I've been playing with privacyidea alongside our development simplesamlphp setup, with a view to using it to provide 2FA on our production IdP. We've got paper-based OTP with Active Directory users/passwords working OK, which is a great start. However, in getting to this stage I had to tweak a couple of lines in the privacyidea module for simplesamlphp (modules/privacyidea/lib/Auth/Source/privacyidea.php). It appears that my version of php (5.3.3 on CentOS 6.7) doesn't like the syntax of some of the arrays in foreach statements. Replacing them with explicit array functions fixes it.
*** privacyidea.php 2017-04-26 11:09:10.127262689 +0100
--- privacyidea.php.Original 2017-03-02 07:38:07.000000000 +0000
***************
*** 145,158 ****
}
// determine the client IP
$headers = $_SERVER;
! foreach(array("X-Forwarded-For", "HTTP_X_FORWARDED_FOR", "REMOTE_ADDR") as $clientkey) {
if (array_key_exists($clientkey, $headers)) {
$client_ip = urlencode($headers[$clientkey]);
SimpleSAML_Logger::debug("Using IP from " . $clientkey . ": " . $client_ip);
$params = $params . "&client=" . $client_ip;
break;
}
}
// Add some debug so we know what we are doing.
--- 145,157 ----
}
// determine the client IP
$headers = $_SERVER;
! foreach(["X-Forwarded-For", "HTTP_X_FORWARDED_FOR", "REMOTE_ADDR"] as $clientkey) {
if (array_key_exists($clientkey, $headers)) {
$client_ip = urlencode($headers[$clientkey]);
SimpleSAML_Logger::debug("Using IP from " . $clientkey . ": " . $client_ip);
$params = $params . "&client=" . $client_ip;
break;
}
}
// Add some debug so we know what we are doing.
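Review bot: the client-IP loop in this hunk checks `X-Forwarded-For` / `HTTP_X_FORWARDED_FOR` before `REMOTE_ADDR`, so the `client=` value sent to privacyIDEA is whatever the requester placed in that header unless a trusted reverse proxy in front of the IdP overwrites it; if any privacyIDEA policy is keyed on client IP, the forwarded header should only be honoured when `REMOTE_ADDR` is a known proxy address. Two smaller points on the same lines: the first key, `"X-Forwarded-For"`, never occurs in `$_SERVER` (PHP exposes request headers as `HTTP_X_FORWARDED_FOR`), so it is a dead entry, and a forwarded header may carry a comma-separated chain of addresses that is urlencoded as a whole. The syntax change itself (`[...]` to `array(...)`) is behaviour-preserving.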
***************
*** 230,236 ****
if ($transaction_id) {
/* If we have a transaction_id, we do challenge response */
SimpleSAML_Logger::debug("Throwing CHALLENGERESPONSE");
! throw new SimpleSAML_Error_Error(array("CHALLENGERESPONSE", $transaction_id, $message, $attributes));
}
SimpleSAML_Logger::debug("Throwing WRONGUSERPASS");
throw new SimpleSAML_Error_Error("WRONGUSERPASS");
--- 229,235 ----
if ($transaction_id) {
/* If we have a transaction_id, we do challenge response */
SimpleSAML_Logger::debug("Throwing CHALLENGERESPONSE");
! throw new SimpleSAML_Error_Error(["CHALLENGERESPONSE", $transaction_id, $message, $attributes]);
}
SimpleSAML_Logger::debug("Throwing WRONGUSERPASS");
throw new SimpleSAML_Error_Error("WRONGUSERPASS");
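Review bot: the module's documented PHP requirement should state what this change implies: the short array syntax `[...]` used on the original side only works from PHP 5.4, so either the module declares PHP >= 5.4 (and this patch is a local backport for 5.3) or it adopts `array(...)` throughout and documents 5.3 support. Note also that the file headers list the patched file as the `***` side and `privacyidea.php.Original` as the `---` side, so applying this with `patch` as-is would revert the fix; regenerating with the original first (`diff -c privacyidea.php.Original privacyidea.php`) gives the conventional direction. The replacement in this hunk is otherwise behaviour-identical.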