Paul Lettich

Results 80 comments of Paul Lettich

We need to check at login if the authentication came from an SSO provider. We also need to check if we can add a policy condition for SSO login.

This shouldn't be a problem using `ec` from the `cryptography` module: https://cryptography.io/en/latest/hazmat/primitives/asymmetric/ec/ The question is: how do we handle old keys or systems that don't support ECDSA?

Can we access the SSL cert of privacyIDEA? I think the webserver handles the SSL stuff.

There is an unnecessary hexlification here: https://github.com/privacyidea/privacyidea/blob/00da9e4ee3a813ed5a992530f7ba1351209cb4c5/privacyidea/lib/tokens/webauthntoken.py#L869 https://github.com/privacyidea/privacyidea/blob/00da9e4ee3a813ed5a992530f7ba1351209cb4c5/privacyidea/lib/tokens/webauthntoken.py#L793 By removing this, we could increase the possible size of the `credential_id` to 511 bytes due to another hexlification during our internal...

If we remove the additional hexlification in the code, we won't be able to use older WebAuthn tokens since we would get a wrong `credential_id` from the token. We would...

Currently the `key_enc` column is set to 1024 chars: https://github.com/privacyidea/privacyidea/blob/be99398a8793dcea786f00322d242024d5e704aa/privacyidea/models.py#L187 If we want to support a `credentialId` length of 1023 (https://w3c.github.io/webauthn/#credential-id) we would need to increase the `key_enc` column to...

Hi @nilsbehlen, did you revoke the token/certificate before deleting it? Usually certificates should be revoked, not deleted. Maybe we should automatically revoke the certificate before deleting the token in privacyIDEA.

> I didn't revoke, just delete, so that was the mistake.

Could you enroll another certificate token for the user when the other cert-token is revoked?

Actually, I can confirm this behavior. Enrolling a new cert-token for a user after deleting the old one fails with `ERROR:There is already a certificate for /CN=...` since the certificate...