- PrivacyIDEA (tested with v3.8.1)
- Shibboleth Identity Provider (tested with v4.3.1)
- de.zedat.fudis.shibboleth.idp.plugin.authn.fudiscr (tested with v1.3.0)
The creation of the administrator user for Shibboleth in the PrivacyIDEA database is done throught a command line in the PrivacyIDEA Virtual Environment:
cd /opt/privacyidea
source bin/activate
pi-manage admin add idp-admin
pi-manage api createtoken -r admin -u idp-admin -d 3650
- Go to Config -> Policies
- Open Create new Policy
- Set the value of Policy Name to idp-admin
- Set the value of Scope to admin
- Set the value of Priority to last policy number + 1
- Move on the Condition tab
- Leave the value of Admin-Realm to None Selected to enable policy for all admins' realms.
- Set the value of Admin to idp-admin
- Move on the Action tab
- Search
tokenliston the Filter action... box and check it. - Search
triggerchallengeon the Filter action... box and check it. - Save Policy
By enabling application_tokentype policy, an application can determine via type
parameter which tokens of a user check.
- Go to Config -> Policies
- Open Create new Policy
- Set the value of Policy Name to idp-application-tokentype
- Set the value of Scope to authorization
- Set the value of Priority to last policy number + 1
- Move on the Action tab
- Search
application_tokentypeon the Filter action... box and check it. - Save Policy
sudo su -
/opt/shibboleth-idp/bin/module.sh -e idp.authn.MFA
/opt/shibboleth-idp/bin/module.sh -l
/opt/shibboleth-idp/bin/plugin.sh -i https://identity.fu-berlin.de/downloads/shibboleth/idp/plugins/authn/fudiscr/current/fudis-shibboleth-idp-plugin-authn-fudiscr-current.tar.gz
If you need to install a specific version:
/opt/shibboleth-idp/bin/plugin.sh -i https://identity.fu-berlin.de/downloads/shibboleth/idp/plugins/authn/fudiscr/1.3.0/fudis-shibboleth-idp-plugin-authn-fudiscr-1.3.0.tar.gz
If you need to check the plugins installed into Shibboleth IdP
/opt/shibboleth-idp/bin/plugin.sh -l
If you need to update fudiscr plugin:
/opt/shibboleth-idp/bin/plugin.sh -u de.zedat.fudis.shibboleth.idp.plugin.authn.fudiscr
vim /opt/shibboleth-idp/conf/authn/fudiscr.properties
and set the following lines with the right value:
#...other things...
#####
# PrivacyIDEA
#####
fudiscr.privacyidea.base_uri=<PRIVACYIDEA-URI>
fudiscr.privacyidea.authorization_token=<IDP-ADMIN-AUTHORIZATION-TOKEN>
Replace <PRIVACYIDEA-URI> with an uri likes https://privacyidea.server.url
and <IDP-ADMIN-AUTHORIZATION-TOKEN> with the authorization token created
in the section Create the idp-admin authorization token
Edit
authn.properties:vim /opt/shibboleth-idp/conf/authn/authn.properties
and enable the MFA Flow by setting the
idp.authn.flowsproperty:idp.authn.flows = MFA
and add the missing
supportPrincipalsas follow:#### MFA #### idp.authn.MFA.supportedPrincipals = \ saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocol, \ saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport, \ saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:Password, \ saml1/urn:oasis:names:tc:SAML:1.0:am:password, \ saml2/urn:de:zedat:fudis:SAML:2.0:ac:classes:CR, \ saml2/https://refeds.org/profile/mfa #### FUDISCR plugin #### idp.authn.fudiscr.supportedPrincipals = \ saml2/urn:de:zedat:fudis:SAML:2.0:ac:classes:CR, \ saml2/https://refeds.org/profile/mfa
Edit
mfa-authn-config.xml:cd /opt/shibboleth-idp/conf/authn
sed -i 's|authn/Password|authn/fudiscr|g' mfa-authn-config.xml
sed -i 's|authn/IPAddress|authn/Password|g' mfa-authn-config.xml
systemctl restart jetty.service
- Marco Pirovano
- Marco Malavolti