From 81e1b7daa4c5e90adcca15219d3fa4dd8ca3df65 Mon Sep 17 00:00:00 2001
From: lukasmatusiewicz <77617779+lukasmatusiewicz@users.noreply.github.com>
Date: Mon, 23 Oct 2023 10:16:50 +0200
Subject: [PATCH 01/12] rename the TriggerChallenge class
---
...Challenge.java => AlternativeAuthenticationFlows.java} | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
rename privacyIDEA-impl/src/main/java/org/privacyidea/action/{TriggerChallenge.java => AlternativeAuthenticationFlows.java} (90%)
diff --git a/privacyIDEA-impl/src/main/java/org/privacyidea/action/TriggerChallenge.java b/privacyIDEA-impl/src/main/java/org/privacyidea/action/AlternativeAuthenticationFlows.java
similarity index 90%
rename from privacyIDEA-impl/src/main/java/org/privacyidea/action/TriggerChallenge.java
rename to privacyIDEA-impl/src/main/java/org/privacyidea/action/AlternativeAuthenticationFlows.java
index 76c4829..c7e48b9 100644
--- a/privacyIDEA-impl/src/main/java/org/privacyidea/action/TriggerChallenge.java
+++ b/privacyIDEA-impl/src/main/java/org/privacyidea/action/AlternativeAuthenticationFlows.java
@@ -12,15 +12,17 @@
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
-public class TriggerChallenge extends AbstractChallengeResponseAction
+public class AlternativeAuthenticationFlows extends AbstractChallengeResponseAction
{
- private static final Logger LOGGER = LoggerFactory.getLogger(PrivacyIDEAAuthenticator.class);
+ private static final Logger LOGGER = LoggerFactory.getLogger(AlternativeAuthenticationFlows.class);
- public TriggerChallenge() {}
+ public AlternativeAuthenticationFlows() {}
@Override
protected final void doExecute(@Nonnull ProfileRequestContext profileRequestContext, @Nonnull PIContext piContext, @Nonnull PIServerConfigContext piServerConfigContext)
{
+ //todo check the authentication flow and perform the choosed one
+
if (piServerConfigContext.getConfigParams().getTriggerChallenge())
{
if (debug)
From d1419e0865acd6e3facc26c7b3bc8103f7d8ebe8 Mon Sep 17 00:00:00 2001
From: lukasmatusiewicz <77617779+lukasmatusiewicz@users.noreply.github.com>
Date: Mon, 23 Oct 2023 10:17:50 +0200
Subject: [PATCH 02/12] update config options
---
.../action/InitializePIContext.java | 4 +--
.../flows/authn/privacyIDEA/plugin-beans.xml | 6 ++--
.../org/privacyidea/privacyidea.properties | 36 ++++++++++++-------
3 files changed, 29 insertions(+), 17 deletions(-)
diff --git a/privacyIDEA-impl/src/main/java/org/privacyidea/action/InitializePIContext.java b/privacyIDEA-impl/src/main/java/org/privacyidea/action/InitializePIContext.java
index a66a1b5..aaa1d7c 100644
--- a/privacyIDEA-impl/src/main/java/org/privacyidea/action/InitializePIContext.java
+++ b/privacyIDEA-impl/src/main/java/org/privacyidea/action/InitializePIContext.java
@@ -28,7 +28,7 @@ public class InitializePIContext extends AbstractAuthenticationAction
private boolean verifySSL;
@Nullable
private String defaultMessage;
- private boolean triggerChallenge;
+ private boolean authenticationFlow;
@Nullable
private String serviceName;
@Nullable
@@ -122,7 +122,7 @@ private User getUser(@Nonnull ProfileRequestContext profileRequestContext)
public void setOtpFieldHint(@Nullable String otpFieldHint) {this.otpFieldHint = otpFieldHint;}
- public void setTriggerChallenge(boolean triggerChallenge) {this.triggerChallenge = triggerChallenge;}
+ public void setAuthenticationFlow(boolean authenticationFlow) {this.authenticationFlow = authenticationFlow;}
public void setServiceName(@Nullable String serviceName) {this.serviceName = serviceName;}
diff --git a/privacyIDEA-impl/src/main/resources/META-INF/net/shibboleth/idp/flows/authn/privacyIDEA/plugin-beans.xml b/privacyIDEA-impl/src/main/resources/META-INF/net/shibboleth/idp/flows/authn/privacyIDEA/plugin-beans.xml
index 6bdff97..1b54fbc 100644
--- a/privacyIDEA-impl/src/main/resources/META-INF/net/shibboleth/idp/flows/authn/privacyIDEA/plugin-beans.xml
+++ b/privacyIDEA-impl/src/main/resources/META-INF/net/shibboleth/idp/flows/authn/privacyIDEA/plugin-beans.xml
@@ -23,12 +23,12 @@
p:verifySSL="%{privacyidea.verify_ssl:true}"
p:defaultMessage="%{privacyidea.default_message:#{null}}"
p:otpFieldHint="%{privacyidea.otp_field_hint:#{null}}"
- p:triggerChallenge="%{privacyidea.triggerchallenge:false}"
+ p:otpLength="%{privacyidea.otp_length:#{null}}"
+ p:authenticationFlow="%{privacyidea.authentication_flow:#{null}}"
p:serviceName="%{privacyidea.service_name:#{null}}"
p:servicePass="%{privacyidea.service_pass:#{null}}"
p:serviceRealm="%{privacyidea.service_realm:#{null}}"
p:forwardHeaders="%{privacyidea.forward_headers:#{null}}"
- p:otpLength="%{privacyidea.otp_length:#{null}}"
p:pollingInterval="%{privacyidea.polling_interval:#{null}}"
p:pluginVersion="%{privacyidea.plugin_version:#{null}}"
p:debug="%{privacyidea.debug:false}"/>
@@ -36,6 +36,6 @@
-
\ No newline at end of file
diff --git a/privacyIDEA-impl/src/main/resources/org/privacyidea/privacyidea.properties b/privacyIDEA-impl/src/main/resources/org/privacyidea/privacyidea.properties
index b3d3221..4b96e04 100644
--- a/privacyIDEA-impl/src/main/resources/org/privacyidea/privacyidea.properties
+++ b/privacyIDEA-impl/src/main/resources/org/privacyidea/privacyidea.properties
@@ -2,35 +2,47 @@
# PrivacyIDEA configuration #
###############################
-## Plugin version ##
+## PLUGIN VERSION ##
+
privacyidea.plugin_version=0.3.0
-## Server config ##
+## SERVER CONFIG ##
+
+# Required.
privacyidea.server_url=https://localhost
privacyidea.realm=defrealm
-# Only true/false allowed here:
+# Required. Only true/false allowed:
privacyidea.verify_ssl=true
-## UI config ##
+## UI CONFIG ##
+
#privacyidea.default_message=fix
#privacyidea.otp_field_hint=fix
+#privacyidea.otp_length=fix
+
+## AUTHENTICATION FLOW CONFIG ##
-## Trigger challenge config ##
-# Only true/false allowed here:
-privacyidea.triggerchallenge=false
+# Required. Allowed values are: default, triggerChallenge and sendStaticPass
+privacyidea.authentication_flow=default
+
+# Additional triggerChallenge config #
#privacyidea.service_name=fix
#privacyidea.service_pass=fix
# Optional:
#privacyidea.service_realm=fix
-## Push token config ##
-# Only digits allowed here:
+# Additional sendStaticPass config #
+#privacyidea.static_pass=fix
+
+## PUSH TOKEN CONFIG ##
+
+# Only digits allowed:
#privacyidea.polling_interval=fix
-## Other config options ##
+## OTHER CONFIGURATION OPTIONS ##
+
#privacyidea.forward_headers=fix
-#privacyidea.otp_length=fix
-# Only true/false allowed here:
+# Only true/false allowed:
privacyidea.debug=false
From df2be68911b1d0fef59761b235d2dd2c4d84f996 Mon Sep 17 00:00:00 2001
From: lukasmatusiewicz <77617779+lukasmatusiewicz@users.noreply.github.com>
Date: Mon, 23 Oct 2023 10:18:00 +0200
Subject: [PATCH 03/12] Update plugin-flow.xml
---
.../shibboleth/idp/flows/authn/privacyIDEA/plugin-flow.xml | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/privacyIDEA-impl/src/main/resources/META-INF/net/shibboleth/idp/flows/authn/privacyIDEA/plugin-flow.xml b/privacyIDEA-impl/src/main/resources/META-INF/net/shibboleth/idp/flows/authn/privacyIDEA/plugin-flow.xml
index fbf1f23..4541f7d 100644
--- a/privacyIDEA-impl/src/main/resources/META-INF/net/shibboleth/idp/flows/authn/privacyIDEA/plugin-flow.xml
+++ b/privacyIDEA-impl/src/main/resources/META-INF/net/shibboleth/idp/flows/authn/privacyIDEA/plugin-flow.xml
@@ -6,11 +6,11 @@
-
+
-
-
+
+
From ec8b2752a3918d9cf3f3dff9e0f6a732de0301d5 Mon Sep 17 00:00:00 2001
From: lukasmatusiewicz <77617779+lukasmatusiewicz@users.noreply.github.com>
Date: Mon, 23 Oct 2023 11:45:16 +0200
Subject: [PATCH 04/12] Update plugin-flow.xml
---
.../net/shibboleth/idp/flows/authn/privacyIDEA/plugin-flow.xml | 3 +++
1 file changed, 3 insertions(+)
diff --git a/privacyIDEA-impl/src/main/resources/META-INF/net/shibboleth/idp/flows/authn/privacyIDEA/plugin-flow.xml b/privacyIDEA-impl/src/main/resources/META-INF/net/shibboleth/idp/flows/authn/privacyIDEA/plugin-flow.xml
index 4541f7d..88c1263 100644
--- a/privacyIDEA-impl/src/main/resources/META-INF/net/shibboleth/idp/flows/authn/privacyIDEA/plugin-flow.xml
+++ b/privacyIDEA-impl/src/main/resources/META-INF/net/shibboleth/idp/flows/authn/privacyIDEA/plugin-flow.xml
@@ -6,13 +6,16 @@
+
+
+
From 672f34f6f142503949cfe8a541de051b433a1110 Mon Sep 17 00:00:00 2001
From: lukasmatusiewicz <77617779+lukasmatusiewicz@users.noreply.github.com>
Date: Mon, 23 Oct 2023 11:45:34 +0200
Subject: [PATCH 05/12] Update plugin-beans.xml
---
.../shibboleth/idp/flows/authn/privacyIDEA/plugin-beans.xml | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/privacyIDEA-impl/src/main/resources/META-INF/net/shibboleth/idp/flows/authn/privacyIDEA/plugin-beans.xml b/privacyIDEA-impl/src/main/resources/META-INF/net/shibboleth/idp/flows/authn/privacyIDEA/plugin-beans.xml
index 1b54fbc..2b9977a 100644
--- a/privacyIDEA-impl/src/main/resources/META-INF/net/shibboleth/idp/flows/authn/privacyIDEA/plugin-beans.xml
+++ b/privacyIDEA-impl/src/main/resources/META-INF/net/shibboleth/idp/flows/authn/privacyIDEA/plugin-beans.xml
@@ -24,10 +24,11 @@
p:defaultMessage="%{privacyidea.default_message:#{null}}"
p:otpFieldHint="%{privacyidea.otp_field_hint:#{null}}"
p:otpLength="%{privacyidea.otp_length:#{null}}"
- p:authenticationFlow="%{privacyidea.authentication_flow:#{null}}"
+ p:authenticationFlow="%{privacyidea.authentication_flow:#{'default'}}"
p:serviceName="%{privacyidea.service_name:#{null}}"
p:servicePass="%{privacyidea.service_pass:#{null}}"
p:serviceRealm="%{privacyidea.service_realm:#{null}}"
+ p:staticPass="%{privacyidea.static_pass:#{null}}"
p:forwardHeaders="%{privacyidea.forward_headers:#{null}}"
p:pollingInterval="%{privacyidea.polling_interval:#{null}}"
p:pluginVersion="%{privacyidea.plugin_version:#{null}}"
From 555c158f6f9009bc577c3560e6cf0c9344eefa75 Mon Sep 17 00:00:00 2001
From: lukasmatusiewicz <77617779+lukasmatusiewicz@users.noreply.github.com>
Date: Mon, 23 Oct 2023 11:45:50 +0200
Subject: [PATCH 06/12] Update privacyidea.properties
---
.../src/main/resources/org/privacyidea/privacyidea.properties | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/privacyIDEA-impl/src/main/resources/org/privacyidea/privacyidea.properties b/privacyIDEA-impl/src/main/resources/org/privacyidea/privacyidea.properties
index 4b96e04..e7d11d0 100644
--- a/privacyIDEA-impl/src/main/resources/org/privacyidea/privacyidea.properties
+++ b/privacyIDEA-impl/src/main/resources/org/privacyidea/privacyidea.properties
@@ -25,13 +25,13 @@ privacyidea.verify_ssl=true
# Required. Allowed values are: default, triggerChallenge and sendStaticPass
privacyidea.authentication_flow=default
-# Additional triggerChallenge config #
+# Required for triggerChallenge flow #
#privacyidea.service_name=fix
#privacyidea.service_pass=fix
# Optional:
#privacyidea.service_realm=fix
-# Additional sendStaticPass config #
+# Required for sendStaticPass flow #
#privacyidea.static_pass=fix
## PUSH TOKEN CONFIG ##
From 8b4827ca2f4acb108dc7b128f7ceee4b57c6a4dd Mon Sep 17 00:00:00 2001
From: lukasmatusiewicz <77617779+lukasmatusiewicz@users.noreply.github.com>
Date: Mon, 23 Oct 2023 11:46:08 +0200
Subject: [PATCH 07/12] Update Config.java
---
.../java/org/privacyidea/context/Config.java | 23 +++++++++++++++----
1 file changed, 18 insertions(+), 5 deletions(-)
diff --git a/privacyIDEA-impl/src/main/java/org/privacyidea/context/Config.java b/privacyIDEA-impl/src/main/java/org/privacyidea/context/Config.java
index 48ff8b6..c42d3ef 100644
--- a/privacyIDEA-impl/src/main/java/org/privacyidea/context/Config.java
+++ b/privacyIDEA-impl/src/main/java/org/privacyidea/context/Config.java
@@ -11,7 +11,8 @@ public class Config
private final String realm;
private final boolean verifySSL;
private final boolean debug;
- private final boolean triggerChallenge;
+ @Nonnull
+ private final String authenticationFlow;
@Nullable
private final String serviceName;
@Nullable
@@ -19,19 +20,24 @@ public class Config
@Nullable
private final String serviceRealm;
@Nullable
+ private final String staticPass;
+ @Nullable
private final String forwardHeaders;
@Nullable
private final String otpLength;
- public Config(@Nonnull String serverURL, @Nullable String realm, boolean verifySSL, boolean triggerChallenge, @Nullable String serviceName, @Nullable String servicePass, @Nullable String serviceRealm, @Nullable String forwardHeaders, @Nullable String otpLength, boolean debug)
+ public Config(@Nonnull String serverURL, @Nullable String realm, boolean verifySSL, @Nonnull String authenticationFlow,
+ @Nullable String serviceName, @Nullable String servicePass, @Nullable String serviceRealm,
+ @Nullable String staticPass, @Nullable String forwardHeaders, @Nullable String otpLength, boolean debug)
{
this.serverURL = serverURL;
this.realm = realm;
this.verifySSL = verifySSL;
- this.triggerChallenge = triggerChallenge;
+ this.authenticationFlow = authenticationFlow;
this.serviceName = serviceName;
this.servicePass = servicePass;
this.serviceRealm = serviceRealm;
+ this.staticPass = staticPass;
this.forwardHeaders = forwardHeaders;
this.otpLength = otpLength;
this.debug = debug;
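Review bot: The new `authenticationFlow` parameter is annotated `@Nonnull` but is stored without a check, so a missing bean property would only surface later as an NPE wherever the value is compared with `equals`. Fail fast in the constructor instead: `this.authenticationFlow = Objects.requireNonNull(authenticationFlow, "authenticationFlow");` (adding the `java.util.Objects` import if Config.java does not already have it). The three accepted values are plain strings compared with literals in several classes; a small enum would make the set explicit and let the compiler catch spelling variants such as the lower-case `triggerchallenge` that the README rows for `service_name`/`service_pass` still use. The constructor body continues past the end of the hunk.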
@@ -55,9 +61,10 @@ public boolean getVerifySSL()
return verifySSL;
}
- public boolean getTriggerChallenge()
+ @Nonnull
+ public String getAuthenticationFlow()
{
- return triggerChallenge;
+ return authenticationFlow;
}
@Nullable
@@ -78,6 +85,12 @@ public String getServiceRealm()
return serviceRealm;
}
+ @Nullable
+ public String getStaticPass()
+ {
+ return staticPass;
+ }
+
@Nullable
public String getForwardHeaders()
{
From fa4ee81f7e87eda32d4e8f1650f26699b28caff0 Mon Sep 17 00:00:00 2001
From: lukasmatusiewicz <77617779+lukasmatusiewicz@users.noreply.github.com>
Date: Mon, 23 Oct 2023 11:46:37 +0200
Subject: [PATCH 08/12] Update InitializePIContext.java
---
.../action/InitializePIContext.java | 36 ++++++++++++++++---
1 file changed, 32 insertions(+), 4 deletions(-)
diff --git a/privacyIDEA-impl/src/main/java/org/privacyidea/action/InitializePIContext.java b/privacyIDEA-impl/src/main/java/org/privacyidea/action/InitializePIContext.java
index aaa1d7c..0ccec7b 100644
--- a/privacyIDEA-impl/src/main/java/org/privacyidea/action/InitializePIContext.java
+++ b/privacyIDEA-impl/src/main/java/org/privacyidea/action/InitializePIContext.java
@@ -28,7 +28,7 @@ public class InitializePIContext extends AbstractAuthenticationAction
private boolean verifySSL;
@Nullable
private String defaultMessage;
- private boolean authenticationFlow;
+ private String authenticationFlow;
@Nullable
private String serviceName;
@Nullable
@@ -36,6 +36,8 @@ public class InitializePIContext extends AbstractAuthenticationAction
@Nullable
private String serviceRealm;
@Nullable
+ private String staticPass;
+ @Nullable
private String forwardHeaders;
@Nullable
private String otpFieldHint;
@@ -65,8 +67,7 @@ protected void doExecute(@NotNull ProfileRequestContext profileRequestContext, @
}
else
{
- Config configParams = new Config(serverURL, realm, verifySSL, triggerChallenge, serviceName, servicePass, serviceRealm, forwardHeaders, otpLength, debug);
- PIServerConfigContext piServerConfigContext = new PIServerConfigContext(configParams);
+ PIServerConfigContext piServerConfigContext = getConfigBaseContext();
log.info("{} Create PIServerConfigContext {}", this.getLogPrefix(), piServerConfigContext);
authenticationContext.addSubcontext(piServerConfigContext);
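Review bot: The context built on the new `getConfigBaseContext()` line now carries `staticPass` in addition to `servicePass`, and the unchanged `log.info("{} Create PIServerConfigContext {}", ..., piServerConfigContext)` directly below prints the object at INFO level; if `PIServerConfigContext` or `Config` render their fields in `toString` (not visible in this hunk), both secrets end up in idp-process.log. Either confirm that `toString` masks the password fields or log only non-secret settings, e.g. `log.info("{} Create PIServerConfigContext (flow={})", this.getLogPrefix(), piServerConfigContext.getConfigParams().getAuthenticationFlow());`. doExecute starts and ends outside this hunk.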
@@ -111,6 +112,31 @@ private User getUser(@Nonnull ProfileRequestContext profileRequestContext)
}
}
+ @NotNull
+ private PIServerConfigContext getConfigBaseContext()
+ {
+ String authenticationFlow;
+ String staticPass = null;
+ if (this.authenticationFlow.equals("triggerChallenge"))
+ {
+ authenticationFlow = "triggerChallenge";
+ }
+ else if (this.authenticationFlow.equals("sendStaticPass"))
+ {
+ authenticationFlow = "sendStaticPass";
+ if (this.staticPass != null)
+ {
+ staticPass = this.staticPass;
+ }
+ }
+ else
+ {
+ authenticationFlow = "default";
+ }
+ Config configParams = new Config(serverURL, realm, verifySSL, authenticationFlow, serviceName, servicePass, serviceRealm, staticPass, forwardHeaders, otpLength, debug);
+ return new PIServerConfigContext(configParams);
+ }
+
// Spring bean property setters
public void setServerURL(@Nonnull String serverURL) {this.serverURL = serverURL;}
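Review bot: The two comparisons `this.authenticationFlow.equals("triggerChallenge")` and `this.authenticationFlow.equals("sendStaticPass")` dereference the bean property without a null check; the `'default'` fallback in plugin-beans.xml covers the shipped configuration, but a custom bean definition that omits `p:authenticationFlow` would throw an NPE inside the action. Use the literal-first form, `if ("triggerChallenge".equals(this.authenticationFlow))` and `else if ("sendStaticPass".equals(this.authenticationFlow))`. The final `else` also maps every unrecognised value (for example a misspelled `triggerchallenge`) silently onto the default flow, so an administrator who expected challenges to be pre-triggered gets no hint in the log; emit a warning there via the existing `log` field when the value is not `"default"`. The inner `if (this.staticPass != null)` is redundant, since `staticPass` starts as null and `staticPass = this.staticPass;` alone has the same effect.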
@@ -122,7 +148,7 @@ private User getUser(@Nonnull ProfileRequestContext profileRequestContext)
public void setOtpFieldHint(@Nullable String otpFieldHint) {this.otpFieldHint = otpFieldHint;}
- public void setAuthenticationFlow(boolean authenticationFlow) {this.authenticationFlow = authenticationFlow;}
+ public void setAuthenticationFlow(@Nonnull String authenticationFlow) {this.authenticationFlow = authenticationFlow;}
public void setServiceName(@Nullable String serviceName) {this.serviceName = serviceName;}
@@ -130,6 +156,8 @@ private User getUser(@Nonnull ProfileRequestContext profileRequestContext)
public void setServiceRealm(@Nullable String serviceRealm) {this.serviceRealm = serviceRealm;}
+ public void setStaticPass(@Nullable String staticPass) {this.staticPass = staticPass;}
+
public void setForwardHeaders(@Nullable String forwardHeaders) {this.forwardHeaders = forwardHeaders;}
public void setOtpLength(@Nullable String otpLength) {this.otpLength = otpLength;}
From c5d723633a83cb9ceddf5d689e8ce7b002de80a2 Mon Sep 17 00:00:00 2001
From: lukasmatusiewicz <77617779+lukasmatusiewicz@users.noreply.github.com>
Date: Mon, 23 Oct 2023 11:47:28 +0200
Subject: [PATCH 09/12] add static pass flow logic
---
.../AlternativeAuthenticationFlows.java | 69 +++++++++++++++----
1 file changed, 57 insertions(+), 12 deletions(-)
diff --git a/privacyIDEA-impl/src/main/java/org/privacyidea/action/AlternativeAuthenticationFlows.java b/privacyIDEA-impl/src/main/java/org/privacyidea/action/AlternativeAuthenticationFlows.java
index c7e48b9..96df888 100644
--- a/privacyIDEA-impl/src/main/java/org/privacyidea/action/AlternativeAuthenticationFlows.java
+++ b/privacyIDEA-impl/src/main/java/org/privacyidea/action/AlternativeAuthenticationFlows.java
@@ -21,35 +21,33 @@ public AlternativeAuthenticationFlows() {}
@Override
protected final void doExecute(@Nonnull ProfileRequestContext profileRequestContext, @Nonnull PIContext piContext, @Nonnull PIServerConfigContext piServerConfigContext)
{
- //todo check the authentication flow and perform the choosed one
-
- if (piServerConfigContext.getConfigParams().getTriggerChallenge())
+ if (piServerConfigContext.getConfigParams().getAuthenticationFlow().equals("triggerChallenge"))
{
if (debug)
{
- LOGGER.info("{} Triggering challenges...", this.getLogPrefix());
+ LOGGER.info("{} Authentication flow: triggerChallenge.", this.getLogPrefix());
}
HttpServletRequest request = Objects.requireNonNull(this.getHttpServletRequestSupplier()).get();
Map headers = this.getHeadersToForward(request);
- PIResponse triggeredResponse = privacyIDEA.triggerChallenges(piContext.getUsername(), headers);
+ PIResponse piResponse = privacyIDEA.triggerChallenges(piContext.getUsername(), headers);
- if (triggeredResponse != null)
+ if (piResponse != null)
{
- if (triggeredResponse.error != null)
+ if (piResponse.error != null)
{
- LOGGER.error("{} privacyIDEA server error: {}!", this.getLogPrefix(), triggeredResponse.error.message);
+ LOGGER.error("{} privacyIDEA server error: {}!", this.getLogPrefix(), piResponse.error.message);
ActionSupport.buildEvent(profileRequestContext, "AuthenticationException");
return;
}
- if (!triggeredResponse.multichallenge.isEmpty())
+ if (!piResponse.multichallenge.isEmpty())
{
if (debug)
{
LOGGER.info("{} Extracting the form data from triggered challenges...", this.getLogPrefix());
}
- extractChallengeData(triggeredResponse);
+ extractChallengeData(piResponse);
}
}
else
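Review bot: The selected flow is read through `piServerConfigContext.getConfigParams().getAuthenticationFlow()` and compared with a literal here and again in the `else if` later in the same method; hoisting it once at the top of `doExecute`, `String flow = piServerConfigContext.getConfigParams().getAuthenticationFlow();`, and comparing `flow` in both branches makes the dispatch read as a single switch and keeps the two branch conditions from drifting apart. The method body continues past the end of this hunk.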
@@ -57,12 +55,59 @@ protected final void doExecute(@Nonnull ProfileRequestContext profileRequestCont
LOGGER.error("{} triggerChallenge failed. Response was null. Fallback to standard procedure.", this.getLogPrefix());
}
}
+ else if (piServerConfigContext.getConfigParams().getAuthenticationFlow().equals("sendStaticPass"))
+ {
+ if (debug)
+ {
+ LOGGER.info("{} Authentication flow: sendStaticPass.", this.getLogPrefix());
+ }
+
+ if (piServerConfigContext.getConfigParams().getStaticPass() == null)
+ {
+ LOGGER.error("{} Static pass isn't set. Fallback to default authentication flow...", this.getLogPrefix());
+ }
+ else
+ {
+ // Call /validate/check with a static pass from the configuration
+ // This could already end up the authentication if the "passOnNoToken" policy is set.
+ // Otherwise, it triggers the challenges.
+ HttpServletRequest request = Objects.requireNonNull(this.getHttpServletRequestSupplier()).get();
+ Map headers = this.getHeadersToForward(request);
+ PIResponse piResponse = privacyIDEA.validateCheck(piContext.getUsername(), piServerConfigContext.getConfigParams().getStaticPass(), headers);
+
+ if (piResponse != null)
+ {
+ if (piResponse.error != null)
+ {
+ LOGGER.error("{} privacyIDEA server error: {}!", this.getLogPrefix(), piResponse.error.message);
+ ActionSupport.buildEvent(profileRequestContext, "AuthenticationException");
+ return;
+ }
+
+ if (!piResponse.multichallenge.isEmpty())
+ {
+ if (piResponse.value)
+ {
+ if (debug)
+ {
+ LOGGER.info("{} Authentication succeeded!", this.getLogPrefix());
+ }
+ ActionSupport.buildEvent(profileRequestContext, "success");
+ }
+ else
+ {
+ extractChallengeData(piResponse);
+ }
+ }
+ }
+ }
+ }
else
{
if (debug)
{
- LOGGER.info("{} triggerchallenge not enabled.", this.getLogPrefix());
+ LOGGER.info("{} Authentication flow: default.", this.getLogPrefix());
}
}
}
-}
+}
\ No newline at end of file
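Review bot: In the new sendStaticPass branch a null `piResponse` from `validateCheck` falls through silently to the standard form, whereas the triggerChallenge branch above logs `"... Response was null. Fallback to standard procedure."`; add the matching `else { LOGGER.error("{} sendStaticPass failed. Response was null. Fallback to standard procedure.", this.getLogPrefix()); }` after the `if (piResponse != null)` block so a server outage is diagnosable from idp-process.log in both flows. `getStaticPass()` is also called twice in this branch (once for the null check, once as the `validateCheck` argument); read it once into a local before the check. The same missing-log symmetry applies to the `value == false` case, which is raised separately on the later restructuring of this block.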
From a88d44979309415ad8972324ae12f5d7ff35364f Mon Sep 17 00:00:00 2001
From: lukasmatusiewicz <77617779+lukasmatusiewicz@users.noreply.github.com>
Date: Mon, 23 Oct 2023 13:06:14 +0200
Subject: [PATCH 10/12] Update AlternativeAuthenticationFlows.java
---
.../AlternativeAuthenticationFlows.java | 24 +++++++++----------
1 file changed, 11 insertions(+), 13 deletions(-)
diff --git a/privacyIDEA-impl/src/main/java/org/privacyidea/action/AlternativeAuthenticationFlows.java b/privacyIDEA-impl/src/main/java/org/privacyidea/action/AlternativeAuthenticationFlows.java
index 96df888..cee980e 100644
--- a/privacyIDEA-impl/src/main/java/org/privacyidea/action/AlternativeAuthenticationFlows.java
+++ b/privacyIDEA-impl/src/main/java/org/privacyidea/action/AlternativeAuthenticationFlows.java
@@ -25,7 +25,7 @@ protected final void doExecute(@Nonnull ProfileRequestContext profileRequestCont
{
if (debug)
{
- LOGGER.info("{} Authentication flow: triggerChallenge.", this.getLogPrefix());
+ LOGGER.info("{} Authentication flow - triggerChallenge.", this.getLogPrefix());
}
HttpServletRequest request = Objects.requireNonNull(this.getHttpServletRequestSupplier()).get();
@@ -59,7 +59,7 @@ else if (piServerConfigContext.getConfigParams().getAuthenticationFlow().equals(
{
if (debug)
{
- LOGGER.info("{} Authentication flow: sendStaticPass.", this.getLogPrefix());
+ LOGGER.info("{} Authentication flow - sendStaticPass.", this.getLogPrefix());
}
if (piServerConfigContext.getConfigParams().getStaticPass() == null)
@@ -84,20 +84,18 @@ else if (piServerConfigContext.getConfigParams().getAuthenticationFlow().equals(
return;
}
- if (!piResponse.multichallenge.isEmpty())
+ if (piResponse.value)
{
- if (piResponse.value)
- {
- if (debug)
- {
- LOGGER.info("{} Authentication succeeded!", this.getLogPrefix());
- }
- ActionSupport.buildEvent(profileRequestContext, "success");
- }
- else
+ if (debug)
{
- extractChallengeData(piResponse);
+ LOGGER.info("{} Authentication succeeded!", this.getLogPrefix());
}
+ ActionSupport.buildEvent(profileRequestContext, "success");
+ }
+
+ if (!piResponse.multichallenge.isEmpty())
+ {
+ extractChallengeData(piResponse);
}
}
}
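Review bot: After `ActionSupport.buildEvent(profileRequestContext, "success")` the method keeps running, so a response with `value == true` and a non-empty `multichallenge` also reaches `extractChallengeData(piResponse)`, presumably populating challenge form data for an authentication already marked successful; the previous nesting excluded that combination and this restructure drops the exclusion. Add `return;` directly after the success event, mirroring the `AuthenticationException` path above it. A response with `value == false` and an empty `multichallenge` — a rejected static pass — is still handled by silence, so a debug-level log in that case would make a wrong `privacyidea.static_pass` visible in idp-process.log. doExecute ends outside this hunk.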
From aa58f96a9fb8aa2ce212b82e672adc9b1540163e Mon Sep 17 00:00:00 2001
From: lukasmatusiewicz <77617779+lukasmatusiewicz@users.noreply.github.com>
Date: Tue, 24 Oct 2023 10:50:56 +0200
Subject: [PATCH 11/12] Update README.md
---
README.md | 34 ++++++++++++++++++----------------
1 file changed, 18 insertions(+), 16 deletions(-)
diff --git a/README.md b/README.md
index 5182b44..e0c99be 100644
--- a/README.md
+++ b/README.md
@@ -23,6 +23,7 @@ Updating following parameters is required to ensure at least the very basic func
- `privacyidea.plugin_version`
- `privacyidea.server_url`
- `privacyidea.verify_ssl`
+ - `privacyidea.authentication_flow`
2. **Add the privacyIDEA subflow to the MFA flow.**
- Path to the MFA flow configuration file: `$idp_install_path/conf/authn/mfa-authn-config.xml`.
@@ -34,22 +35,23 @@ Note: Example of this configuration contains the *privacyidea.properties* file (
The different configuration parameters are explained in the following table:
-| Configuration | Explanation |
-|--------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| `privacyidea.plugin_version` | The actual plugin version which will be forwarded to the privacyIDEA. |
-| `privacyidea.server_url` | The URL of your privacyIDEA server. This must to be reachable from the Shibboleth IdP server. |
-| `privacyidea.realm` | This realm will be appended to all requests to the privacyIDEA.
Note: Drop it to use the default realm. |
-| `privacyidea.verify_ssl` | Choose if the Shibboleth should verify the SSL certificate of the privacyIDEA.
Note: Always verify the SSL certificate in a productive environment! |
-| `privacyidea.default_message` | Use this parameter to edit the default user message. |
-| `privacyidea.otp_field_hint` | Use this parameter to edit the default placeholder for the OTP input field. |
-| `privacyidea.triggerchallenge` | Set this to true, if all challenges should be triggered beforehand using the provided service account.
Note: This config option require to update the `privacyidea.service_name` and `privacyidea.service_pass` parameters. |
-| `privacyidea.service_name` | The username of the service account required by the `triggerchallenge` config option.
Note: Please make sure, that the service account has the correct rights. |
-| `privacyidea.service_pass` | The password of your service account required by the `triggerchallenge` config option. |
-| `privacyidea.service_realm` | Specify a separate service account's realm if needed.
Note: If the service account is located in the same realm as the users, it is sufficient to specify the realm in the `privacyidea.realm` parameter. |
-| `privacyidea.forward_headers` | Set the headers that should be forwarded to the privacyIDEA.
Note: If some header doesn't exist or has no value, will be ignored.
Note: The header names should be separated by a comma (","). |
-| `privacyidea.otp_length` | If you want to turn on the form-auto-submit function after x number of characters are entered into the OTP input field, set the expected OTP length here.
Note: Only digits as the parameter's value allowed here. |
-| `privacyidea.polling_interval` | Decide after how many seconds the form should be reloaded, to check if the push token was confirmed. Default is 2. |
-| `privacyidea.debug` | Set this parameter to true to see the debug messages in the `idp-process.log`. |
+| Configuration | Explanation |
+|-----------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| `privacyidea.plugin_version` | The actual plugin version which will be forwarded to the privacyIDEA. |
+| `privacyidea.server_url` | The URL of your privacyIDEA server. This must to be reachable from the Shibboleth IdP server. |
+| `privacyidea.realm` | This realm will be appended to all requests to the privacyIDEA.
Note: Drop it to use the default realm. |
+| `privacyidea.verify_ssl` | Choose if the Shibboleth should verify the SSL certificate of the privacyIDEA.
Note: Always verify the SSL certificate in a productive environment! |
+| `privacyidea.default_message` | Use this parameter to edit the default user message. |
+| `privacyidea.otp_field_hint` | Use this parameter to edit the default placeholder for the OTP input field. |
+| `privacyidea.authentication_flow` | Choose one of three possible options:
`default` - standard authentication flow,
`triggerChallenge` - triggers all challenges beforehand using the provided service account. Required additional parameters: *privacyidea.service_name*, *privacyidea.service_pass* (see below),
`sendStaticPass` - performs the privacyIDEA server request automatically beforehand using the provided static password. Required additional parameter: *privacyidea.static_pass* (see below). |
+| `privacyidea.service_name` | The username of the service account required by the `triggerchallenge` config option.
Note: Please make sure, that the service account has the correct rights. |
+| `privacyidea.service_pass` | The password of your service account required by the `triggerchallenge` config option. |
+| `privacyidea.service_realm` | Specify a separate service account's realm if needed.
Note: If the service account is located in the same realm as the users, it is sufficient to specify the realm in the `privacyidea.realm` parameter. |
+| `privacyidea.static_pass` | The password which should be use in the `sendStaticPass` authentication flow.
Note: You can also leave it empty to perform the privacyIDEA server request with empty pass (useful in some scenarios). |
+| `privacyidea.forward_headers` | Set the headers that should be forwarded to the privacyIDEA.
Note: If some header doesn't exist or has no value, will be ignored.
Note: The header names should be separated by a comma (","). |
+| `privacyidea.otp_length` | If you want to turn on the form-auto-submit function after x number of characters are entered into the OTP input field, set the expected OTP length here.
Note: Only digits as the parameter's value allowed here. |
+| `privacyidea.polling_interval` | Decide after how many seconds the form should be reloaded, to check if the push token was confirmed. Default is 2. |
+| `privacyidea.debug` | Set this parameter to true to see the debug messages in the `idp-process.log`. |
### Log check:
- **Main log: `$idp_install_path/logs/idp-process.log`.**
From 0ac83d628abc9bf58fb120fb3c93d9e8a0dfb4e3 Mon Sep 17 00:00:00 2001
From: lukasmatusiewicz <77617779+lukasmatusiewicz@users.noreply.github.com>
Date: Tue, 24 Oct 2023 13:02:13 +0200
Subject: [PATCH 12/12] Update AlternativeAuthenticationFlows.java
---
.../privacyidea/action/AlternativeAuthenticationFlows.java | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/privacyIDEA-impl/src/main/java/org/privacyidea/action/AlternativeAuthenticationFlows.java b/privacyIDEA-impl/src/main/java/org/privacyidea/action/AlternativeAuthenticationFlows.java
index cee980e..023da9c 100644
--- a/privacyIDEA-impl/src/main/java/org/privacyidea/action/AlternativeAuthenticationFlows.java
+++ b/privacyIDEA-impl/src/main/java/org/privacyidea/action/AlternativeAuthenticationFlows.java
@@ -69,8 +69,8 @@ else if (piServerConfigContext.getConfigParams().getAuthenticationFlow().equals(
else
{
// Call /validate/check with a static pass from the configuration
- // This could already end up the authentication if the "passOnNoToken" policy is set.
- // Otherwise, it triggers the challenges.
+ // This could already end the authentication if the "passOnNoToken" policy is set.
+ // Otherwise, it might trigger the challenges.
HttpServletRequest request = Objects.requireNonNull(this.getHttpServletRequestSupplier()).get();
Map headers = this.getHeadersToForward(request);
PIResponse piResponse = privacyIDEA.validateCheck(piContext.getUsername(), piServerConfigContext.getConfigParams().getStaticPass(), headers);