Testing privacyIDEA Push Token

Today we released version 2.0 of our privacyIDEA Authenticator to the beta test program.

In version 2.0 the privacyIDEA Authenticator implements the Push Token. During rollout the Push Token exchanges asymmetric keys between the privacyIDEA Server and the privacyIDEA Authenticator.

During authentication the privacyIDEA Server sends a cryptographic challenge via Firebase to the smartphone. The privacyIDEA Authenticator verifies the signature of the privacyIDEA Server and asks the user to confirm the login request. The App then signs the challenge and sends it back to the privacyIDEA Server.

The internals are described at our github wiki page.

Join the Beta Test

The privacyIDEA Authenticator 2.0 is available for Android phones at the moment. iOS will follow shortly.

We are happy if you want to participate in the public beta test. Simply go to this site and follow the steps to join the beta test. You can install the privacyIDEA Authenticator 2.0 on your Android device (minimum version “kitkat” – we do not recommend this! 😉).

Set up for your tests

In this blog post we want to give you an overview to get started. For a deeper understanding you can read more about the push token in the online documentation and at github.

Get components

Get privacyIDEA 3.0 and the privacyIDEA Authenticator 2.0.

Network connectivity

Ensure that your smartphone can reach your privacyIDEA server, e.g. by placing your smartphone in the same Wireless LAN as your privacyIDEA Server. The smartphone needs to connect to privacyIDEA during enrollment and during authentication.

Firebase project

In the Firebase console you need to create your own Firebase Cloud Messaging project.

From the console you can download the relevant project information.

The relevant information is the “Web API Key”, “App ID”, “Project ID” and the project number, which is the number part of the “Public-facing name”. Copy these values to create a new provider in privacyIDEA.

Download the file google-services.json and fetch the values “project_number”, “project_id”, “mobilesdk_app_id” and “api_key” from this file.

In addition you need to create a new service account for your Firebase project:

You can download the settings of this service account in a JSON file, which you need to copy to the privacyIDEA machine and later add in your privacyIDEA SMS Provider in the next step.

Firebase SMS Provider

In privacyIDEA you need to create an “SMS Gateway” of type “Firebase” with the Firebase project you created in the previous step. The privacyIDEA Server will connect to Firebase with this project.

Enter the data and the JSON file you downloaded from the Firebase console. The JSON config file needs to be copied to the privacyIDEA Server, and you specify its local path on the privacyIDEA Server.

Finally you also need to enter the registration URL. This is the URL of the privacyIDEA Server which the privacyIDEA Authenticator contacts during the enrollment process. So you need to be sure that this URL is in a format (FQDN, IP) which the smartphone can connect to. Unless you know otherwise, the path of the URL should be /ttype/push.

Policies

Now you need to configure your privacyIDEA system. You need to create two policies, one for the enrollment and the other one for the authentication.

The enrollment policy contains the name of the Firebase SMS Provider you created in the previous step.

The authentication policy can contain the text that should be displayed in the notification.

Testing

You can now test your setup by following these steps:

  1. Enroll a new Push token and assign it to a user. Give the Push token a PIN.
  2. In your browser you can simply issue an authentication request using the API https://your.privacyidea.server/validate/check?user=testuser&pass=yourpin
  3. You should receive a notification on your enrolled smartphone, which you can confirm.
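The browser request in step 2 only triggers the push; a real application must also find out whether the user confirmed on the phone. The following client is an added example, not code from the privacyIDEA project: it assumes the /validate/check response to the PIN carries the challenge's transaction_id under detail, and that sending user plus that transaction_id with an empty pass back to /validate/check reports result.value true once the signed challenge has arrived. The hostname, user and PIN are placeholders taken from the step above.

```python
"""Two-step push login against /validate/check.

Step 1: user + PIN -> the server pushes the challenge via Firebase and
        answers with a transaction_id (assumed location: detail.transaction_id).
Step 2: poll user + transaction_id (empty pass) until the phone has signed
        the challenge and result.value becomes true.
"""
import json
import time
import urllib.parse
import urllib.request

BASE_URL = "https://your.privacyidea.server"  # placeholder, as in the step above


def _validate_check(params):
    """POST form data to /validate/check and return the parsed JSON body."""
    data = urllib.parse.urlencode(params).encode()
    req = urllib.request.Request(BASE_URL + "/validate/check", data=data)
    with urllib.request.urlopen(req, timeout=10) as resp:  # relies on a trusted TLS cert
        return json.load(resp)


def transaction_id_from(body):
    """Step 1 response: a pending challenge carries detail.transaction_id (assumed)."""
    if not body.get("result", {}).get("status"):
        return None
    return body.get("detail", {}).get("transaction_id")


def is_confirmed(body):
    """Step 2 response: result.value is true only after the phone answered."""
    result = body.get("result", {})
    return bool(result.get("status")) and result.get("value") is True


def push_login(user, pin, fetch=_validate_check, tries=30, delay=2.0, sleep=time.sleep):
    """Run both steps; `fetch` and `sleep` are injectable so the flow runs offline."""
    tid = transaction_id_from(fetch({"user": user, "pass": pin}))
    if tid is None:
        return False  # wrong PIN or no push token enrolled: nothing was pushed
    for _ in range(tries):
        if is_confirmed(fetch({"user": user, "transaction_id": tid, "pass": ""})):
            return True
        sleep(delay)
    return False  # not confirmed within the window: treat as denied
```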

Your help and feedback

The missing link currently is the Application that is supposed to poll for the confirmed authentication.

We need your feedback to know on which application we should start working first. As an alternative we are also planning to add a delayed response.

Start the discussion at community.privacyidea.org