User Attributes #680
Hi to everyone!
My privacyIDEA server should perform the 2FA (TOTP/email) of users through the SSH plug-in.
What did you try to do?
Policy-1 ## this is for every PI Authentication from users within my_realm
Policy-2 ## this is for PI Authentication of admins listed admin_auth > User
Policy for WebUI
This works in my setup. The admins are able to log in with their credentials and are prompted with the "tokenwizard" to enroll their first token. After this, the user is forced to log out and log in again, but with the 2FA (default: email) token for challenge-response.
What outcome did you expect?
Can we possibly add a checkbox/enable-disable option for a user parameter like "auto_enroll" to enable or disable autoenroll? Since my privacyIDEA server always authenticates against itself (not the userstore), this option would make it easier for me to enable access for users who apply for 2FA in my_realm and to disable 2FA by default for users who do not have tokens and are not enabled for auto_enroll/token enrollment.
Hm, I am not sure if I understand your expected outcome.
You configured a webui policy that defines that a user should log in by authenticating against privacyIDEA.
If you want to authenticate users who have no token yet against the user store, you can configure a passthru policy.
Oh, I forgot: I've configured the "otppin" to use the userstore. Sorry for the confusion; I was thinking about my script after pam_python.so / privacyidea_pam.so. I was talking about the tokenwizard. Yes, it does this already. The user who has no token authenticates with his userstore password and is directed to the tokenwizard to enroll his first token. By default, the users can only enroll e-mail tokens, after which they are logged out. The user will have to log in again and will be required to input the e-mail OTP sent to the user's e-mail address.
To limit the users who are configured to get the tokenwizard after authenticating against the privacyIDEA server with their userstore password, I listed them (admin1, admin2, admin3, for example) in the User field of the admin_auth Policy-2, which has passthru:userstore (I forgot to paste this above in Policy-2). This setting will only affect the users in the User list.
--The expected outcome--
This would be an additional option for the user, who is not stored or managed in privacyIDEA.
So we would need an additional table like
Then we need policies or event handlers to interact with the values in this
Here is another thing:
The tokenwizard is displayed under certain conditions if the user logs in to the webui. So there is no difference between the webui and the tokenwizard.
Is it OK if, for simplicity, I speak of the webui?
So your requirement would be:
Only allow users access to the web UI, if they contacted you and you granted them access.
If you are using LDAP or Active Directory, this is already possible today:
Now to the privacyIDEA part:
This should(TM) have the expected effect: only if the user is a member of the group can he log in to the webui. Normal users cannot log in.
Thoughts about user attributes
User attributes should be attached to users. At the place where the user is managed - in the IdM. This would be the Active Directory or LDAP.
So I am a bit reluctant to add user attributes to privacyIDEA. I can understand your requirement, but I am not sure what the best solution is.
Another thought: maybe instead of adding attributes to the users, we could group the users manually (well, in fact this would be the attribute
So to take the next step, I need some more of your input!
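The login flow this thread converges on (the IdM group decides who exists in the realm at all; otppin=userstore checks the directory password; a user without a token is passed through to the tokenwizard; a user with a token gets a challenge) is modelled below as an added example. It is not privacyIDEA code and not the maintainer's configuration: the directory, the group name `pi-webui-users`, the users and passwords are constructed here, and the group membership check stands in for the LDAP search filter a real resolver would use. The point it makes visible is the ordering: the resolver filter is evaluated before any token lookup, so a user removed from the group is denied even if privacyIDEA still holds a token for him, and passthru can only ever reach group members.

```python
import hashlib
import hmac
import os

# Hypothetical IdM group that grants web UI access. In privacyIDEA this would
# be expressed as a memberOf filter in the LDAP/AD user resolver.
REQUIRED_GROUP = "pi-webui-users"


def _pbkdf2(password, salt):
    # Directory-side password hash (constructed stand-in for the IdM's own).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _make_user(password, groups):
    salt = os.urandom(16)
    return {"salt": salt, "hash": _pbkdf2(password, salt), "groups": set(groups)}


# Constructed sample directory standing in for LDAP/AD. User attributes live
# here, in the IdM, not in privacyIDEA.
DIRECTORY = {
    "admin1": _make_user("correct horse", {"pi-webui-users", "staff"}),
    "admin2": _make_user("battery staple", {"pi-webui-users"}),
    "bob": _make_user("hunter2", {"staff"}),  # never granted web UI access
}

# Tokens privacyIDEA holds per user; empty until someone enrolls.
TOKENS = {}


def resolve_realm_users(directory, required_group):
    """Mimic a resolver with a group filter: only group members exist in the realm."""
    return {name for name, entry in directory.items() if required_group in entry["groups"]}


def userstore_password_ok(directory, username, password):
    entry = directory[username]
    return hmac.compare_digest(entry["hash"], _pbkdf2(password, entry["salt"]))


def enroll_email_token(username, address, tokens=TOKENS):
    """What the tokenwizard does after the first passthru login."""
    tokens.setdefault(username, []).append("email:" + address)


def decide_webui_login(username, password, directory=DIRECTORY, tokens=TOKENS):
    """Return (decision, reason); decision is 'deny', 'passthru' or 'challenge'."""
    # 1. Resolver filter first: a user outside the group is unknown to privacyIDEA,
    #    so any token he may still hold is never consulted.
    if username not in resolve_realm_users(directory, REQUIRED_GROUP):
        return ("deny", "user not in realm: filtered out by resolver group")
    # 2. otppin=userstore: the static part of the credential is the IdM password.
    if not userstore_password_ok(directory, username, password):
        return ("deny", "userstore password rejected")
    # 3. No token yet: passthru accepts the password alone and the web UI
    #    shows the tokenwizard for the first enrollment.
    user_tokens = tokens.get(username, [])
    if not user_tokens:
        return ("passthru", "no token: password accepted, tokenwizard follows")
    # 4. Token present: the password only triggers the challenge; the OTP must follow.
    return ("challenge", "OTP challenge sent via " + user_tokens[0])


if __name__ == "__main__":
    print(decide_webui_login("admin1", "correct horse"))   # passthru, first login
    enroll_email_token("admin1", "admin1@example.com")
    print(decide_webui_login("admin1", "correct horse"))   # challenge, second login
    enroll_email_token("bob", "bob@example.com")
    print(decide_webui_login("bob", "hunter2"))            # deny: not in the group
```

Run as a script it walks through the two-login sequence described earlier in the thread for admin1 and then shows that bob, who is not in the group, is denied even after a token has been attached to his name.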
I commented on a topic related to this on the community site here:
However, if the relevance and importance is too vague, you can close this ticket. Thank you.