• Stars
    star
    1,499
  • Rank 31,304 (Top 0.7 %)
  • Language
    Python
  • License
    GNU Affero Genera...
  • Created over 10 years ago
  • Updated 23 days ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

πŸ” multi factor authentication system (2FA, MFA, OTP Server)

privacyIDEA

Build Status https://codecov.io/gh/privacyidea/privacyidea/coverage.svg?branch=master Latest Version PyPI - Python Version License Documentation Codacy Badge

privacyIDEA on twitter

privacyIDEA is an open solution for strong two-factor authentication like OTP tokens, SMS, smartphones or SSH keys. Using privacyIDEA you can enhance your existing applications like local login (PAM, Windows Credential Provider), VPN, remote access, SSH connections, access to web sites or web portals with a second factor during authentication. Thus boosting the security of your existing applications.

Overview

privacyIDEA runs as an additional service in your network and you can connect different applications to privacyIDEA.

privacyIDEA Integration

privacyIDEA does not bind you to any decision of the authentication protocol, nor does it dictate you where your user information should be stored. This is achieved by its totally modular architecture. privacyIDEA is not only open as far as its modular architecture is concerned. But privacyIDEA is completely licensed under the AGPLv3.

It supports a wide variety of authentication devices like OTP tokens (HMAC, HOTP, TOTP, OCRA, mOTP), Yubikey (HOTP, TOTP, AES), FIDO U2F, as well as FIDO2 WebAuthn devices like Yubikey and Plug-Up, smartphone Apps like Google Authenticator, FreeOTP, Token2 or TiQR, SMS, Email, SSH keys, x509 certificates and Registration Codes for easy deployment.

privacyIDEA is based on Flask and SQLAlchemy as the python backend. The web UI is based on angularJS and bootstrap. A MachineToken design lets you assign tokens to machines. Thus you can use your Yubikey to unlock LUKS, assign SSH keys to SSH servers or use Offline OTP with PAM.

You may join the discourse discussion forum to give feedback, help other users, discuss questions and ideas: https://community.privacyidea.org

Setup

For setting up the system to run it, please read install instructions at privacyidea.readthedocs.io.

If you want to setup a development environment start like this:

git clone https://github.com/privacyidea/privacyidea.git
cd privacyidea
virtualenv venv
source venv/bin/activate
pip install -r requirements.txt

You may additionally want to set up your environment for testing, by adding the additional dependencies:

pip install -r tests/requirements.txt

You may also want to read the blog post about development and debugging at https://www.privacyidea.org/privacyidea-development-howto/

Getting and updating submodules

The client-side library for the registering and signing of WebAuthn-Credentials resides in a submodule.

To fetch all submodules for this repository, run:

git submodule update --init --recursive

When pulling changes from upstream later, you can automatically update any outdated submodules, by running:

git pull --recurse-submodules

Running it

First You need to create a config-file.

Then create the database tables and the encryption key:

./pi-manage create_tables
./pi-manage create_enckey

If You want to keep the development database upgradable, You should stamp it to simplify updates:

./pi-manage db stamp head -d migrations/

Create the key for the audit log:

./pi-manage create_audit_keys

Create the first administrator:

./pi-manage admin add <username>

Run it:

./pi-manage runserver

Now you can connect to http://localhost:5000 with your browser and login as administrator.

Run tests

If you have followed the steps above to set up your environment for testing, running the test suite should be as easy as running pytest with the following options:

python -m pytest -v --cov=privacyidea --cov-report=html tests/

Contributing

There are a lot of different ways to contribute to privacyIDEA, even if you are not a developer.

If you found a security vulnerability please report it to [email protected].

You can find detailed information about contributing here: https://github.com/privacyidea/privacyidea/blob/master/CONTRIBUTING.md

Code structure

The database models are defined in models.py and tested in tests/test_db_model.py.

Based on the database models there are the libraries lib/config.py which is responsible for basic configuration in the database table config. And the library lib/resolver.py which provides functions for the database table resolver. This is tested in tests/test_lib_resolver.py.

Based on the resolver there is the library lib/realm.py which provides functions for the database table realm. Several resolvers are combined into a realm.

Based on the realm there is the library lib/user.py which provides functions for users. There is no database table user, since users are dynamically read from the user sources like SQL, LDAP, SCIM or flat files.

Plugins

The privacyIDEA project also provides several plugins for 3rd party applications like SSO Identity Providers or Windows Login.

Subscriptions

Plugins can be limited in the number of users. I.e. the plugin will complain, if the total number of users in privacyIDEA with an active token exceeds a certain limit. There is a certain base number of users, with which the plugin will work. To enhance this number, you will need a subscription. In some cases an additional demo subscription can be found in the release list of the corresponding github plugin repository, you can get a subscription from the company NetKnights or if you have a very good understanding of this Open Source code, you could create a subscription on your own.

Plugin Number of users
Name contained in demo subscription
Keycloak 10000 N/A
SimpleSAMLphp 10000 N/A
ADFS 50 50
Credential Provider 50 50
OwnCloud 50 N/A
LDAP proxy 50 N/A

Versioning

privacyIDEA adheres to Semantic Versioning.

More Repositories

1

keycloak-provider

πŸ”’ OTP Two Factor Authentication Provider for Keycloak to run with privacyIDEA
Java
78
star
2

privacyidea-credential-provider

Credential Provider to enchance the Windows login with a second factor
C++
46
star
3

pi-authenticator

OTP Authenticator App for privacyIDEA Authentication Server
Dart
39
star
4

privacyideaadm

πŸ’» This is a command line client to manage the privacyIDEA server.
Python
32
star
5

simplesamlphp-module-privacyidea

🐟 OTP Two Factor Authentication Module for simpleSAMLphp to run with privacyIDEA
PHP
22
star
6

adfs-provider

Authentication provider for Microsoft AD FS to use with privacyIDEA.
C#
20
star
7

FreeRADIUS

Add two factor authentication to FreeRADIUS via privacyIDEA
Perl
19
star
8

privacyidea-ldap-proxy

🌲 LDAP Proxy to intercept LDAP binds and authenticate against privacyIDEA
Python
19
star
9

pam_python

Add two factor authentication to PAM via privacyIDEA
Python
18
star
10

privacyidea-authenticator

Android OTP Authenticator App for privacyIDEA Authentication Server
Java
13
star
11

shibboleth-plugin

Plugin for shibboleth MFA with privacyidea
Java
9
star
12

scripts

Example scritps to be used with the Script Event Handler of privacyIDEA
Python
6
star
13

jitsi-mod-auth-privacyidea

privacyIDEA 2FA Plugin for Jitsi Meet / Prosody
Lua
6
star
14

privacyidea-owncloud-app

Add enterprise grade two factor authentication to ownCloud using privacyIDEA
JavaScript
6
star
15

mysqlparser

python parser for the mysqld configuration file
Python
6
star
16

docker

Build environment for privacyIDEA docker image
Shell
5
star
17

networkparser

Python parser for parsing /etc/network/interfaces
Python
5
star
18

privacyidea-pam

Module for Linux PAM stack to authenticate users against privacyIDEA
C++
5
star
19

smartcard-client-windows

Windows tool to enroll certificates to PIV devices
C#
5
star
20

check_privacyidea

πŸ” Nagios/Icinga check to verify the authentication workflow of privacyIDEA
Shell
4
star
21

ms-ca-service

Windows service to execute certificate operations on behalf of privacyIDEA
C#
3
star
22

privacyidea-benno-mailarchive

two factor authentication for the benno mailarchive
Python
3
star
23

privacyidea-authenticator-ios

iOS OTP Authenticator App for privacyIDEA Authentication Server
Swift
3
star
24

java-client

Java client to help with development of plugins for the privacyIDEA authentication server
Java
3
star
25

privacyidea-nextcloud-app

☁️ Nextcloud app to perform MFA against privacyIDEA
PHP
3
star
26

csharp-client

C#
2
star
27

otrs

OTRS Plugin that adds 2nd factor authentication against privacyIDEA Server
Perl
2
star
28

AuthModuleRequirements

Requirements for a Web Application Authentication Module
2
star
29

php-client

PHP client to help with development of plugins for the privacyIDEA authentication server
PHP
2
star
30

policy-templates

‼️ Templates for privacyIDEA policies
Python
2
star
31

tincparser

python parser for the tinc configuration file
Python
2
star
32

webauthn-client

Javascript client for plugins to authenticate with WebAuthn against privacyIDEA
JavaScript
2
star
33

freeradiusparser

python parser for the freeradius configuration file
Python
2
star
34

gluu

Authentication script for Gluu
Python
1
star
35

u2f-example

Authentication Example for privacyIDEA
HTML
1
star
36

webauthn-demo

Example project, showing how to authenticate against privacyIDEA using WebAuthn
JavaScript
1
star
37

migrate-2.23.5-to-3.0

Tools to offline migrate privacyIDEA 2.23.5 to privacyIDEA 3.0
Python
1
star
38

webapp-privacyidea

Zarafa WebApp plugin to integrate 2FA with privacyIDEA
PHP
1
star