https://github.com/privacyidea/shibboleth-plugin
Plugin for shibboleth MFA with privacyidea
- Host: GitHub
- URL: https://github.com/privacyidea/shibboleth-plugin
- Owner: privacyidea
- License: agpl-3.0
- Created: 2023-08-03T05:22:11.000Z (over 2 years ago)
- Default Branch: main
- Last Pushed: 2024-02-26T14:26:34.000Z (about 2 years ago)
- Last Synced: 2024-04-24T06:22:56.252Z (about 2 years ago)
- Topics: 2fa, 2factor, authentication, java, mfa, shibboleth, shibboleth-authentication, shibboleth-identity-provider, shibboleth-idp
- Language: Java
- Homepage: https://privacyidea.org
- Size: 18.2 MB
- Stars: 8
- Watchers: 10
- Forks: 0
- Open Issues: 2
Metadata Files:
- Readme: README.md
- Changelog: changelog.md
- License: LICENSE
README
# shibboleth-plugin
### Shibboleth Version
The main branch is compatible with IdP version 5.0.0 and later.
A separate release for IdP version 4.x.x is always provided on the releases page.
### Installation:
1. **Copy the package to the server:**
   - Choose the archive type for your system from the release page (.zip, .tar.gz, .tar.bz2).
   - Copy it together with the corresponding detached signature file (.asc); `plugin.sh` verifies the archive against it.
   - Place both files in the same directory somewhere on your Shibboleth server.
2. **Open a terminal and run `sudo -i` to get a root shell.**
3. **Enable the MFA module: `$idp_install_path/bin/module.sh -t idp.authn.MFA || $idp_install_path/bin/module.sh -e idp.authn.MFA`** (`-t` tests whether the module is already enabled, so `-e` only runs when it is not).
4. **Check that the MFA module is enabled: `$idp_install_path/bin/module.sh -l`.**
5. **Install the privacyIDEA plugin: `$idp_install_path/bin/plugin.sh -i path/to/zip/from/step/1 --noCheck`**
   Note: The installer automatically installs and enables the privacyIDEA module. You can check its state by repeating step 4.
6. **If the privacyIDEA module is not enabled, enable it: `$idp_install_path/bin/module.sh -e idp.authn.privacyIDEA`.**
7. **Check that the privacyIDEA plugin is installed correctly: `$idp_install_path/bin/plugin.sh -l`**
   Note: If *org.privacyidea.privacyIDEA* is on the list, the plugin was installed successfully.
   Otherwise, re-run the command from step 5 with `--verbose`.
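The seven steps above as one script, added here as an example; it is not part of the privacyidea/shibboleth-plugin project. It assumes `IDP_HOME` (defaulting to `/opt/shibboleth-idp`, a path this README never states) in place of `$idp_install_path`, that it runs as root, and that `plugin.sh -l` prints the plugin id verbatim somewhere in its listing. The `check_release_files`, `ensure_module` and `plugin_listed` helpers are mine, not options of the Shibboleth CLI.

```shell
#!/bin/sh
# Added example for the privacyidea/shibboleth-plugin README; not project code.
# Runs installation steps 1-7 with a check after each one. Assumed, not from the
# README: IDP_HOME stands in for $idp_install_path (default /opt/shibboleth-idp)
# and 'plugin.sh -l' prints the plugin id verbatim somewhere in its listing.

IDP_HOME="${IDP_HOME:-/opt/shibboleth-idp}"
PLUGIN_ID="org.privacyidea.privacyIDEA"

# Step 1: the archive and its detached signature (<archive>.asc) must be in the
# same directory, because plugin.sh verifies the package against that .asc.
# Returns 0 when both files exist and the archive is one of the release types.
check_release_files() {
    archive="$1"
    [ -f "$archive" ] || { echo "archive not found: $archive" >&2; return 1; }
    [ -f "$archive.asc" ] || { echo "signature not found: $archive.asc" >&2; return 1; }
    case "$archive" in
        *.zip|*.tar.gz|*.tar.bz2) return 0 ;;
        *) echo "unexpected archive type: $archive" >&2; return 1 ;;
    esac
}

# Steps 3 and 6: 'module.sh -t' exits non-zero when the module is disabled, so
# the enable command only runs when it is actually needed.
ensure_module() {
    "$IDP_HOME/bin/module.sh" -t "$1" >/dev/null 2>&1 \
        || "$IDP_HOME/bin/module.sh" -e "$1"
}

# Step 7 helper: reads a 'plugin.sh -l' listing on stdin; 0 if $1 appears in it.
plugin_listed() {
    grep -qF -- "$1"
}

# Steps 5-7: install, make sure the privacyIDEA module is enabled, then verify.
# On the first install plugin.sh asks whether to trust the signing key: compare
# the fingerprint it prints with the one privacyIDEA publishes before accepting.
install_plugin() {
    "$IDP_HOME/bin/plugin.sh" -i "$1" --noCheck
    ensure_module idp.authn.privacyIDEA
    if "$IDP_HOME/bin/plugin.sh" -l | plugin_listed "$PLUGIN_ID"; then
        echo "$PLUGIN_ID is installed"
    else
        echo "$PLUGIN_ID not listed; re-run 'plugin.sh -i $1 --verbose'" >&2
        return 1
    fi
}

main() {
    [ "$(id -u)" -eq 0 ] || { echo "run this as root (sudo -i)" >&2; return 1; }
    check_release_files "$1" || return 1
    ensure_module idp.authn.MFA
    "$IDP_HOME/bin/module.sh" -l      # step 4: show the module state
    install_plugin "$1"
}

# Act only when given an archive path and the IdP home exists; otherwise the
# file just defines the functions above (so it can be sourced or tested).
if [ $# -ge 1 ] && [ -d "$IDP_HOME/bin" ]; then
    main "$1"
fi
```

Usage: `sudo -i`, then `sh install-privacyidea-plugin.sh /root/shibboleth-plugin-x.y.z.tar.gz`. The script stops before touching the IdP if the `.asc` is missing, which is the mistake that otherwise surfaces only as a signature error from `plugin.sh`.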
### Configuration:
1. **Update the *privacyidea.properties* file (`$idp_install_path/conf/authn/privacyidea.properties`) with your own configuration data.**
   Updating the following parameters is required for even the most basic functionality:
   - `privacyidea.server_url`
   - `privacyidea.verify_ssl`
   - `privacyidea.authentication_flow`
   Note: Depending on the chosen flow, this file also holds `privacyidea.service_pass` or `privacyidea.static_pass` in clear text, so restrict read access to the account the IdP runs as.
2. **Add the privacyIDEA subflow to the MFA flow.**
   - Path to the MFA flow configuration file: `$idp_install_path/conf/authn/mfa-authn-config.xml`.
   - An example of the *util:map* is located in the *privacyidea.properties* file (`$idp_install_path/conf/authn/privacyidea.properties`).
   - Remember to activate the MFA flow (step 3).
3. **Activate the MFA flow by updating the following file: `$idp_install_path/conf/authn/authn.properties`.**
   Note: An example of the configuration can be found in *privacyidea.properties* (`$idp_install_path/conf/authn/privacyidea.properties`).
The different configuration parameters are explained in the following table:
| Configuration | Explanation |
|---|---|
| `privacyidea.server_url` | The URL of your privacyIDEA server. It must be reachable from the Shibboleth IdP server. |
| `privacyidea.realm` | This realm is appended to all requests to privacyIDEA.<br>Note: Leave it out to use the default realm. |
| `privacyidea.verify_ssl` | Choose whether Shibboleth should verify the SSL certificate of the privacyIDEA server.<br>Note: Always verify the certificate in a production environment! With verification off, anyone on the network path can impersonate the privacyIDEA server, and the IdP would trust its answer about whether the second factor was valid. |
| `privacyidea.default_message` | Use this parameter to change the default user message. |
| `privacyidea.otp_field_hint` | Use this parameter to change the default placeholder text of the OTP input field. |
| `privacyidea.authentication_flow` | Choose one of three options:<br>`default` - standard authentication flow,<br>`triggerChallenge` - triggers all of the user's challenges beforehand using the provided service account. Required additional parameters: *privacyidea.service_name*, *privacyidea.service_pass* (see below),<br>`sendStaticPass` - performs the privacyIDEA server request automatically beforehand using the provided static password. Required additional parameter: *privacyidea.static_pass* (see below). |
| `privacyidea.service_name` | The username of the service account required by the `triggerChallenge` option.<br>Note: Make sure the service account has exactly the rights it needs: a privacyIDEA policy that allows it to trigger challenges for the users' realm, and nothing beyond that. |
| `privacyidea.service_pass` | The password of the service account required by the `triggerChallenge` option.<br>Note: It is stored in clear text in this file, so restrict read access to the account the IdP runs as. |
| `privacyidea.service_realm` | Specify a separate realm for the service account if needed.<br>Note: If the service account is in the same realm as the users, setting `privacyidea.realm` is sufficient. |
| `privacyidea.static_pass` | The password used in the `sendStaticPass` authentication flow.<br>Note: It may be left empty to perform the privacyIDEA server request with an empty pass (useful in some scenarios). |
| `privacyidea.forward_headers` | The HTTP request headers that should be forwarded to privacyIDEA.<br>Note: A header that does not exist or has no value is ignored.<br>Note: Separate header names with a comma (","). |
| `privacyidea.otp_length` | To auto-submit the form after a fixed number of characters has been typed into the OTP input field, set the expected OTP length here.<br>Note: Only digits are allowed as the value. |
| `privacyidea.polling_interval` | The number of seconds after which the form reloads to check whether the push token was confirmed. Default is 2. |
| `privacyidea.polling_in_browser` | Enable this to poll for accepted push requests from the user's browser. When enabled, the login page does not reload to confirm the push authentication. The browser then calls privacyIDEA directly, so the CORS settings of privacyIDEA must allow the IdP's origin; on the privacyIDEA server they can be adjusted in `/etc/apache2/sites-available/privacyidea.conf`. |
| `privacyidea.polling_in_browser_url` | If polling in the browser should use a different URL than `privacyidea.server_url`, set it here. Otherwise, the general URL is used. |
| `privacyidea.debug` | Set this parameter to true to see debug messages in `idp-process.log`. |
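A complete configuration pass for steps 1 to 3, added here as an example; it is my script, not the project's, and every value it writes is a placeholder. It assumes `IDP_HOME` in place of `$idp_install_path`, `IDP_USER` as the account the IdP runs as, that the subflow id is `authn/privacyIDEA` (inferred from the module id `idp.authn.privacyIDEA`; confirm it against the `util:map` example shipped in `privacyidea.properties`), and that `mfa-authn-config.xml` has the stock IdP layout so it can be replaced outright. The `check_privacyidea_properties` function is the part worth keeping: it refuses, before the IdP is restarted, the settings the table above warns against and a flow whose required parameters are missing.

```shell
#!/bin/sh
# Added example for the privacyidea/shibboleth-plugin README; not project code.
# Configuration steps 1-3 plus a pre-restart check of privacyidea.properties.
# Assumed, not from the README: IDP_HOME replaces $idp_install_path, the subflow
# id is authn/privacyIDEA, IDP_USER is the IdP's account, values are placeholders.

IDP_HOME="${IDP_HOME:-/opt/shibboleth-idp}"
CONF="$IDP_HOME/conf/authn"

# Read one key ($2, as a sed BRE) from a Java .properties file ($1); last wins.
prop() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# Returns 0 if the file is fit for production; 1 (reason on stderr) if it uses
# plain http, disables certificate verification, or selects an
# authentication_flow without the parameters that flow requires.
check_privacyidea_properties() {
    f="$1"
    url=$(prop "$f" 'privacyidea\.server_url')
    ssl=$(prop "$f" 'privacyidea\.verify_ssl')
    flow=$(prop "$f" 'privacyidea\.authentication_flow')
    case "$url" in
        https://*) ;;
        *) echo "privacyidea.server_url must be https://, got '$url'" >&2; return 1 ;;
    esac
    [ "$ssl" = "true" ] || { echo "privacyidea.verify_ssl must be true" >&2; return 1; }
    case "$flow" in
        default) ;;
        triggerChallenge)
            if [ -z "$(prop "$f" 'privacyidea\.service_name')" ] \
                || [ -z "$(prop "$f" 'privacyidea\.service_pass')" ]; then
                echo "triggerChallenge needs service_name and service_pass" >&2
                return 1
            fi ;;
        sendStaticPass)
            # The static pass may be empty on purpose, so only require the key.
            grep -q '^[[:space:]]*privacyidea\.static_pass[[:space:]]*=' "$f" \
                || { echo "sendStaticPass needs privacyidea.static_pass" >&2; return 1; } ;;
        *) echo "unknown privacyidea.authentication_flow '$flow'" >&2; return 1 ;;
    esac
    return 0
}

# Step 1: a triggerChallenge configuration (constructed placeholder values).
write_properties() {
    cat > "$CONF/privacyidea.properties" <<'EOF'
privacyidea.server_url = https://privacyidea.example.org
privacyidea.realm = users
privacyidea.verify_ssl = true
privacyidea.authentication_flow = triggerChallenge
privacyidea.service_name = shibboleth-idp
privacyidea.service_pass = CHANGE-ME
privacyidea.service_realm = services
privacyidea.otp_length = 6
EOF
    # The file now contains the service account password in clear text.
    chown "${IDP_USER:?set IDP_USER to the account the IdP runs as}" "$CONF/privacyidea.properties"
    chmod 600 "$CONF/privacyidea.properties"
}

# Step 2: transition map; the empty key is the entry point: Password, then
# the privacyIDEA subflow. Replaces the whole file, so it is backed up first.
write_mfa_flow() {
    cp "$CONF/mfa-authn-config.xml" "$CONF/mfa-authn-config.xml.bak"
    cat > "$CONF/mfa-authn-config.xml" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:util="http://www.springframework.org/schema/util"
       xmlns:p="http://www.springframework.org/schema/p"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
                           http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
       default-init-method="initialize" default-destroy-method="destroy">
    <util:map id="shibboleth.authn.MFA.TransitionMap">
        <entry key="">
            <bean parent="shibboleth.authn.MFA.Transition" p:nextFlow="authn/Password" />
        </entry>
        <entry key="authn/Password">
            <bean parent="shibboleth.authn.MFA.Transition" p:nextFlow="authn/privacyIDEA" />
        </entry>
    </util:map>
</beans>
EOF
}

# Step 3: make MFA the active login flow (Password and privacyIDEA then run
# only as its subflows). Rewrites in place so the file keeps its permissions.
activate_mfa_flow() {
    f="$CONF/authn.properties"
    { grep -v '^[[:space:]]*idp\.authn\.flows[[:space:]]*=' "$f" || :; } > "$f.tmp"
    printf 'idp.authn.flows = MFA\n' >> "$f.tmp"
    cat "$f.tmp" > "$f" && rm -f "$f.tmp"
}

# Apply only when explicitly asked; otherwise the file just defines functions.
if [ "${APPLY_PRIVACYIDEA_CONFIG:-0}" = 1 ]; then
    write_properties
    check_privacyidea_properties "$CONF/privacyidea.properties" || exit 1
    write_mfa_flow
    activate_mfa_flow
fi
```

Run it as root with `APPLY_PRIVACYIDEA_CONFIG=1 IDP_USER=<idp account> sh configure-privacyidea.sh`, then restart the IdP and watch `idp-process.log`. Running `check_privacyidea_properties` alone against an existing file is also useful after hand edits: a `verify_ssl = false` left over from a test setup is exactly the kind of change that works fine and is never noticed.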
### Log check:
- **Main log: `$idp_install_path/logs/idp-process.log`.**
- **Warn and error log: `$idp_install_path/logs/idp-warn.log`.**
### Plugin update:
**To update the plugin, repeat the installation process with the new release archive (and its `.asc` signature). If something goes wrong, check whether some of the plugin files have `.idpnew` copies next to them; remove the `.idpnew` copies and re-run the installation.**