-to, we only show the simplest way to configure. Especially the method 2 can be configured way more.

Method 1

We will install privacyIDEA as an authentication source.
To do that, we have to append the configuration to config/authsources.php

This is the basic configuration

'example-privacyidea' => array(
    'privacyidea:privacyidea',
    'privacyideaserver' => 'https://your.server.com/pi',
),

If you want to edit more details, please check the documentation on GitHub.

After editing the configuration, please enable the authentication source in the metadata metadate/saml20-idp-hosted.php
Add 'auth' => 'example-privacyidea'

Method 2

If you want to use the second method, you have to use another authentication source (e.g. LDAP)
After that, activate privacyIDEA as an authentication processing filter.
Append in the array in your metadata metadata/saml20-idp-hosted.php the following lines.

This is the basic configuration

'authproc.idp' => array(
    20 => array(
        'class'             => 'privacyidea:serverconfig',
        'privacyideaserver' => 'https://your.server.com/pi',
    )
    25 => array(
        'class'             => 'privacyidea:privacyidea',
    ),
),

If you want to configure the authentication processing filter in more details, please check the documentation on GitHub.

Installing Nextcloud

Please follow the instructions from Nextcloud

Install and configure the app ‘SSO & SAML authentication’

This app can be installed via the marketplace.

After installing the app, it has to be configured like it is done in the following.

Attribute to map the UID to.
This depends on the authentication source.
If you use method 1 (privacyIDEA as an authentication source) and you did not change the attribute map, enter username

Identifier of the IdP entity (must be a URI)
https://your.server.com/simplesamlphp/saml2/idp/metadata.php

URL Target of the IdP where the SP will send the Authentication Request Message
https://your.server.com/simplesamlphp/saml2/idp/SSOService.php

URL Location of the IdP where the SP will send the SLO Request
https://your.server.com/simplesamlphp/saml2/idp/SingleLogoutService.php

Public X.509 certificate of the IdP
You can get it from https://your.server.com/simplesamlphp/module.php/saml/idp/certs.php/idp.crt

If you want to, you can add additional attribute mappings or security settings, but for this how-to it should be enough.

When everything is configured, you can click on ‘Download metadata XML’. To add this is your saml20-sp-remote.php, you need to parse it. Use https://your.server.com/simplesamlphp/admin/metadata-converter.php to do so.

You can copy the result in your metadata/saml20-sp-remote.php.

That’s it

privacyIDEA, simpleSAMLphp and Nextcloud are now configured in the correct way.
You and your users will be able to authenticate now!

Challenge Response

The response of the administrative triggerchallenge call is now consistent with a user triggered challenge. This makes it easier for plugins to handle triggered challenges and also allow multiple challenges at a time. E.g. in the ownCloud or simpleSAMLphp plugin the user would now be able to have several challenge response tokens at the same time and login with either of them.

IE and LDAP

The Internet Explorer sometimes does not provide a usual expected-language header. So even if it looks like the IE would expect a German web site, the privacyIDEA web UI would still be displayed in English. This issue was fixed.

Last but not least, a minor change in the event handler code now avoids an additional LDAP request to the LDAP server, thus speeding up the responses and decreasing the load on the LDAP server.

A complete changelog can be found here.

Update

privacyIDEA can be updated from the usual sources like the launchpad repository or the Python package index.