Login to Self-Service portal login_mode


tbi

Mar 4, 2017, 9:40:06 AM
to privacyidea
Hi all

I have a question about the privacyIDEA portal login for users (self-service portal).

It is possible to change the login_mode to privacyIDEA, which forces the user to use a token to log in instead of his userstore password.

What I would like to achieve is that, as long as the user has no token assigned, he is allowed to log in with his userstore password. As soon as he has a token, he needs the token to log in.

From a security point of view it makes no sense to let him log in with the password if he has a token. Assuming that an attacker gets his credentials, he can just log in to the portal and enroll a token himself.

Any idea if this is possible?

Best regards
tbi

Jochen Hein

Mar 4, 2017, 9:54:40 AM
to tbi, privacyidea
tbi <tbal...@gmail.com> writes:

> It is possible to change the login_mode to privacyIDEA which forces the
> user to use a Token to login instead of his userstore password.

Let's see.

> What I would like to achieve is, that as long as the user has no Token
> assigned, he is allowed to login with his userstore password.

This is possible with an authentication policy: enable
"passthru" and set it to "userstore". Documentation says:

If set, the user in this realm will be authenticated against the
userstore or against the given RADIUS config, if the user has no tokens
assigned.

> As soon as he has a Token he needs the Token to login.

Only the token, or OTPPIN and token, or Userstore-password and token?
Enable "otppin" in the authentication policy and select what you like.

> From a security point of view it makes no sense to let him login if he has
> a token. Assuming that an attacker gets his credentials, he can just login

You could deny token enrollment with a policy.

Hope that helps.

Jochen

tbi

Mar 4, 2017, 10:10:33 AM
to privacyidea, tbal...@gmail.com
Hi Jochen

Thanks for the reply. The passthrough option really did the trick. But this gives me another problem: now all users without a token can log in.

What I really want is that users without a token can only log in to the web UI to enroll a token. But they should not be able to log in without a token via SAML.

Regards
Tobias

Jochen Hein

Mar 4, 2017, 11:11:45 AM
to tbi, privacyidea
tbi <tbal...@gmail.com> writes:

> Thanks for the reply. The passthrough option really did the trick. But this
> gives me another problem, now all users without a token can login.
>
> What I really want is, that users without a token can only login to the web
> ui to enroll a token. But they should not be able to login without a token
> via SAML.

There's also a "webui" policy, which has "login_mode" to handle logins
to the webui.

You could possibly add a special policy for your SAML server with the
"client" option in the policy. Would that work?

Jochen
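To make the policy interplay from both of Jochen's answers concrete, here is a small simulation of the decision logic (an added illustration, not privacyIDEA's own code or API). It models only what the thread discusses: an `authentication` policy carrying `passthru=userstore` and `otppin`, a `webui` policy carrying `login_mode`, and the `client` restriction that limits a policy to an address range. The users, token values, address ranges and policy names are constructed for the example; real privacyIDEA policy matching has more dimensions (realm, resolver, time) and its client syntax is richer than the plain CIDR list used here.

```python
"""Toy model of privacyIDEA policy evaluation for the thread's scenario.
Added illustration; assumptions: single realm, CIDR-only client matching,
tokens represented by the OTP values they would accept."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Policy:
    name: str
    scope: str                      # "authentication" or "webui"
    action: dict                    # e.g. {"passthru": "userstore"}
    client: list = field(default_factory=list)   # CIDRs; empty = any client
    active: bool = True

    def matches(self, scope, client_ip):
        if not self.active or self.scope != scope:
            return False
        if not self.client:
            return True
        ip = ipaddress.ip_address(client_ip)
        return any(ip in ipaddress.ip_network(c) for c in self.client)


@dataclass
class Token:
    pin: str
    otps: set                       # constructed: OTP values this token accepts


@dataclass
class User:
    name: str
    userstore_password: str
    tokens: list = field(default_factory=list)


def _action(policies, scope, client_ip, key, default=None):
    """First matching policy in `scope` that defines `key` wins."""
    for p in policies:
        if p.matches(scope, client_ip) and key in p.action:
            return p.action[key]
    return default


def validate_check(user, password, client_ip, policies):
    """Toy /validate/check decision: returns (ok, reason)."""
    if not user.tokens:
        if _action(policies, "authentication", client_ip, "passthru") == "userstore":
            if password == user.userstore_password:
                return True, "passthru: no token, userstore password accepted"
            return False, "passthru: userstore password wrong"
        return False, "no token assigned and no passthru policy matches this client"
    # A token exists: passthru no longer applies; PIN handling follows otppin.
    otppin = _action(policies, "authentication", client_ip, "otppin", "tokenpin")
    for tok in user.tokens:
        expected = ("" if otppin == "none"
                    else user.userstore_password if otppin == "userstore"
                    else tok.pin)
        pin, otp = password[:len(expected)], password[len(expected):]
        if pin == expected and otp in tok.otps:
            return True, f"token accepted (otppin={otppin})"
    return False, "PIN/OTP rejected"


def webui_login(user, password, client_ip, policies):
    """Toy web UI login honouring the webui-scope login_mode action."""
    mode = _action(policies, "webui", client_ip, "login_mode", "userstore")
    if mode == "disable":
        return False, "webui login disabled"
    if mode == "userstore":
        return password == user.userstore_password, "userstore login"
    return validate_check(user, password, client_ip, policies)


# --- constructed demo data ---
WEBUI_LAN = "10.0.0.0/24"       # where the users' browsers sit (constructed)
SAML_IDP = "10.0.1.10"          # the SAML IdP calling /validate/check (constructed)
alice = User("alice", "alice-pw")                          # no token yet
bob = User("bob", "bob-pw", [Token("1234", {"111111"})])   # has one token


def policies_global_passthru():
    return [
        Policy("webui-otp", "webui", {"login_mode": "privacyIDEA"}),
        Policy("passthru-all", "authentication",
               {"passthru": "userstore", "otppin": "userstore"}),
    ]


def policies_client_limited():
    return [
        Policy("webui-otp", "webui", {"login_mode": "privacyIDEA"}),
        Policy("passthru-lan", "authentication", {"passthru": "userstore"},
               client=[WEBUI_LAN]),
        Policy("otppin-all", "authentication", {"otppin": "userstore"}),
    ]


def demo():
    g, c = policies_global_passthru(), policies_client_limited()
    return {
        # the problem raised in the thread: global passthru also admits
        # token-less users through the SAML IdP
        "alice_webui_global": webui_login(alice, "alice-pw", "10.0.0.5", g)[0],
        "alice_saml_global": validate_check(alice, "alice-pw", SAML_IDP, g)[0],
        # client-limited passthru: web UI enrolment login works, SAML does not
        "alice_webui_limited": webui_login(alice, "alice-pw", "10.0.0.5", c)[0],
        "alice_saml_limited": validate_check(alice, "alice-pw", SAML_IDP, c)[0],
        # once a token exists: userstore password + OTP required everywhere
        "bob_pw_only": validate_check(bob, "bob-pw", SAML_IDP, c)[0],
        "bob_pw_otp": validate_check(bob, "bob-pw111111", SAML_IDP, c)[0],
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {'allowed' if v else 'denied'}")
```

The split relies on the web UI's login (with `login_mode=privacyIDEA`) and the SAML IdP's `/validate/check` calls arriving from distinguishable client addresses; if they cannot be told apart by address, the client restriction alone does not give the per-scope behaviour asked for.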

tbi

Mar 4, 2017, 11:48:11 AM
to privacyidea, tbal...@gmail.com
Hi Jochen

Yes, I have configured that now. I guess what I would need is a passthrough policy for the webui scope.

Anyway, thanks for the help.

Best regards
Tobias