privacyIDEA is a modular authentication system that can manage authentication on your network. It’s powerful, it’s flexible, and it can be set up for free on an existing Ubuntu server.

Unlike a lot of authentication systems, privacyIDEA isn't that hard to install and set up; in fact, you can have your next authentication system up and running in minutes. I'll use the Ubuntu 16.04 platform to show how to set it up, which might seem like a problem because there isn't a privacyIDEA release for anything later than 14.04; fortunately, there's a very easy workaround.


What you need

You need a Ubuntu server that’s up and running, and that server will need to have a full LAMP stack. You can install privacyIDEA with NGINX, but I’m going to stick with what I know best: Apache.

Installing privacyIDEA

First, you must add the necessary repositories. To do this, open a terminal window and issue the following command:

sudo add-apt-repository ppa:privacyidea/privacyidea

Before you run apt-get update, you have to work around the fact that there are no releases for Xenial (16.04). From the terminal, open the file /etc/apt/sources.list.d/privacyidea-ubuntu-privacy-idea-xenial.list in your favorite editor. Look for the deb line that names the release:

deb xenial main

Change that to:

deb trusty main

Save and close the file.

Now run sudo apt-get update, and the repository updates will succeed. Once that command finishes, install privacyIDEA with the following command:

sudo apt-get install python-privacyidea privacyideaadm privacyidea-apache2

Now that your privacyIDEA system is installed, it's time to set it up for login.

Initial setup

You must set up an admin user via the command line with the following command:

sudo pi-manage admin add admin

You will be prompted to enter and verify a new password for the admin user. You’re ready to log into your privacyIDEA web UI.
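The installation and admin-creation steps above collected into one script, as an added example that is not part of the original article. It assumes Ubuntu 16.04, that it is run as root (sudo sh install-privacyidea.sh run) and the PPA sources file name given above; the release-name swap is done with sed instead of an editor, and the script refuses to run apt-get update while any deb line still points at xenial.

```shell
#!/bin/sh
# Added example, not from the original article. Assumes Ubuntu 16.04, root
# privileges (run as: sudo sh install-privacyidea.sh run) and the PPA file
# name used in the article.
set -eu

PI_SOURCES=/etc/apt/sources.list.d/privacyidea-ubuntu-privacy-idea-xenial.list

# Swap the release name on every "deb"/"deb-src" line of the given sources
# file from xenial to trusty, leaving the URL and components untouched.
# Re-running it on an already converted file is a no-op.
retarget_to_trusty() {
    sed -i '/^deb/ s/ xenial / trusty /' "$1"
}

# Succeed only when no deb line in the file still points at xenial.
uses_trusty_only() {
    ! grep -q '^deb.* xenial ' "$1"
}

install_privacyidea() {
    [ "$(id -u)" -eq 0 ] || { echo "run this as root" >&2; return 1; }
    add-apt-repository -y ppa:privacyidea/privacyidea
    retarget_to_trusty "$PI_SOURCES"
    uses_trusty_only "$PI_SOURCES" || {
        echo "$PI_SOURCES still references xenial; not updating apt" >&2
        return 1
    }
    apt-get update
    apt-get install -y python-privacyidea privacyideaadm privacyidea-apache2
    # Creates the first web-UI admin; prompts twice for the password.
    pi-manage admin add admin
}

# Only perform the installation when explicitly asked, so the file can be
# sourced for its functions without touching the system.
if [ "${1:-}" = run ]; then
    install_privacyidea
fi
```

Sourcing the file (. ./install-privacyidea.sh) gives you retarget_to_trusty and uses_trusty_only on their own, which is handy if you want to check the sources file by hand before letting apt touch the system.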

Logging in

To log into the web UI, point your browser to https://IP_OF_SERVER/#/login. You will be prompted for the admin credentials you just created. The user will be admin, and the password will be the one you set with the pi-manage command.

At first login, you’ll be prompted to create a default realm (Figure A). When prompted, click Create Realm, and you’re ready to go.

Figure A

Creating a resolver

Before you start adding users, you must create a resolver. There are four types of resolvers that can be added:

  • Passwdresolver
  • Ldapresolver
  • Sqlresolver
  • Scimresolver

Since I already have MySQL running on the server, I'll demonstrate how to create a new sqlresolver; this requires an existing database with a user table that has a primary key. Without a primary key set on that table, the resolver will not connect.

To create the resolver, log into privacyIDEA as the admin, click Users, and then click New sqlresolver. In the resulting window (Figure B), fill out all of the necessary information and make sure to click Edit User Store.

Figure B

Click the type of system this resolver will be used for (WordPress, OTRS, Tine 2.0, ownCloud, Typo3, Drupal). After you select the system, privacyIDEA autofills some of the required fields. You'll still have to change the table name to an actual table in your database, map the table columns accordingly, and set a limit (the default is 500). With that basic information filled out, click Test SQL Resolver and, if the test passes, click Save Resolver. You can then start adding users for your new resolver.
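A schema that satisfies the sqlresolver's primary-key requirement, plus a pre-flight check to run before clicking Test SQL Resolver, added here as an example; it is not taken from the article or from privacyIDEA itself. The database name pi_users, the table name users and its column names are assumptions for this example, and the setup function passes any remaining arguments straight to the mysql client.

```shell
#!/bin/sh
# Added example, not from the original article or from privacyIDEA. The
# database name, table name and column names are assumptions for this example.
set -eu

# DDL for a user table with an explicit primary key, which the sqlresolver
# needs before it will connect. Column names are the ones the resolver's
# column map will be pointed at (userid -> id, username -> username, ...).
privacyidea_user_table_sql() {
    db="$1"; table="$2"
    cat <<EOF
CREATE DATABASE IF NOT EXISTS \`$db\`;
CREATE TABLE IF NOT EXISTS \`$db\`.\`$table\` (
    id        INT UNSIGNED NOT NULL AUTO_INCREMENT,
    username  VARCHAR(64)  NOT NULL,
    email     VARCHAR(254),
    givenname VARCHAR(64),
    surname   VARCHAR(64),
    password  VARCHAR(255),  -- a password hash, never the cleartext password
    PRIMARY KEY (id),
    UNIQUE KEY uq_username (username)
) ENGINE=InnoDB;
EOF
}

# Query that counts PRIMARY KEY constraints on the table (1 = present, 0 = missing).
primary_key_count_sql() {
    db="$1"; table="$2"
    printf "SELECT COUNT(*) FROM information_schema.TABLE_CONSTRAINTS WHERE TABLE_SCHEMA='%s' AND TABLE_NAME='%s' AND CONSTRAINT_TYPE='PRIMARY KEY';" "$db" "$table"
}

# Apply the schema, then refuse to continue if the table has no primary key.
# Any arguments after db and table are passed to the mysql client unchanged,
# e.g.: setup_resolver_db pi_users users -u root -p
setup_resolver_db() {
    db="$1"; table="$2"; shift 2
    privacyidea_user_table_sql "$db" "$table" | mysql "$@"
    count=$(mysql "$@" -N -s -e "$(primary_key_count_sql "$db" "$table")")
    [ "$count" -eq 1 ] || {
        echo "$db.$table has no primary key; the sqlresolver will not connect" >&2
        return 1
    }
}
```

With the table in place, the column map in the New sqlresolver form points the resolver's userid at id, username at username and so on; if you point it at an existing application table instead, run primary_key_count_sql against that table first, since a table without a primary key is exactly the case where the test button fails.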

What you can do now

Your privacyIDEA authentication server is ready. With this service up and running, you can use it to create such things as two-step authentication for an ownCloud server.

For more information on rolling out privacyIDEA into your network, check out the official documentation.