MFA integration in didmos2-auth
Activate the microservice
Please refer to the Microservice subsection in the Operations section to learn how to activate a microservice in didmos2-auth.
Note: This requires privacyIDEA running and configured (see below).
Configure privacyIDEA admin user name and password
Set these environment variables in the .env file:
SATOSA_MFA_PI_USERNAME=#user_name#
SATOSA_MFA_PI_PASSWORD=#password#
This user name and password will also be used to initialize the privacyIDEA component.
Set challenge token types
If you need token challenges you may configure token types using this environment variable in the .env file:
SATOSA_MFA_PI_CHALLENGE_TOKENTYPES="sms"
If you need more than one token type, separate the values with spaces.
Sample configuration snippet
SATOSA_MFA_PRIVACYIDEA_ACTIVE=Yes
SATOSA_MFA_PI_USERNAME=admin
SATOSA_MFA_PI_PASSWORD=secret
SATOSA_MFA_PI_CHALLENGE_TOKENTYPES="sms"
PrivacyIDEA configuration
After the initial startup of the environment, connect to https://{PRIVACYIDEA_HOST} and log in to the privacyIDEA Admin UI using the aforementioned credentials.
Refer to the privacyIDEA documentation for further information about the initial configuration of resolvers and realms: https://privacyidea.readthedocs.io/en/latest/firststeps/realm.html
Configure LDAPResolver for didmos2-openldap
In order to use MFA tokens with didmos2, the didmos2-openldap directory has to be integrated into privacyIDEA as an LDAPResolver.
Navigate to Configuration > Users and click on the button "New ldapresolver".
Enter the following data:
| Attribute | Value |
|---|---|
| Resolver Name | didmos2-LDAP |
| Server URI | ldap://ldap |
| STARTTLS | false |
| Base DN | ou=people,ou=data,ou=root-tenant,dc=didmos,dc=de |
| Scope | SUBTREE |
| Bind DN | cn=manager,dc=didmos,dc=de |
| Bind Password | retrieve from .env |
| Bind Type | Simple |
| Timeout (seconds) | 5 |
| Cache Timeout (seconds) | 120 |
| Size Limit | 500 |
| Server pool retry rounds | 2 |
| Server pool skip timeout (seconds) | 30 |
| Per-process server pool | false |
| Edit user store | false |
Below these basic settings, configure the attribute settings with these values:
| Attribute | Value |
|---|---|
| Loginname Attribute | uid |
| Search Filter | (uid=*)(objectClass=inetOrgPerson)(didmosActivationStatus=TRUE) |
| Attribute Mapping | { "phone" : "telephoneNumber", "mobile" : "mobile", "email" : "mail", "surname" : "sn", "givenname" : "givenName" } |
| Multivalue Attributes | blank |
| UID Type | entryUUID |
| No anonymous referral chasing | true |
| No retrieval of schema information | false |
Finally, test the configuration using the button "Test LDAP Resolver". Errors are shown as red pop-ups. If there are no errors, save the resolver.
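As an added illustration (not code from didmos2 or privacyIDEA), the following Python script applies the resolver settings from the two tables above to a few constructed directory entries and shows which users privacyIDEA would see and with which attributes: the didmosActivationStatus assertion hides deactivated accounts, the SUBTREE scope limits the search to the base DN, and entryUUID keys the result so that tokens are bound to that stable identifier rather than to the login name. The filter evaluator only handles flat conjunctions of equality and presence assertions, and the scope check is a simplified DN suffix comparison.

```python
import re

# Resolver settings copied from the tables above (privacyIDEA LDAPResolver for didmos2).
BASE_DN = "ou=people,ou=data,ou=root-tenant,dc=didmos,dc=de"
LOGINNAME_ATTRIBUTE, UID_TYPE = "uid", "entryUUID"
# The table lists three assertions side by side; they are evaluated as one conjunction.
SEARCH_FILTER = "(uid=*)(objectClass=inetOrgPerson)(didmosActivationStatus=TRUE)"
ATTRIBUTE_MAPPING = {"phone": "telephoneNumber", "mobile": "mobile", "email": "mail",
                     "surname": "sn", "givenname": "givenName"}

def parse_filter(filter_string):
    """Split a flat filter, optionally wrapped in (&...), into (attribute, value) pairs."""
    body = filter_string.strip()
    body = body[2:-1] if body.startswith("(&") else body
    assertions = re.findall(r"\(([A-Za-z][\w-]*)=([^()]*)\)", body)
    if "".join(f"({a}={v})" for a, v in assertions) != body:
        raise ValueError(f"unsupported filter syntax: {filter_string}")
    return assertions

def matches(attrs, assertions):
    """True when every assertion holds: '*' tests presence, values compare case-insensitively."""
    return all(bool(attrs.get(a)) if v == "*" else
               any(x.lower() == v.lower() for x in attrs.get(a, []))
               for a, v in assertions)

def resolve_users(entries, base_dn=BASE_DN, search_filter=SEARCH_FILTER,
                  mapping=ATTRIBUTE_MAPPING, login_attr=LOGINNAME_ATTRIBUTE, uid_type=UID_TYPE):
    """Return {entryUUID: {'username': ..., mapped privacyIDEA attributes}} for visible users."""
    assertions = parse_filter(search_filter)
    users = {}
    for dn, attrs in entries:
        # Scope SUBTREE: only entries at or below the base DN are searched (simplified check).
        if not dn.lower().endswith(base_dn.lower()) or not matches(attrs, assertions):
            continue
        record = {"username": attrs[login_attr][0]}
        record.update({pi: attrs[ldap][0] for pi, ldap in mapping.items() if ldap in attrs})
        users[attrs[uid_type][0]] = record
    return users

# Constructed sample entries (dn, attributes); not real didmos2 directory content.
SAMPLE_ENTRIES = [
    ("uid=alice,ou=people,ou=data,ou=root-tenant,dc=didmos,dc=de",
     {"uid": ["alice"], "objectClass": ["inetOrgPerson"], "didmosActivationStatus": ["TRUE"],
      "entryUUID": ["uuid-alice"], "mail": ["alice@example.org"], "sn": ["Example"]}),
    ("uid=bob,ou=people,ou=data,ou=root-tenant,dc=didmos,dc=de",  # deactivated account
     {"uid": ["bob"], "objectClass": ["inetOrgPerson"], "didmosActivationStatus": ["FALSE"],
      "entryUUID": ["uuid-bob"]}),
    ("cn=svc,ou=services,dc=didmos,dc=de",  # outside the base DN, so out of scope
     {"uid": ["svc"], "objectClass": ["inetOrgPerson"], "didmosActivationStatus": ["TRUE"],
      "entryUUID": ["uuid-svc"]}),
]
```

Running `resolve_users(SAMPLE_ENTRIES)` yields only alice, keyed by her entryUUID; bob is filtered out by the activation status and svc by the base DN.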
Create new realm
Navigate to Configuration > Realms and create a new realm:
- Enter the name didmos2 in the column Realm name.
- Select the newly configured LDAP resolver didmos2-LDAP in the column Resolver.
- Click the button Create realm on the right.
Enroll tokens
Log in to https://{PRIVACYIDEA_HOST} with your didmos2 user and navigate to Tokens. Proceed with these steps:
- Click "Enroll Token" in the navigation area on the left.
- Select a token type, e.g. "HOTP: Event based One Time Password".
- Enter a description and a PIN for the token.
- Click "Enroll token".
- Scan the QR code using an authentication app.
During the next login in didmos2 you will be asked to enter a token value in addition to the password.
Configure SMTP Server
- Click Configuration > SMTP Server
- Create a new SMTP server
- Enter the data:
  - Host: smtp://email.daasi.de
  - Sender: mfademo@daasi.de
  - User: applications@daasi.de
  - Password: see syspass
- Save
- Click Configuration > Tokens > Email
- Under SMTP server configuration, select the SMTP server configured above