Open Source One-Time Password with PrivacyIDEA (and tips)

Very good open source software to build your own OTP solution. It is called PrivacyIDEA. This product offers a lot of features :

Authentication via a REST API with easy authentication with JWT.
Returns easy parsable JSON output
Can act as a SAML Identity Provider in conjunction with SimpleSAMLphp
Plugins available for
- FreeRADIUS,
- PAM (supporting Offline OTP)
- Apache2,
- OTRS,
- Django,
- ownCloud,
- WordPress,
- TYPO3,
- Contao,
- dokuwiki…

There are two useful tutorials to help you to install and configure PrivacyIDEA :

I have tested this solution for both Owncloud and WordPress. It is working well but be careful. There are several steps/configuration details that are not provided :

for Owncloud : you will not be able to use PrivacyIDEA if you use Owncloud encryption module. The Owncloud encryption module uses your password : with PrivacyIDEA the password changes continuously. If you want to use PrivacyIDEA with Owncloud, you will have to decrypt and/or disable the server side encryption
for both WordPress/Owncloud : keep a standard user/password. You can configure on both environment an OTP exclusion for one or several specific accounts. It is important because if a PrivacyIDEA is not available you will not be able to login anymore.
- for WordPress :
- for Owncloud :

Another tips for Owncloud : when you installed the PrivacyIDEA Owncloud app, unselect and select the tick “Use privacyIDEA to authenticate the users”. By default, just after you enable the app, this option is selected but the app will appear as disabled in the log file. Unselect/select this option enable properly the app.

Regarding the Apache configuration to host the privacyIDEA Web UI, you will have to adapt your configuration if you use virtual hosts. This is a vhost configuration example you can use to make it work properly:

################
# PRIVACY ID3A #
################
<VirtualHost *:443>
        ServerAdmin webmaster@localhost
        ServerName privacyidea.domain.local

        DocumentRoot /var/www/privacyidea
        <Directory />
                Options FollowSymLinks
                AllowOverride None
                Require all denied
		# restrict the access of the privacyidea admin console to limited ip address list
                require ip 10.0.0.1 10.0.0.2 10.0.0.3
        </Directory>

	# I have added this section to make it work properly
        <Directory /etc/privacyidea>
                Order allow,deny
                Allow from all
                Require all granted
        </Directory>

        WSGIScriptAlias /      /etc/privacyidea/privacyideaapp.wsgi
        WSGIDaemonProcess privacyidea processes=1 threads=15 display-name=%{GROUP} user=privacyidea
        WSGIProcessGroup privacyidea
        WSGIPassAuthorization On

        ErrorLog /var/log/apache2/error.log

        LogLevel warn

        LogFormat "%h %l %u %t %>s \"%m %U %H\"  %b \"%{Referer}i\" \"%{User-agent}i\"" privacyIDEA
        CustomLog /var/log/apache2/ssl_access.log privacyIDEA

        SSLEngine on
        SSLProtocol +TLSv1.2 +TLSv1.1 +TLSv1 -SSLv2 -SSLv3
        SSLHonorCipherOrder on
        SSLCipherSuite "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:RC4-SHA:AES256-GCM-SHA384:AES256-SHA256:CAMELLIA256-SHA:ECDHE-RSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:CAMELLIA128-SHA !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"

        SSLCertificateFile    /cert/yourcert.crt
        SSLCertificateKeyFile  /cert/yourcert.key

        <FilesMatch "\.(cgi|shtml|phtml|php)$">
                SSLOptions +StdEnvVars
        </FilesMatch>
        <Directory /usr/lib/cgi-bin>
                SSLOptions +StdEnvVars
        </Directory>
        BrowserMatch ".*MSIE.*" \
                nokeepalive ssl-unclean-shutdown \
                downgrade-1.0 force-response-1.0
</VirtualHost>

Last information, if you are using iptables/ip6tables rules with the default policy set to DROP, do not forget to add/permit the localhost communication with the mySQL database server:

ip6tables -I INPUT -i lo -p tcp -m tcp --sport 3306 -j ACCEPT
ip6tables -I INPUT -i lo -p tcp -m tcp --dport 3306 -j ACCEPT
iptables -I INPUT -i lo -j ACCEPT
iptables -I OUTPUT -o lo -j ACCEPT

Do not hesitate to leave a comment if you have any questions or see something wrong in this article.