Support for privacyIDEA 3.13 features:
- push_code_to_phone
- enroll_via_multichallenge_optional
- enroll_via_multichallenge for smartphone containers
Secret handling:
- The `service_pass` is now encrypted at rest with Windows DPAPI. Existing plaintext values (and values typed directly into the registry) are migrated to encrypted storage automatically the first time the provider reads them, with a one-time warning written to the event log.
- The installer hardens the ACL on the configuration registry key so the `service_pass` is no longer readable by non-admin users on the machine.
Security hardening:
- New `forward_client_ip` and `forward_client_user_agent` settings forward the client IP (as the `client` parameter) and the client `User-Agent` header (as the `client_user_agent` parameter) to privacyIDEA for server-side policy decisions. When forwarding the client IP, set the new `trusted_proxies` setting to the IP(s)/CIDR(s) of your reverse proxy so a spoofed `X-Forwarded-For` from a client reaching AD FS directly cannot bypass IP-based policies.
- When SSL/TLS certificate validation is disabled (`disable_ssl=1`), the provider now writes a warning to the Windows Application event log on every service start, so this insecure state can be audited.
- Deprecated TLS versions requested via `tls_version` (`tls11` and older) are now rejected: the provider logs a warning and falls back to the system-default negotiation (TLS 1.2/1.3) instead of downgrading.
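For the secret-handling and security-hardening items above, an added audit script (not part of the provider or its installer) that checks a deployment for the weak states these notes describe: certificate validation disabled, a deprecated `tls_version`, client-IP forwarding without `trusted_proxies`, and a configuration key readable by non-admin accounts. The registry key path is a placeholder, and `tls10`/`ssl3` are assumed value names; only `tls11` is named in these notes.

```powershell
# Added example, not part of the provider or its installer: audit the provider's
# registry configuration for the weak states described in this release.
# ASSUMPTION: the key path is a placeholder; substitute the provider's real
# configuration key. Setting names are the ones used in the release notes.
function Test-PrivacyIdeaProviderConfig {
    param([string]$KeyPath = 'HKLM:\SOFTWARE\PLACEHOLDER-PRIVACYIDEA-PROVIDER-KEY')

    if (-not (Test-Path -Path $KeyPath)) { throw "Configuration key not found: $KeyPath" }
    $cfg = Get-ItemProperty -Path $KeyPath
    $findings = @()

    # 1. Certificate validation disabled: the provider logs this on every start; flag it here too.
    if ("$($cfg.disable_ssl)" -eq '1') {
        $findings += 'disable_ssl=1: TLS certificate validation is off'
    }

    # 2. tls11 is the deprecated value named in the notes; tls10/ssl3 are assumed names.
    if ("$($cfg.tls_version)" -match '^(tls11|tls10|ssl3)$') {
        $findings += "tls_version=$($cfg.tls_version): deprecated, provider falls back to system default"
    }

    # 3. Forwarding the client IP without trusted_proxies: a client that reaches AD FS
    #    directly can supply its own X-Forwarded-For and defeat IP-based policies.
    if ("$($cfg.forward_client_ip)" -eq '1' -and [string]::IsNullOrWhiteSpace("$($cfg.trusted_proxies)")) {
        $findings += 'forward_client_ip=1 with empty trusted_proxies: X-Forwarded-For is spoofable'
    }

    # 4. Key ACL: service_pass must not be readable by broad, non-admin principals.
    $broad = @('BUILTIN\Users', 'Everyone', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')
    $readKey = [int][System.Security.AccessControl.RegistryRights]::ReadKey
    foreach ($ace in (Get-Acl -Path $KeyPath).Access) {
        if ($ace.AccessControlType -eq 'Allow' -and
            $broad -contains $ace.IdentityReference.Value -and
            (([int]$ace.RegistryRights -band $readKey) -ne 0)) {
            $findings += "ACL allows read for $($ace.IdentityReference.Value): service_pass readable by non-admins"
        }
    }
    return $findings
}

$result = @(Test-PrivacyIdeaProviderConfig)
if ($result.Count -eq 0) { 'OK: no weak settings found' } else { $result | ForEach-Object { "FINDING: $_" } }
```

Run it elevated on the AD FS server after installing or reconfiguring the provider; a non-empty finding list should be cross-checked against the warnings the provider writes to the Application event log.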
Other changes:
- Added more German-speaking LCIDs (de-AT, de-CH, de-LI, de-LU).
- Updated the event log location this application writes to. It now writes to the general Windows Application log with the source "privacyIDEAProvider" (if an earlier version registered the source under a different log, it is moved to Application automatically). The event source is removed on uninstall.
- The installer now checks for .NET Framework 4.8 and aborts with instructions if it is missing.
- The service password field in the installer is masked.
- The debug log location is now configurable via the `log_path` registry setting (defaults to the previous `C:\PrivacyIDEA-ADFS log.txt`).