PrivacyIDEA says it supports U2F, although it has only minimal documentation. My suspicion is that it only works if you are using privacyIDEA as an identity provider: that is, you use U2F to identify yourself to privacyIDEA, and then it gives you a SAML or OpenID Connect token to identify you to the end application.

Enabling passbolt to use third-party identity providers would be a very big change. I'm not saying that's a bad thing, quite the opposite: for example, it would allow passbolt to authenticate directly against an identity provider like Google, Github or Office365. To do this today, I put passbolt behind an Apache reverse proxy running mod_auth_openidc (details posted in another thread). It's just that I think this is a rather bigger change than you expect.

Integrating U2F authentication directly into passbolt would probably be simpler, both to code and for sites to deploy, as passbolt would remain self-contained and standalone. But it wouldn't give you the benefit of using third-party identity providers like those I listed.

Adding a plugin to connect 2FA to privacyIDEA is usually rather simple due to a simple REST API.

The /validate/check endpoint is for validating One Time Passwords only; U2F is a cryptographic challenge-response. Furthermore, U2F tokens don't have serial numbers, so you first have to identify the user from username/password, then send the challenge.

This is what privacyIDEA exactly does in the /validate/check API. The U2F token is also a challenge response token, just like you said: ask for username/password and then send the challenge. The user sends his username and static password to this API and privacyIDEA starts the challenge response process.
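The two-step exchange discussed above, written out as an added example that is not part of the original thread and is not privacyIDEA's or passbolt's own code. It is a self-contained Python model of a /validate/check-style endpoint: the first call carries username and static password and, only if the password is right, answers with a transaction_id and a sign request for the U2F key handle registered to that user (the server can find the key handle only after it knows who the user is, which is the point made above about U2F tokens having no serial number); the second call carries the transaction_id and the signed challenge. The response layout (`result.value`, `detail.transaction_id`, `detail.attributes.u2fSignRequest`) is modelled on privacyIDEA's but is an assumption here, as are `APP_ID` and `CHALLENGE_TTL`. The token is simulated with an HMAC standing in for the ECDSA P-256 signature a real U2F device produces, so the example runs with the standard library only; the checks on the server side (single-use transaction, expiry, user binding, strictly increasing counter) are the ones a real verifier has to make.

```python
import hashlib
import hmac
import secrets
import time

APP_ID = "https://passbolt.example"   # assumed U2F application id of the relying party
CHALLENGE_TTL = 120                   # seconds a pending challenge stays valid (assumed)


def _signed_bytes(app_id: str, counter: int, challenge: str) -> bytes:
    """Bytes a token signs: H(appId) || counter || H(challenge).
    The real format also has a user-presence byte and signs clientData rather
    than the bare challenge; both are left out to keep the example short."""
    return (hashlib.sha256(app_id.encode()).digest()
            + counter.to_bytes(4, "big")
            + hashlib.sha256(challenge.encode()).digest())


class FakeU2FToken:
    """Constructed stand-in for a hardware token. A real token signs with an
    ECDSA P-256 key bound to the key handle; an HMAC over the same bytes plays
    that role here so the example needs no third-party crypto library."""

    def __init__(self, key_handle: str, secret: bytes):
        self.key_handle = key_handle
        self.secret = secret
        self.counter = 0

    def sign(self, sign_request: dict) -> dict:
        self.counter += 1   # hardware counter: may only ever increase
        mac = hmac.new(self.secret,
                       _signed_bytes(sign_request["appId"], self.counter,
                                     sign_request["challenge"]),
                       hashlib.sha256).hexdigest()
        return {"keyHandle": self.key_handle, "counter": self.counter, "signatureData": mac}


class ValidateCheck:
    """Models the two calls a client makes to /validate/check for a U2F user."""

    FAIL = {"result": {"status": True, "value": False}}

    def __init__(self):
        self.users = {}         # username -> {salt, pw_hash, tokens: {keyHandle: {secret, counter}}}
        self.transactions = {}  # transaction_id -> {user, challenge, expires}

    def register(self, username: str, password: str, key_handle: str, secret: bytes):
        """Real U2F registration stores the token's public key; the HMAC stand-in stores a secret."""
        salt = secrets.token_bytes(16)
        self.users[username] = {
            "salt": salt,
            "pw_hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000),
            "tokens": {key_handle: {"secret": secret, "counter": 0}},
        }

    def check(self, user, password="", transaction_id=None, signature=None, now=None):
        now = time.time() if now is None else now
        if transaction_id is None:
            return self._password_step(user, password, now)
        return self._challenge_step(user, transaction_id, signature, now)

    def _password_step(self, user, password, now):
        record = self.users.get(user)
        if record is None:
            return dict(self.FAIL)
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], 100_000)
        if not hmac.compare_digest(candidate, record["pw_hash"]):
            return dict(self.FAIL)   # no challenge is issued until the password checks out
        key_handle = next(iter(record["tokens"]))   # known only once the user is identified
        challenge = secrets.token_urlsafe(32)
        transaction_id = secrets.token_hex(10)
        self.transactions[transaction_id] = {"user": user, "challenge": challenge,
                                             "expires": now + CHALLENGE_TTL}
        return {"result": {"status": True, "value": False},
                "detail": {"transaction_id": transaction_id,
                           "message": "Please confirm with your U2F token",
                           "attributes": {"u2fSignRequest": {"appId": APP_ID,
                                                             "challenge": challenge,
                                                             "keyHandle": key_handle}}}}

    def _challenge_step(self, user, transaction_id, signature, now):
        tx = self.transactions.pop(transaction_id, None)   # single use, also on failure
        if tx is None or tx["user"] != user or now > tx["expires"]:
            return dict(self.FAIL)
        token = self.users[user]["tokens"].get(signature.get("keyHandle"))
        counter = signature.get("counter")
        if token is None or not isinstance(counter, int) or not 0 <= counter < (1 << 32):
            return dict(self.FAIL)
        expected = hmac.new(token["secret"],
                            _signed_bytes(APP_ID, counter, tx["challenge"]),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, signature.get("signatureData", "")):
            return dict(self.FAIL)
        if counter <= token["counter"]:
            return dict(self.FAIL)   # replayed response or a cloned token
        token["counter"] = counter
        return {"result": {"status": True, "value": True}}


if __name__ == "__main__":
    server = ValidateCheck()
    token = FakeU2FToken("kh-alice", b"constructed-token-secret")
    server.register("alice", "correct horse battery", token.key_handle, token.secret)
    step1 = server.check("alice", "correct horse battery")
    signed = token.sign(step1["detail"]["attributes"]["u2fSignRequest"])
    step2 = server.check("alice", transaction_id=step1["detail"]["transaction_id"], signature=signed)
    print(step1["result"], step2["result"])
```

The first response deliberately has `value: false`: the password alone never authenticates a U2F user, it only unlocks the challenge. Popping the transaction before any other check makes a transaction_id single-use even when the second call fails, and the counter comparison is what catches a token whose key material has been copied.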