privacyIDEA is the Open Source Two Factor solution that runs at a central location in your network and can work as the 2FA instance for all your applications. privacyIDEA provides plugins for several applications directly (like WordPress, ownCloud, TYPO3, django, contao…) but also has plugins to serve standart authentication protocols like PAM, RADIUS, SAML2 and OpenID Connect.

You have the chance to use privacyIDEA everywhere – with every application.

Cornelius will give a talk about how privacyIDEA can be integrated with your preferred application at the Ohio Linuxfest in Columbus, Ohio. Your preferred application can be either connected via the before mentioned protocols or via the privacyIDEA REST API. In this talk you can learn, how this can be achieve to use a secure login with your own or preferred application.

On Sunday February 3rd I will give a talk how you can use privacyIDEA to add enterprise grade multi factor authentication to ownCloud.

privacyIDEA is easy. And flexible. It is probably the most flexible open source multi factor authentication systems around. And some scenarios are easy. So easy that you can add enterprise grade 2FA to owncloud in under 15 minutes.

Take a look at this in Brussels.

FOSDEM is a huge and great event with lots of talks and lots of people to meat. I am looking forward to a crowded room “Ferror” on Sunday!

You should always take a look at the Changelog, but starting with privacyIDEA we added a document READ_BEFORE_UPDATE, which contains important information to consider before upgrade.

New Features: RADIUS integration, VASCO support, Offline Refill and more

With privacyIDEA 2.22 we added the possibility to pass more useful userinformation to a RADIUS client like a VPN. The administrator can add a policy to include the resolver and the realm of a user who authenticated successfully. This response data can then be used in the FreeRADIUS plugin and modified by regular expressions to add any arbitrary RADIUS attribute in the RADIUS response, which then would be sent to the VPN. This additional information can be used by Cisco ASA, Citrix Netscaler or any other enterprise grade VPN to put the user into certain subnets or to assign resource to the user.

VASCO token support

privacyIDEA is Open Source. We love Open Source and open standards. But sometimes you have to communicate with proprietary partners, so that they have the chance to become open. This is why privacyIDEA 2.22 comes with support for the proprietary VASCO Digipass tokens. This way it is easier to run VASCO tokens and open standards tokens like HOTP, TOTP or Yuibkeys in parallel and maybe even one day migrate all VASCO tokens – after the batteries have died – to other devices.

If you want to learn more about migrating your VASCO tokens, please contact NetKnights for professional sevices.

Offline Refill

We are improving the offline capability of privacyIDEA in conjunction with the PAM module and the privacyIDEA Credential Provider. The new offline refill will allow to automatically refill the hashed OTP values on the notebooks, which are available for authentication, if the notebook is offline. This way users or administrators will not have to worry anymore when taking the hardware on a business trip.

Send SMS via SMPP

SMPP (Short Message Peer-to-Peer) is a protocol used by carriers for sending SMS. privacyIDEA 2.22 comes with a new SMS Provider to send SMS via SMPP. This can be used for sending SMS in the SMS token during authentication but also for sending SMS in the notification event handler, to notify users or administrators on certain events.

Use Counter handler for monitoring and statistics

We often see, that the event handler is a mighty tool to cope with many different requirements. In addition to the notification handler, token handler, script handler and federation handler privacyIDEA 2.22 now comes with a simply but very flexible counter handler. Just like every handler it can be attached to any event (API call) and will trigger under defined conditions. The counter handler simply increses a counter in the database for this very event.

These counters can now be used for statistics or monitoring, e.g. when increasing a certain counter on the event failed authentication with HOTP token. This way the administrator could monitor the number of failed authentications per time interval.

Each token has a tokenkind

Many installations use hardware tokens and software tokens at the same time. To be more flexible in distinguishing these tokens when it comes to deleting tokens or deciding giving access, we added an additional class attribute to tokens. The “tokenkind”. In contrast to the tokentype, which is simply the mathematics of the token, the tokenkind defines if this very token object is  hardware token, a software token or a virtual token.

Use arbitrary tokeninfo in authorization policies

Authorization policies are used to decide if an authenticated user should get access or not. As the arbitrary tokeninfo fields are getting used more in more in event handler definitions, the tokeninfo can now also be used in the authorization policies to grant or deny access.

This way event handlers could modify token information and this modified token information can be used for granting access. Event handling and authorization thus get connected more tightly.

Lots of enhancements

There are further enhancements of existing features in privacyIDEA. We improved the token export the PSKC files – we will also export PW token types and the counter values of HOTP and TOTP tokens. The export can now also be used to reencrypt a token database.

The SMS and Email token types can now either use the fixed mobile number or email address in the token data or read the mobile/email dynamically from the user store on each authentication event.

The administrator can define a policy so that the validity of the U2F attestation certificate will be ignored. Some U2F devices come with a attestation certificate with an invalid validity period.

We improved the speed of the LinOTP migration script, so that a database with tens of thousands of tokens can be easily migrated.

The pi-manage script can now generate API tokens with a freely chosen validity time.

The user can now set the description of HOTP and TOTP tokens during enrollment.

The administrator can add a timeout to the SMTP server configuration.

The email tokens can now use a complex html template for sending emails.

The LDAP resolver allows to define each attribute as a multivalue attribute.

The event handler condition can trigger on failed authentication.

For the complete changelog with also contains all the fixes, please take a look a the Github repository.

Enterprise Edition

If you are running large mission critical setups, privacyIDEA is also available as Enterprise Edition with support and warranty/liability.

privacyIDEA at Grazer Linuxtage and Linuxfest Northwest

At the end of April you can hear a talk about privacyIDEA in Austria at the Grazer Linuxtage. You will learn, how you can easily migrate an old, existing, proprietary 2FA system to privacyIDEA. Project member Friedrich Weber will also host a workshop at the Grazer Linuxtage, where you can participate in installing privacyIDEA and configuring to your needs.

At the same time Cornelius Kölbel will give a talk in Bellingham Technical Colleage, U.S.A. At the LinuxFest NorthWest 2018 you can learn about what makes privacyIDEA so unique in regards to workflow integrations using the privacyIDEA Event Handler system automating a lot of individual tasks.

Join the discussion

Join the discussion a community.privacyidea.org.

If you can not attend or if you want to try this at home afterwards, here is what we will do!

Setup

10.0.2.201 ucs.tuebix.intranet (LDAP) Univention Corporate Server 4.2
10.0.2.202 privacyidea.tuebix.intranet, Ubuntu 16.04 LTS
10.0.2.203 wordpress.tuebix.intranet, Ubuntu 16.04 LTS with latest wordpress
10.0.2.204 owncloud.tuebix.intranet, Ubuntu 16.04 LTS with ownCloud 10

LDAP

BaseDN: cn=users,dc=tuebix,dc=intranet

The UCS has the following users:

• admininistrator
• user1
• user2
• user3

ownCloud

ownCloud is connected via LDAP, so the LDAP users can connect to ownCloud.

The ownCloud Administrator is called: admin

WordPress

WordPress only has internal users. Nevertheless the user are also called:

• administrator
• user1
• user2
• user3

What we will do – our Agenda

• We will install privacyIDEA and connect privacyIDEA to the UCS, so that privacyIDEA knows the users from the LDAP directory
• Then we will enroll different kind of tokens to the users.
  • The administrator can enroll a token for the users but
  • users can also login to the webui with their LDAP password an enroll a token for themselves.
• Then we start connecting applications to privacyIDEA to add 2FA to the applications
  • WordPress with “strong authentication” plugin
  • ownCloud with the “privacyIDEA ownCloud App” from the market place
  • SSH login with 2FA for users user1, user2, user3

privacyIDEA

Install

privacyIDEA can be installed in many different ways on different Linux distributions. We will install privacyIDEA on our Ubuntu 16.04 machine 10.0.2.202.

As root:

add-apt-repository ppa:privacyidea/privacyidea

apt update

apt install privacyidea-apache2

privacyidea-apache2 is a meta package which will install MySQL, Apache and set up privacyIDEA. Finally we only need to create the first token administrator.

pi-manage add admin super

Now we have an administrator called “super”

Configure

privacyIDEA can be configured via command line, API or the web UI.

https://10.0.2.202

We need to configure the Resolver tuebix_users as Active Directory. For this we need to fetch the certificate of the UCS server.

• LDAP Resolver to ldaps://ucs.tuebix.intranet
• Base DN cn=users,dc=tuebix,dc=intranet
• Bind DN cn=administrator,cn=users,dc=tuebix,dc=intranet
• Preset AD

And a Realm tuebix with the resolver tuebix_users.

We can also take a look at the policies and configure a policy to use otppin=userstore.

Enroll tokens

Enroll tokens as administrator and as normal user…

• Enroll Smartphone App
• Yubikey
• U2F Token
• Feitian C200 (import File Feitian.csv)

ownCloud with 2FA

For ownCloud X we login as administrator and install the “privacyIDEA ownCloud App” from the Marketplace.

We need to configure the App against privacyIDEA:

• https://privacyidea.tuebix.intranet
• no realm
• no ssl check

Note: The privacyIDEA ownCloud App will authenticate all users with a 2nd factor!

After this, users need to present a 2nd factor against privacyIDEA when they log in.

WordPress with 2FA

Install the “strong authentication” plugin.

We need to configure the Plugin against privacyIDEA:

• https://privacyidea.tuebix.intranet…

Note: Users need to enter both factors in the password field at the same time.

The WordPress plugin authenticates users only against privacyIDEA; while with ownCloud users are authenticated by ownCloud and by privacyIDEA.

SSH with 2FA

On either owncloud machine or wordpress machine we install the privacyIDEA PAM module:

add-apt-repository ppa:privacyidea/privacyidea

apt update

apt install privacyidea-pam

…and configure it accordingly against https://privacyidea.tuebix.intranet.

Note: Users need to match!

privacyIDEA LDAP Proxy

Bonus!

In March we will have a booth at the Chemnitzer Linuxtage (March 11th and 12th). Chemnitzer Linuxtage is the biggest yearly Linux event in Germany with about 3000 visitors.

At the booth we will have a demo installation of privacyIDEA, different token types like Yubikeys, U2F devices, Nitrokeys or OTP-Tokens and Cards to present possible solutions to interested visitors. 

If you also want to get personally involved in the privacyIDEA project and development and act as a stand helper you are welcome to join us at our stand. Please drop me a note via the Google Group. You will get free entrance, catering and saturday night event dinner. At the moment we are three persons at the stand. We are looking forward to your experiences, your questions and you as a real life person.

See you in Chemnitz!

Cornelius

Since the 2nd factors can be managed within privacyIDEA, these can also be used throughout the complete network or your whole company.

privacyIDEA supports a whole lot more authentication devices in addition to TOTP.

So come a listen, what is new in privacyIDEA and how you can e.g. use the migration feature to get rid of your old proprietary two factor systems.

Although the problem is still, that authentication can not be completely passed to the external authentication system. The user has to provide his ownCloud password first and then will be redirected to a 2nd-Factor-App.

Cornelius is talking about the development of such an app in the new framework and what needs to be done. Finally the privacyIDEA App emerged, which at the moment is only available via NetKnights. This App forwards the credentials of the second factor (usually a one time password) to the privacyIDEA backend.

See you in Berlin!

Watch this video on YouTube.

This will be things like:

• Event handler to trigger certain actions depending on events
• Improved certificate support
• Editable user resolvers – even in LDAP
• Improvements in the WebUI and policies
• Easy Migration with RADIUS passthru policy

Tübix is a Linux event in the south of Germany, so the talk will be in German. But much time to discuss things, also in the evening utilizing a cold beer.

The T-Dose has a wide spectrum of talks. At certain times there were 8 (eight!) tracks: talks, discussions, workshops and LPI exams.

See the video of my talk about privacyIDEA.

Watch this video on YouTube.