The main branch is compatible with IdP Version >=5.0.0. There will always be a separate release for IdP Version 4.x.x in the release section.
- Copy the package to the server:
- Choose the archive type for your system from the release page (.zip, .tar.gz, .tar.bz2).
- Copy it with the corresponding signature data (.asc).
- Place both files somewhere in your Shibboleth server.
- Open the terminal and run:
sudo -ifor the admin rights. - Enable the MFA Module:
$idp_install_path/bin/module.sh -t idp.authn.MFA || $idp_install_path/bin/module.sh -e idp.authn.MFA. - Check if the MFA Module is activated:
$idp_install_path/bin/module.sh -l. - Install the privacyIDEA Plugin:
$idp_install_path/bin/plugin.sh -i path/to/zip/from/step/1 --noCheck
Note: The installer will automatically install and enable the privacyIDEA Module. You can check the state by repeating the step 4. If you need to enable the privacyIDEA module run:$idp_install_path/bin/module.sh -e idp.authn.privacyIDEA.** - Check if the privacyIDEA Plugin is installed correctly:
$idp_install_path/bin/plugin.sh -l
Note: If the org.privacyidea.privacyIDEA is on the list, the plugin was installed successfully!
Otherwise, re-run the command from step 5 with--verbose.
-
Update the privacyidea.properties file (
$idp_install_path/conf/authn/privacyidea.properties) by adding your own configuration data.
Updating the following parameters is required to ensure at least the very basic functionality:privacyidea.server_urlprivacyidea.verify_sslprivacyidea.authentication_flow
-
Add the privacyIDEA subflow to the MFA flow.
- Path to the MFA flow configuration file:
$idp_install_path/conf/authn/mfa-authn-config.xml. - Example of the util:map is located in the privacyidea.properties file (
$idp_install_path/conf/authn/privacyidea.properties). - Remember to activate the MFA flow.
- Path to the MFA flow configuration file:
-
Turn on the MFA Module by updating the following file:
$idp_install_path/conf/authn/authn.properties.
Note: An example of the configuration can be found in privacyidea.properties ($idp_install_path/conf/authn/privacyidea.properties).
The different configuration parameters are explained in the following table:
| Configuration | Explanation |
|---|---|
privacyidea.server_url |
The URL of your privacyIDEA server. This must be reachable from the Shibboleth IdP server. |
privacyidea.realm |
This realm will be appended to all requests to the privacyIDEA. Note: Drop it to use the default realm. |
privacyidea.verify_ssl |
Choose if the Shibboleth should verify the SSL certificate of the privacyIDEA. Note: Always verify the SSL certificate in a productive environment! |
privacyidea.default_message |
Use this parameter to edit the default user message. |
privacyidea.otp_field_hint |
Use this parameter to edit the default placeholder for the OTP input field. |
privacyidea.authentication_flow |
Choose one of three possible options:default - standard authentication flow,triggerChallenge - triggers all challenges beforehand using the provided service account. Required additional parameters: privacyidea.service_name, privacyidea.service_pass (see below),sendStaticPass - performs the privacyIDEA server request automatically beforehand using the provided static password. Required additional parameter: privacyidea.static_pass (see below). |
privacyidea.service_name |
The username of the service account required by the triggerchallenge config option. Note: Please make sure, that the service account has the correct rights. |
privacyidea.service_pass |
The password of your service account, which is required by the triggerchallenge config option. |
privacyidea.service_realm |
Specify a separate service account's realm if needed. Note: If the service account is located in the same realm as the users, it is sufficient to specify the realm in the privacyidea.realm parameter. |
privacyidea.static_pass |
The password which should be used in the sendStaticPass authentication flow. Note: You can also leave it empty to perform the privacyIDEA server request with an empty pass (useful in some scenarios). |
privacyidea.forward_headers |
Set the headers that should be forwarded to the privacyIDEA. Note: If some header doesn't exist or has no value, will be ignored. Note: The header names should be separated by a comma (","). |
privacyidea.otp_length |
If you want to turn on the form-auto-submit function after x number of characters are entered into the OTP input field, set the expected OTP length here. Note: Only digits as the parameter's value are allowed here. |
privacyidea.polling_interval |
Decide after how many seconds the form should be reloaded, to check if the push token was confirmed. Default is 2. |
privacyidea.polling_in_browser |
Enable this to do the polling for accepted push requests in the user's browser. When enabled, the login page does not refresh to confirm the push authentication. CORS settings for privacyidea can be adjusted in etc/apache2/sites-available/privacyidea.conf. |
privacyidea.polling_in_browser_url |
If 'poll in browser' should use a deviating URL, set it here. Otherwise, the general URL will be used. |
privacyidea.debug |
Set this parameter to true to see the debug messages in the idp-process.log. |
- Main log:
$idp_install_path/logs/idp-process.log. - Warn and error log:
$idp_install_path/logs/idp-warn.log.
To update the plugin, repeat the installation process with the new archive data.
If something goes wrong, check if some of the plugin files have their .idpnew copies,
remove the .idpnew copies, and re-run the install process.