🔐 multi factor authentication system (2FA, MFA, OTP Server)
Switch branches/tags
360_event_handler 512/UI_Menus 541/limit_audit_log 542/resolver_in_audit 543/deny-policy 543/deny_policy 594/registration 627/smartphone-API 638/ldap-machine-resolver 644/datepicker 648/U2F 654/multiple-challenge-response 655/configurable-schema-calls 670/user-cache 683/user-cache-cleanup 691/tokeninfo-api 692/token-janitor-filters 694/improve_get_token 696/pi-manage-crashes 703/validate-radiuscheck 711/federation 715/refresh-button 715/reload-with-broadcast 729/auth_cache 738/ldap-umlaute 753/non-ascii-otp-pin 754/unicode-issues-3 754/unicode-issues 771/multipleCR 787/hsm_reinit 797/2step 802/configurable-serverpool 817/nonexistent-resources 820/supply-keysize 827/optimize-policies 840/offline-otp-2 840/offline-otp 850/title-ng-idle 874/log-activated-policies 874/triggered_policy_in_audit_log 878/smpp_provider 914/migration 919/smtpserver-timeout 940/db-reencryption 992/tasks-docs 1037/shorten-audit-log 1066/token_import 1069/hsm-reinit 1072/audit_file 1093/pi-bootstrap 1096/challenge-text 1140/idea_1_sharing_engine_between_threads 1224/optimize_for_one_token 1239/audit-rotate 1253/cache_token_types 1268/retry-on-deadlock 1271/hide-ldap-password 1290/queue-poc 1322/token-janitor-chunksize SAML UCS4.2 auth_failure_ui autofix/wrapped2_to3_fix-0 autofix/wrapped2_to3_fix-1 autofix/wrapped2_to3_fix branch-1.2 branch-1.4 branch-1.5 branch-2.0 branch-2.2 branch-2.3 branch-2.5 branch-2.6 branch-2.8 branch-2.10 branch-2.11 branch-2.12 branch-2.13 branch-2.16 branch-2.18 branch-2.20 branch-2.21 branch-2.22 branch-2.23 cko_offline debian-packaging example-kerberos-resolver fixing_circleci freeradius-docs master migration_run multiple-versions objectGUID performance python3_compat python3_migrate_base python3_migrate_unicode python3_test_db_1 redis-cache test-build-issue-postgres travis u2f_182 umlaut_filename version2
Nothing to show
Clone or download
Latest commit c71da1d Dec 12, 2018
Type Name Latest commit message Commit time
Failed to load latest commit information.
.circleci Update to CircleCI 2.0 from 1.0 Sep 4, 2018
.github/ISSUE_TEMPLATE fix a typo in the issue template Nov 15, 2018
adminclient @ d1de483 set version of adminclient Mar 29, 2016
authmodules remove console.log Jan 24, 2018
contrib Allow to build python-croniter for trusty and xenial Jul 31, 2018
deploy Set development version 3.0dev1 Nov 21, 2018
doc Merge pull request #1334 from privacyidea/1325/base58 Dec 10, 2018
migrations Add policy truncation Oct 31, 2018
po Base58 für die Erzeugung von losttoken verwenden Dec 9, 2018
privacyidea Remove TODO comment Dec 12, 2018
tests Augment get_module_class test Dec 12, 2018
tools Fix invocation of ``execute_task`` Dec 10, 2018
.gitignore temporarily remove submodules May 12, 2017
.gitmodules remove owncloud submodule Jul 7, 2016
.travis.yml Fixed creation of search dictionary Nov 21, 2018
AUTHORS.md Added Rene to Authors file Aug 27, 2018
CONTRIBUTING.rst Add information about security vulnerability and disclosure. Aug 20, 2018
Changelog Fix typo Oct 26, 2018
Gruntfile.js Code Cleanup and translation Oct 1, 2015
LICENSE init: code cleanup Jun 3, 2014
MANIFEST.in rename README.md to README.rst Mar 15, 2016
Makefile Set development version 3.0dev1 Nov 21, 2018
Procfile Add HerokuConfig May 29, 2015
README.rst Add information about security vulnerability and disclosure. Aug 20, 2018
READ_BEFORE_UPDATE.md Fix typo in update notes Aug 27, 2018
coveragerc The flask based privacyidea 2.0 branch Jan 13, 2015
pi-manage Audit rotation: Allow deletion in chunks to avoid deadlocks Oct 15, 2018
requirements.txt Remove audit based stats Nov 21, 2018
setup.py Set development version 3.0dev1 Nov 21, 2018



Build Status CircleCI https://codecov.io/github/privacyidea/privacyidea/coverage.svg?branch=master Latest Version License Documentation Codacy Badge

privacyIDEA on twitter

privacyIDEA is an open solution for strong two-factor authentication like OTP tokens, SMS, smartphones or SSH keys. Using privacyIDEA you can enhance your existing applications like local login (PAM, Windows Credential Provider), VPN, remote access, SSH connections, access to web sites or web portals with a second factor during authentication. Thus boosting the security of your existing applications.


privacyIDEA runs as an additional service in your network and you can connect different applications to privacyIDEA.

privacyIDEA Integration

privacyIDEA does not bind you to any decision of the authentication protocol or it does not dictate you where your user information should be stored. This is achieved by its totally modular architecture. privacyIDEA is not only open as far as its modular architecture is concerned. But privacyIDEA is completely licensed under the AGPLv3.

It supports a wide variety of authentication devices like OTP tokens (HMAC, HOTP, TOTP, OCRA, mOTP), Yubikey (HOTP, TOTP, AES), FIDO U2F devices like Yubikey and Plug-Up, smartphone Apps like Google Authenticator, FreeOTP, Token2 or TiQR, SMS, Email, SSH keys, x509 certificates and Registration Codes for easy deployment.

privacyIDEA is based on Flask and SQLAlchemy as the python backend. The web UI is based on angularJS and bootstrap. A MachineToken design lets you assign tokens to machines. Thus you can use your Yubikey to unlock LUKS, assign SSH keys to SSH servers or use Offline OTP with PAM.

You may join the discourse discussion forum to give feedback, help other users, discuss questions and ideas: https://community.privacyidea.org


For setting up the system to run it, please read install instructions at http://privacyidea.readthedocs.io.

If you want to setup a development environment start like this:

git clone https://github.com/privacyidea/privacyidea.git
cd privacyidea
virtualenv venv
source venv/bin/activate
pip install -r requirements.txt

You may also want to read the blog post about development and debugging at https://www.privacyidea.org/privacyidea-development-howto/

Getting and updating submodules

Some authentication modules and the admin client are located in git submodules. To fetch the latest release of these run:

git submodule init
git submodule update

Later you can update the submodules like this:

git pull --recurse-submodules

Running it

Create the database and encryption key:

./pi-manage createdb
./pi-manage create_enckey

Create the key for the audit log:

./pi-manage create_audit_keys

Create the first administrator:

./pi-manage admin add <username>

Run it:

./pi-manage runserver

Now you can connect to http://localhost:5000 with your browser and login as administrator.

Run tests

nosetests -v --with-coverage --cover-package=privacyidea --cover-html


There are a lot of different way to contribute to privacyIDEA, even if you are not a developer.

If you found a security vulnerability please report it to security@privacyidea.org.

You can find detailed information about contributing here: https://github.com/privacyidea/privacyidea/blob/master/CONTRIBUTING.rst

Code structure

The database models are defined in models.py and tested in tests/test_db_model.py.

Based on the database models there are the libraries lib/config.py which is responsible for basic configuration in the database table config. And the library lib/resolver.py which provides functions for the database table resolver. This is tested in tests/test_lib_resolver.py.

Based on the resolver there is the library lib/realm.py which provides functions for the database table realm. Several resolvers are combined into a realm.

Based on the realm there is the library lib/user.py which provides functions for users. There is no database table user, since users are dynamically read from the user sources like SQL, LDAP, SCIM or flat files.


privacyIDEA adheres to Semantic Versioning.