Enhanced services for privacyIDEA Enterprise Edition

The Open Source Multi Factor Authentication system privacyIDEA is used by many users. NetKnights provides consultancy and support in different kind of subscription levels. Customers now receive more services with the privacyIDEA Enterprise Edition. These will be available by end of June.

Additional, stable packages

With every release the privacyIDEA project releases installation packages for Ubuntu 14.04 LTS and 16.04 LTS on the Ubuntu Launchpad repository. NetKnights’ Support customers will get additional access to an enterprise repository. Those packages will be available a few weeks after the release of the project packages. The enterprise packages contain bug fixes of possible bugs that might have occurred after the official release. The enterprise repository allows customers to easily update to newer versions. Thus support customers have an easy possibility to automatically update to the latest stable version.

The enterprise packages will be available for Ubuntu 14.04 LTS, Ubuntu 16.04 LTS and CentOS 7.

Applicance functionalities

Within the enterprise repository customers will also find a tool, that provides several appliance functionalities. This way the administrator does not need to type in any commands to the command line interface and does not need edit any configuration files.

To allow for best robustness and avoid additional attack vectors, the appliance-tool goes without a web interface, a database and configuration file templates. This also allows still the experienced administrator to edit configuration files directly.

The appliance-tool helps the administrator with the usual configuration tasks…

The privacyIDEA appliance-tool covers the following topics:

  • Base configuration of the privacyIDEA service as used in the file pi.cfg,
  • manage administrative realms,
  • manage local token administrators,
  • configuring the RADIUS server and especially the RADIUS clients,
  • configuring the master master replication of the MySQL server,
  • automatic time based backups,
  • manual backups and restore,
  • automatic time based Audit log rotation.

…like configuring RADIUS clients

Using the privacyIDEA appliance-tool the administrator can quickly and reliably fullfil daily tasks.

…or define automatic time based backups.

What customers say

It’s not often that I find an open source package which is truly as well thought and polished as privacyIDEA.

John WhittenSenior Systems Administrator, Network Manager

Support from NetKnights is very good. I received actionable responses in reasonable turnaround times accompanied by code examples and patches when necessary.

Kurt BendlSenior System Analyst

Get in touch

You want to stay up to date? Subscribe to our newsletter!

You want to take a look at privacyIDEA? Register for a test instance!

You want to know more? Get in touch!

privacyIDEA 2.19 – Performance, U2F and secure Smartphone Apps

Today we released privacyIDEA 2.19. Packages are available in the Launchpad-Repos for Ubuntu 14.04LTS and 16.04LTS. You can also install privacyIDEA on any Linux distribution using the python package index.

New Features in privacyIDEA

Authentication performance

privacyIDEA 2.19 is up to 72% faster!

In tests in the lab privacyIDEA 2.19 shows improved performance. Authentication requests are up to 72% faster than in the previous version. This is also due to a new generic user cache. This user cache stores the link between login name and user object in the local SQL database. Thus time consuming requests to the originial user store like LDAP servers or Active Directory get obsolete.

Filter U2F devices for the users

Using policies the administrator can define which type of U2F device the user is allowed to register. In further policies the administrator can also define, which U2F types the users can use to authenticate at certain applications. This way the usage of certain U2F devices can be denied in your company or certain devices from specific vendors can be required for login to sensitive systems.

Secure smartphone apps with privacyIDEA

The classical smartphone app enrollment comes with several problems, which privacyIDEA 2.19 can solve.

In a previous blog post we already pointed out the limitations of the usual smartphone enrollment with the Google Authenticator.  As a company or large organization you want to keep control over the enrollment processes of your users. Thus in version 2.19 of privacyIDEA a better rollout possibility was added. The smartphone and the privacyIDEA server do a mutual key generation. Both create a component, the secret key is generated from both components. This avoids easy copying of the QR-Codes.

Read more details in the privacyIDEA Blog.

More functions

Version 2.19 comes with further detail improvements like using the IP address or the browser user agent in the event handler framework. The date and timeformat was consolidated. Now the complete ISO date with timezone is saved to the database. This heavily eases working across timezones in international setups.

You may want to take a look at the complete Changelog.

Enterprise Edition and Consultancy

NetKnights provides consulting and support with the privacyIDEA Enterprise Edition. Using Open Source you optimize your total cost of ownership this way, that there are no external limitations which dictate how long or short your may use the software. Getting the privacyIDEA Enterprise Edition including an SLA you get the warranty and thus operating safety.

 

You want to stay tuned? Please subscribe to our newsletter!

You want to test the system yourself? Register for a test instance!

You want to know more? Get in touch!

Multi Factor Authentication with privacyIDEA at ownCloud X Event

On May 23rd ownCloud introduces ownCloud X to their customers. ownCloud invites you to their   release event in Cologne. NetKnights will be there, too and preset how you can easily add two factor authentication with privacyIDEA via the new ownCloud Marketplace. This is a great way to protect your data with a centrally managed multi factor authentication system.

Cornelius Kölbel will give a talk to give some first impressions on the possibilities of such a central multi factor solution for your companies employees. In the meeting area we will have a demo point with such a two factor authentication at ownCloud X against privacyIDEA. You can come, ask and try it yourself. Several different devices like Yubikey, U2F, OTP-Token, Smartphones or Smartdisplayer-Cards can be used for authentication.

We are looking forward to your visit.

Register now!

 

privacyIDEA 2.18.1 on RHEL7 / CentOS7

As of today privacyIDEA 2.18.1 is available for RHEL7 and CentOS7 via our package repository. Packaging privacyIDEA for CentOS 7 is a special service for our Enterprise Customers, to ease updates and bug fixes.

Existing customers can easily update to version 2.18.1. We introduced the changelog or privacyIDEA 2.18.1 earlier.

Update to privacyIDEA 2.18.1

It might be that you need to clear or recreate the Yum Cache, if yum does not find the latest version:

yum makecache

Then you can run the update:

yum update

After the update please assure, that MySQL/MariaDB and httpd are restarted:

service mariadb restart
service httpd restart

privacyIDEA 2.18 – authentication and trust

Today privacyIDEA 2.18 was released. Packages are available in the launchpad respository for Ubuntu 14.04LTS and 16.04LTS. Using the Python package index privacyIDEA can be installed on any distribution.

privacyIDEA manages certificate authorities

The flexible Open Source multi-factor-authentication system privacyIDEA comes with new featues in regards to certificate authorities. In addition to OTP tokens, smartphones, email- and SMS-token, Yubikeys and Nitrokeys privacyIDEA has improved the managing capabilites of certificate tokens. The administrator can use a setup wizard to setup a local CA more easily. If a certificate token is revoked, the CRL will be created automatically. Using certificate templates it is easier for administrators and users to enroll the type of certificate which suites the best.

You can get more information from the privacyIDEA blog.

 

Further Enhancements

privacyIDEA 2.18 comes with a lot of further enhancements which will ease the work with your privacyIDEA installation. You should definitively take a look at the complete Changelog.

If your users are located in an LDAP directory you should check the settings of your LDAP resolver. The new version of privacyIDEA relies on a new version of the Python ldap3 module and the privacyIDEA can easily check the validity of the LDAP server certificate thus mitigating the risk of man-in-the-middle attacks.

Enterprise Edition

NetKnights provides consulting and support with the privacyIDEA Enterprise Edition. Using Open Source you optimize your total cost of ownership this way, that there are no external limitations which dictate how long or short your may use the software. Getting the privacyIDEA Enterprise Edition including an SLA you get the warranty and thus operating safety.

Two factor authentication everywhere with privacyIDEA LDAP-Proxy

In order to secure the login process with two factor authentication in an application there are different approaches.

Two-Factor-Authentication via standard protocols and plugins

With privacyIDEA we used standard protocols like RADIUS and SAML. If the application that you need to protect can facilitate RADIUS or SAML, the validate of the second factor can be performed by the privacyIDEA RADIUS Server or by privacyIDEA acting as a SAML Identity Provider. In this case you only need to change the configuration of the application, but you do not need to change the application.

Other applications provide an authentication framework, where the authentication can be extended using plugins. For such scenarios many different plugins are available to connect the application to the privacyIDEA Authentication Server. As of know a long list of plugins is already available for applications like TPYO3, ownCloud, NextCloud, WordPress, dokuwiki, django, OTRS, Apache, NGINX, PAM/OpenVPN and also for authenticating at the Windows Desktop.

But some applications do not support RADIUS or SAML and also do not provide an authentication framework to add 2FA via a plugin. Sometimes simply time is short, to develop a plugin in the corresponding programming language.

privacyIDEA LDAP-Proxy

To also provide strong authentication also for those applications and authenticate the users with two factors against privacyIDEA, we develop the privacyIDEA LDAP-Proxy.

The privacyIDEA LDAP-Proxy can be used, if the application authenticates the users against an LDAP server like OpenLDAP or Microsoft Active Directory. The privacyIDEA LDAP-Proxy is plugged between the application and the originial LDAP server. The application is reconfigured, to not use the LDAP server for authentication anymore, but to authenticate users against the LDAP-Proxy. Now, the privacyIDEA LDAP-Proxy can authenticate the users and verify the the authentication against the privacyIDEA Server and use the original LDAP server to only fetch user data.

The two factor authentication is totally transparent for the user and for the application.

The advantage of the IT department is obvious: The originial LDAP server is not touched or modified. The program code of the application is not modified or exteneded. The application is only reconfigured within the limits of the intended possibilities and supported scenarios. To the application the LDAP-Proxy looks like a normal LDAP server. Thus you will not loose any warranty and support by the vendor of the application.

In contrast to two factor solutions, which are solely based on OpenLDAP, the privacyIDEA LDAP-Proxy has one big advantage. It will work with any kind of originial LDAP server, be it OpenLDAP, Microsoft Active Directory or Samba.

Example Scenario

In our example scenario we look at the login at SuiteCRM. SuiteCRM is an Open Source Customer Relation Management solution. There are no two factor plugins for SuiteCRM. But SuiteCRM authenticates it’s users against LDAP. So we will configure SuiteCRM to authenticate the users against the privacyIDEA LDAP-Proxy to add transparent two factor authentication to SuiteCRM.

We could also look at any other application, which authenticates users against an LDAP server. But SuiteCRM suites us well. We install SuiteCRM on the Univention Corporate Server. The installation of the application works like a charm, SuiteCRM is nicely configured against the Univention Corporate Server Domain Controller – the original LDAP server. This is just to have the test scenario up and runing in a few minutes.

We can install the privacyIDEA Authentication Server on any Linux distribution or we can also install the privacyIDEA Server on the Univention Corporate Server. privacyIDEA is also contained in the Univention App Center and can be installed on the UCS within a few minutes. Then privacyIDEA is setup against the users in the Univention LDAP server automatically and the administrator only needs to enroll or assign tokens like Yubikeys, OTP tokens or smartphone apps to the users.

SuiteCRM will be configured this way, that it does not connect to the UCS LDAP server but to the privacyIDEA LDAP-Proxy.

If needed several of the components can be installed on one single system.

Integration

LDAP-Proxy installieren und konfigurieren

The privacyIDEA LDAP-Proxy is currently available via Github in a beta version. It is developed based on Python and Twisted. Thus there are many different ways for the deployment. All necessary configurations are done in configuration file once.

The administrator needs to tell, were the original (UCS) LDAP server and the privacyIDEA instance are located. In the SuiteCRM setup an additional LDAP service account is needed, which the administrator also adds to the configuration file.

For more detailed information see the file README.md.

To start the LDAP proxy run

twistd -n ldap-proxy -c config.ini

In a productive environment you would start the LDAP proxy automatically as a service via systemd. The configuration file config.ini can be stored at the location of your choice. The file example-proxy.ini contains a lot of comments, which explain all possible configuration settings.

The configuration file

The administrator needs to adapt the following configuration settings:

The parameter instance in the section privacyidea determines, where the LDAP proxy can contact the privacyIDEA Authentication Server.

The administrator needs to define the connection to the original LDAP server in the section ldap-backend including IP address or FQDN and the protocal being LDAP, LDAPS or LDAP+STARTTLS

The parameter endpoint in the ldap-proxy section also contains the information on which port the original LDAP server is listening.

Finally the administrator needs to configure the LDAP attribute which contains the loginname. This can be done using the paramter attribute in the sections user-mapping.

The service account allows common LDAP searches

Simple applications, which only verify the user with a user bind do not need any additional settings. However, SuiteCRM uses an additional service account for common LDAP searches. The administrator needs to add this service account in the section ldap-proxy with the parameter passthrough-binds and in the section service-account.

Configure SuiteCRM

In SuiteCRM the administrator only needs to reconfigure the LDAP server. Go to the Admin-Menu which can be reached in the upper right corner.

Choose Password Managemant.

Here you can configure the LDAP server. Enter the FQDN or IP address of the new LDAP proxy.

Done.

Conclusion

The SuiteCRM user is now authenticated via the LDAP proxy against privacyIDEA. The complete password entry is sent to privacyIDEA for validation. The user has to enter his static (probably LDAP password) and the OTP value. Thus you can also do smooth migrations since this looks the same to the user.

Which device (2nd factor) the user has to use for authentication is completely centrally defined by privacyIDEA. The administrator can also assign different device types to the users. Some users can authenticate with Yubikeys, others with OTP tokens or OTP cards, some with a smartphone app like the Google Authenticator and some users may get their login code via SMS or Email.

We will continue developing the LDAP-Proxy and we are looking forward to any feedback. If you want to stay updated watch the Github repository or subscribe to our newsletter.

 

privacyIDEA 2.17 on Univention Coporate Server

As of now privacyIDEA 2.17 is available on the Univention Coporate Server. We already wrote about the new features in privacyIDEA 2.17. Customers who rely on the Univention Corporate Server can now update to version 2.17 easily out of the Univention App Center.

privacyIDEA Enterprise Edition Subscription

privcayIDEA 4 UCS has the same feature set as the native privacyIDEA. NetKnights provides the usual Enterprise Subscription Levels but also simple Update-Subscriptions.

privacyIDEA 2.17 – Improve Event Handling. Flexible triggering of SMS

privacyIDEA was released in version 2.17.

As always NetKnights provides consultancy and service level agreements for the privacyIDEA Enterprise Edition.

For more details on version 2.17 see the privacyIDEA blog.

NetKnights is sponsor at Chemnitzer Linux days 2017

Chemnitzer Linux-Tage Logo

In 2017 NetKnights again will be sponsor of the Chemnitzer Linuxtage.  We are happy and grateful that so many people organize very interesting open source events on a voluntary basis!

The Chemnitzer Linuxtage take place on March 11th and 12th, 2017 in Chemnitz.

We will present news about privacyIDEA. We applied with two talks about “two factor authentication with ownCloud” and “Experiences, tips and tricks with a rollout of 35,000 users”. In the past Cornelius Kölbel already held several talks at the Chemnitzer Linuxtage.

We are looking forward to your visit in Chemnitz.

privacyIDEA 2.16 available on the Univention Corporate Server

privacyIDEA 2.16.1 is available on the Univention Corporate Server. Now customers with a UCS subscription can also update to version 2.16 and use the improve Event Handler and Web UI. In privacyIDEA4UCS we released a patch level 2.16.1, which – in comparison to 2.16 – also comes with a few LDAP improvements concerning redundancy and timeouts.

Different versions of subscription

There are two versions of subscription. The privacyIDEA Enterprise Edition also allows to run privacyIDEA on the Univention Corporate Server with an unlimited number of users. The second version is the privacyIDEA4UCS Update Subscription, which allows the user to receive updates of privacyIDEA on the UCS. The privacyIDEA4UCS Update Subscription is only recommended for up to 50 users.