8.6.5. Federation Handler Module

The federation event handler can be used to configure relations between several privacyIDEA instances. Requests can be forwarded to child privacyIDEA instances.

Note

The federation event handler can modify the original response. If the response was modified a new field origin will be added to the detail section in the response. The origin will contain the URL of the privacyIDEA server that finally handled the request.

8.6.5.1. Possible Actions

8.6.5.1.1. forward

A request (usually an authentication request validate_check) can be forwarded to another privacyIDEA instance. The administrator can define privacyIDEA instances centrally at config -> privacyIDEA servers.

In addition to the privacyIDEA instance the action forward takes the following parameters:

client_ip The original client IP will be passed to the child privacyIDEA server. Otherwise the child privacyIDEA server will use the parent privacyIDEA server as client.

Note

You need to configure the allow override client in the child privacyIDEA server.

realm The forwarding request will change the realm to the specified realm.

This might be necessary since the child privacyIDEA server could have different realms than the parent privacyIDEA server.

resolver The forwarding request will change the resolver to the specified

resolver. This might be necessary since the child privacyIDEA server could have different resolvers than the parent privacyIDEA server.

One simple possibility would be, that a user has a token in the parent privacyIDEA server and in the child privacyIDEA server. Configuring a forward event handler on the parent with the condition result_value = False would have the effect, that the user can either authenticate with the parent’s token or with the child’s token on the parent privacyIDEA server.

Federation can be used, if privacyIDEA was introduced in a subdivision of a larger company. When privacyIDEA should be enrolled to the complete company you can use federation. Instead of dropping the privacyIDEA instance in the subdivision and installing on single central privacyIDEA, the subdivision can still go on using the original privacyIDEA system (child) and the company will install a new top level privacyIDEA system (parent).

Using the federation handler you can setup many other, different scenarios we can not think of, yet.

8.6.5.2. Code

This is the event handler module for privacyIDEA federations. Requests can be forwarded to other privacyIDEA servers.

class privacyidea.lib.eventhandler.federationhandler.ACTION_TYPE[source]

Allowed actions

FORWARD = 'forward'
class privacyidea.lib.eventhandler.federationhandler.FederationEventHandler[source]

An Eventhandler needs to return a list of actions, which it can handle.

It also returns a list of allowed action and conditions

It returns an identifier, which can be used in the eventhandling definitions

property actions

This method returns a dictionary of allowed actions and possible options in this handler module.

Returns

dict with actions

description = 'This event handler can forward the request to other privacyIDEA servers'
do(action, options=None)[source]

This method executes the defined action in the given event.

Parameters
  • action

  • options (dict) – Contains the flask parameters g, request, response and the handler_def configuration

Returns

identifier = 'Federation'