
privacyIDEA 2.19.1 on Univention Corporate Server

The Enterprise Version 2.19.1 of privacyIDEA is now available on the Univention Corporate Server. With version 2.19.1 privacyIDEA is now available on the Univention Corporate Server 4.2. Customers can easily upgrade from UCS 4.1 with privacyIDEA 2.18.1 to UCS 4.2 with privacyIDEA 2.19.1.

Besides the improvements in Univention Corporate Server 4.2, privacyIDEA 2.19.1 also comes with interesting improvements of its own. These are the generic user cache, which can reduce the authentication time dramatically. Using policies the administrator can define which U2F devices may be registered and used by the users. A Token Janitor allows the administrator to find orphaned tokens and either disable or delete them. We already blogged about the complete set of new features in privacyIDEA 2.19.

Service Level Agreement and Subscription

privacyIDEA4UCS can be installed on the Univention Corporate Server quickly and easily via the Univention App Center. You can find further details on privacyIDEA4UCS on the product page and also get a test subscription. The normal service level agreement for privacyIDEA also entitles the customer to use privacyIDEA on the Univention Corporate Server.


Two factor authentication everywhere with privacyIDEA LDAP-Proxy

There are different approaches to securing the login process of an application with two factor authentication.

Two-Factor-Authentication via standard protocols and plugins

With privacyIDEA we use standard protocols like RADIUS and SAML. If the application that you need to protect supports RADIUS or SAML, the validation of the second factor can be performed by the privacyIDEA RADIUS Server or by privacyIDEA acting as a SAML Identity Provider. In this case you only need to change the configuration of the application, but you do not need to change the application itself.

Other applications provide an authentication framework, where the authentication can be extended using plugins. For such scenarios many different plugins are available to connect the application to the privacyIDEA Authentication Server. As of now a long list of plugins is already available for applications like TYPO3, ownCloud, NextCloud, WordPress, DokuWiki, Django, OTRS, Apache, NGINX, PAM/OpenVPN and also for authenticating at the Windows Desktop.

But some applications support neither RADIUS nor SAML and also do not provide an authentication framework to add 2FA via a plugin. Sometimes there is simply not enough time to develop a plugin in the corresponding programming language.

privacyIDEA LDAP-Proxy

To provide strong authentication for those applications as well and authenticate their users with two factors against privacyIDEA, we developed the privacyIDEA LDAP-Proxy.

The privacyIDEA LDAP-Proxy can be used if the application authenticates its users against an LDAP server like OpenLDAP or Microsoft Active Directory. The privacyIDEA LDAP-Proxy is plugged in between the application and the original LDAP server. The application is reconfigured so that it no longer uses the LDAP server for authentication, but authenticates users against the LDAP-Proxy instead. Now the privacyIDEA LDAP-Proxy can authenticate the users, verify the authentication against the privacyIDEA Server and use the original LDAP server only to fetch user data.

The two factor authentication is totally transparent for the user and for the application.

The advantage for the IT department is obvious: The original LDAP server is not touched or modified. The program code of the application is not modified or extended. The application is only reconfigured within the limits of the intended possibilities and supported scenarios. To the application the LDAP-Proxy looks like a normal LDAP server. Thus you will not lose any warranty or support from the vendor of the application.

In contrast to two factor solutions which are solely based on OpenLDAP, the privacyIDEA LDAP-Proxy has one big advantage: it will work with any kind of original LDAP server, be it OpenLDAP, Microsoft Active Directory or Samba.

Example Scenario

In our example scenario we look at the login to SuiteCRM. SuiteCRM is an Open Source Customer Relationship Management solution. There are no two factor plugins for SuiteCRM, but SuiteCRM authenticates its users against LDAP. So we will configure SuiteCRM to authenticate the users against the privacyIDEA LDAP-Proxy to add transparent two factor authentication to SuiteCRM.

We could also look at any other application which authenticates users against an LDAP server, but SuiteCRM suits us well. We install SuiteCRM on the Univention Corporate Server. The installation of the application works like a charm, and SuiteCRM is nicely configured against the Univention Corporate Server Domain Controller – the original LDAP server. This is just to have the test scenario up and running in a few minutes.

We can install the privacyIDEA Authentication Server on any Linux distribution, or we can also install the privacyIDEA Server on the Univention Corporate Server. privacyIDEA is also contained in the Univention App Center and can be installed on the UCS within a few minutes. privacyIDEA is then set up against the users in the Univention LDAP server automatically, and the administrator only needs to enroll or assign tokens like Yubikeys, OTP tokens or smartphone apps to the users.

SuiteCRM will be configured so that it no longer connects to the UCS LDAP server but to the privacyIDEA LDAP-Proxy.

If needed, several of the components can be installed on one single system.

Integration

Install and configure the LDAP-Proxy

The privacyIDEA LDAP-Proxy is currently available via GitHub in a beta version. It is developed in Python, based on Twisted, so there are many different ways to deploy it. All necessary configuration is done once in a single configuration file.

The administrator needs to specify where the original (UCS) LDAP server and the privacyIDEA instance are located. In the SuiteCRM setup an additional LDAP service account is needed, which the administrator also adds to the configuration file.

For more detailed information see the file README.md.

To start the LDAP proxy run

twistd -n ldap-proxy -c config.ini

In a production environment you would start the LDAP proxy automatically as a service via systemd. The configuration file config.ini can be stored at the location of your choice. The file example-proxy.ini contains a lot of comments, which explain all possible configuration settings.

The configuration file

The administrator needs to adapt the following configuration settings:

The parameter instance in the section privacyidea determines where the LDAP proxy can contact the privacyIDEA Authentication Server.

The administrator needs to define the connection to the original LDAP server in the section ldap-backend, including the IP address or FQDN and the protocol, which can be LDAP, LDAPS or LDAP+STARTTLS.

The parameter endpoint in the ldap-proxy section also contains the information on which port the original LDAP server is listening.

Finally the administrator needs to configure the LDAP attribute which contains the login name. This is done using the parameter attribute in the section user-mapping.

The service account allows common LDAP searches

Simple applications, which only verify the user with a user bind, do not need any additional settings. However, SuiteCRM uses an additional service account for common LDAP searches. The administrator needs to add this service account in the section ldap-proxy with the parameter passthrough-binds and in the section service-account.

Configure SuiteCRM

In SuiteCRM the administrator only needs to reconfigure the LDAP server. Go to the Admin menu, which can be reached in the upper right corner.

Choose Password Management.

Here you can configure the LDAP server. Enter the FQDN or IP address of the new LDAP proxy.

Done.

Conclusion

The SuiteCRM user is now authenticated via the LDAP proxy against privacyIDEA. The complete password entry is sent to privacyIDEA for validation. The user has to enter his static password (probably the LDAP password) and the OTP value. Thus you can also do smooth migrations, since this looks the same to the user.

Which device (2nd factor) the user has to use for authentication is completely centrally defined by privacyIDEA. The administrator can also assign different device types to the users. Some users can authenticate with Yubikeys, others with OTP tokens or OTP cards, some with a smartphone app like the Google Authenticator and some users may get their login code via SMS or Email.

We will continue developing the LDAP-Proxy and we are looking forward to any feedback. If you want to stay updated, watch the GitHub repository or subscribe to our newsletter.


privacyIDEA 2.17 on Univention Corporate Server

As of now privacyIDEA 2.17 is available on the Univention Corporate Server. We already wrote about the new features in privacyIDEA 2.17. Customers who rely on the Univention Corporate Server can now update to version 2.17 easily from the Univention App Center.

privacyIDEA Enterprise Edition Subscription

privacyIDEA4UCS has the same feature set as the native privacyIDEA. NetKnights provides the usual Enterprise Subscription Levels but also simple Update-Subscriptions.


Two-Factor-Authentication privacyIDEA 2.14 on Univention Corporate Server

privacyIDEA on Univention Corporate Server

privacyIDEA 2.14 is available on the Univention Corporate Server via the AppCenter. With 2.14 the Event-Handler-Framework was improved. Administrators can now import encrypted seed files – protecting the secret seeds even better. Performance for slow LDAP and Active Directory connections was improved.

Subscription and Test License

You can get a subscription for privacyIDEA4UCS or request your test license.


privacyIDEA and Univention Corporate Server, Online Shop

Dear reader,
privacyIDEA 2.11 is available on the Univention Corporate Server. A new online shop eases the ordering process. Give us your feedback regarding new features for privacyIDEA 2.12!
Your NetKnights

Survey for new features in privacyIDEA 2.12

There are ideas for new functions in privacyIDEA 2.12. We are curious about your opinion. We plan to add time to the user policies, allowing for new functionalities. Please join the survey.
Moreover there is the brand new idea of user notifications on events regarding the tokens of the user. You are welcome to give any feedback.

privacyIDEA 2.11 on the Univention Corporate Server

privacyIDEA 2.11 is now available on the Univention Corporate Server. The Univention Corporate Server is a Linux based system that can provide a complete Active Directory or simply run as the robust basis for further applications like privacyIDEA. It integrates well with the SAML components of privacyIDEA.

New online shop

Especially for non-German companies it is sometimes difficult to order, pay for and receive NetKnights' services. This is why we decided to provide an online shop to ease the ordering and payment process for both sides. The payment methods will be improved soon.
But still we are happy to talk to you, discuss your needs and provide you with your personalized quote!


privacyIDEA 2.11 with RADIUS Migration on Univention Corporate Server

privacyIDEA on Univention Corporate Server

privacyIDEA 2.11 is now available on the Univention Corporate Server. Using authentication policies, privacyIDEA can conditionally forward authentication requests to external RADIUS servers. This way you can set up easy migration scenarios away from old, EOL OTP systems.

You can find more on the RADIUS forwarding in the release notes.

SLA and Subscription

privacyIDEA has been available in the App Center of the Univention Corporate Server for a while already. This platform provides easy installation, maintenance and updates. For running privacyIDEA on the Univention Corporate Server you need a valid service level agreement. You may get your personal test subscription here.

privacyIDEA SAML with U2F on Univention Corporate Server

The privacyIDEA SAML Component for Univention Corporate Server is now available in a new version.

Two-Factor Authentication with U2F

Using privacyIDEA SAML you can do Single Sign On at the Univention Corporate Server with two factors. In addition you can use U2F tokens to authenticate against the SAML IdP.

privacyIDEA 2.7 with U2F available for Univention Corporate Server

privacyIDEA version 2.7 is now available for Univention Corporate Server.

The two big new enhancements are support for U2F tokens like the Daplug or the Yubikey and the signing of the JSON API.

You can register a U2F token for any user. Then the user or the administrator is able to authenticate with the U2F token easily and securely at the Web UI of privacyIDEA.

Some of the many new enhancements are:

When importing tokens you can choose a realm. This way all imported tokens get assigned to this realm immediately.

The audit log now records whether an OTP value was used again. This helps support staff identify problems with the login process of users and solve these problems quickly and reliably.

You can easily install privacyIDEA from the Univention App Center.


Two Factor Authentication and SSO with privacyIDEA and SAML

privacyIDEA works well with the Univention Corporate Server. In a guest article on the Univention Blog, Cornelius Kölbel describes how privacyIDEA increases Single Sign On security with two factor authentication.