8.6.5. Federation Handler Module
The federation event handler is used to configure relations between several privacyIDEA instances: a request received by one instance (the parent) can be forwarded to child privacyIDEA instances.
Note
The federation event handler can modify the original response. If the response is modified, a new field origin is added to the detail section of the response. The origin contains the URL of the privacyIDEA server that finally handled the request.
8.6.5.1. Possible Actions
8.6.5.1.1. forward
A request (usually an authentication request to /validate/check) can be forwarded to another privacyIDEA instance. The administrator defines the available privacyIDEA instances centrally at config -> privacyIDEA servers.
In addition to the target privacyIDEA instance, the action forward takes the following parameters:
- client_ip The original client IP is passed on to the child privacyIDEA server. Without it, the child privacyIDEA server sees the parent privacyIDEA server as the client, so any client-dependent policies on the child are evaluated against the parent's address.
Note
You need to configure the parent in the "allow override client" setting of the child privacyIDEA server, otherwise the child ignores the passed client IP.
- realm The forwarded request carries the specified realm instead of the original one. This may be necessary since the child privacyIDEA server can have different realms than the parent privacyIDEA server.
- resolver The forwarded request carries the specified resolver instead of the original one. This may be necessary since the child privacyIDEA server can have different resolvers than the parent privacyIDEA server.
One simple scenario: a user has one token in the parent privacyIDEA server and another in the child privacyIDEA server. Configuring a forward event handler on the parent with the condition result_value = False has the effect that a request which fails on the parent is retried on the child, so the user can authenticate against the parent with either the parent's token or the child's token.
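To make the forward options and the result_value = False scenario concrete, the following Python example was written for this page; it is not privacyIDEA's own code. It models the handler from the outside: copy the incoming request, apply the client_ip, realm and resolver options, hand the request to the child, and stamp detail.origin onto the answer that is returned, as the note above describes. The child server is a local stub instead of an HTTP call, the request and response bodies are constructed samples, and the parameter name client used to carry the original IP (the one the child's override-client setting is meant to honour) is an assumption. It also adds the check a relying party would want: only trust a forwarded success whose origin is a known child.

```python
import copy

# Constructed sample request as the parent received it on /validate/check.
PARENT_REQUEST = {"user": "alice", "realm": "corp", "pass": "424242"}
# Constructed: the IP of the user's machine, as seen by the parent.
ORIGINAL_CLIENT_IP = "10.1.2.3"
# Constructed: the parent's own answer; alice has no matching token here.
PARENT_RESPONSE = {
    "result": {"status": True, "value": False},
    "detail": {"message": "wrong otp value"},
}
# Assumed URL of the child instance as defined under config -> privacyIDEA servers.
CHILD_URL = "https://child.example.com"


def result_value_matches(response, expected):
    """Mirror the handler condition result_value: compare result.value
    with the configured boolean (result_value = False in the text)."""
    return bool(response.get("result", {}).get("value")) is expected


def build_forward_params(request_params, client_ip=None, realm=None, resolver=None):
    """Apply the documented forward options to a copy of the request.

    'client' is the assumed parameter name that carries the original IP to
    the child; the child only honours it when the parent is listed in its
    override-client setting (see the note in the text)."""
    params = dict(request_params)
    if client_ip:
        params["client"] = client_ip
    if realm:
        params["realm"] = realm  # the child may know the user under another realm
    if resolver:
        params["resolver"] = resolver
    return params


def stamp_origin(child_response, child_url):
    """Return the child's answer as the final response, recording in
    detail.origin which server actually handled the request."""
    final = copy.deepcopy(child_response)
    final.setdefault("detail", {})["origin"] = child_url
    return final


def forward_on_failure(request_params, client_ip, parent_response, child_validate,
                       child_url=CHILD_URL, realm=None, resolver=None):
    """Decision flow of a forward action with condition result_value = False:
    a successful parent answer is returned untouched; a failed one is retried
    on the child and the child's answer replaces it."""
    if not result_value_matches(parent_response, False):
        return parent_response
    params = build_forward_params(request_params, client_ip, realm, resolver)
    return stamp_origin(child_validate(params), child_url)


def fake_child_validate(params):
    """Constructed stand-in for the child's /validate/check (no network):
    alice's token lives in the child's own realm 'subdivision'."""
    if params.get("user") == "alice" and params.get("realm") == "subdivision" \
            and params.get("pass") == "424242":
        return {"result": {"status": True, "value": True},
                "detail": {"message": "matching 1 tokens", "serial": "TOTP00012345"}}
    return {"result": {"status": True, "value": False},
            "detail": {"message": "wrong otp value"}}


def accept(response, trusted_origins):
    """Relying-party check: a success is accepted only if it was answered
    locally (no origin) or by a child in the trusted set."""
    result = response.get("result", {})
    if not (result.get("status") and result.get("value")):
        return False
    origin = response.get("detail", {}).get("origin")
    return origin is None or origin in trusted_origins


if __name__ == "__main__":
    final = forward_on_failure(PARENT_REQUEST, ORIGINAL_CLIENT_IP, PARENT_RESPONSE,
                               fake_child_validate, realm="subdivision")
    print(final["result"]["value"], final["detail"].get("origin"))
    print(accept(final, {CHILD_URL}))
```

Without the realm override the stub child does not find the user and the forwarded request fails as well; the origin is still set, because the child is the server that produced the final answer.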
Federation is useful if privacyIDEA was first introduced in a subdivision of a larger company and is later to be rolled out to the complete company. Instead of dropping the privacyIDEA instance of the subdivision and installing one single central privacyIDEA, the subdivision can keep using its original privacyIDEA system (the child) while the company installs a new top-level privacyIDEA system (the parent).
Using the federation handler you can set up many other scenarios that we have not thought of yet.
8.6.5.2. Code
This is the event handler module for privacyIDEA federations. Requests can be forwarded to other privacyIDEA servers.
class privacyidea.lib.eventhandler.federationhandler.ACTION_TYPE
    Allowed actions

    FORWARD = 'forward'

class privacyidea.lib.eventhandler.federationhandler.FederationEventHandler
    An event handler needs to return a list of actions which it can handle. It also returns a list of allowed actions and conditions, and an identifier which can be used in the event handler definitions.

    property actions
        This method returns a dictionary of allowed actions and possible options in this handler module.
        Returns: dict with actions

    description = 'This event handler can forward the request to other privacyIDEA servers'

    do(action, options=None)
        This method executes the defined action in the given event.
        Parameters:
            action – the action to execute
            options (dict) – contains the flask parameters g, request, response and the handler_def configuration
        Returns:

    identifier = 'Federation'

    property