2-step enrollment not working (PI v 3.5.1)

I followed below link trying to register new TOTP token with 2 steps enrollment

The 1st call was like this:
HttpResponse<String> response = Unirest.post("https://{URL}/token/init?realm=defrealm&genkey=1&type=totp&user={username}&2stepinit=1")
        .header("Authorization", "{token}")
        .asString();

I got a 200 response and a token including a base64 image. I used Google Authenticator to scan the QR code.

Then the user has to enter back the code they get from the client/app.

So I use /validate/check to check whether the code is correct before calling the 2nd step to enroll the token.

If it succeeds with a matching token, I register the 2nd step with the following:
HttpResponse<String> response = Unirest.post("https://{URL}/token/init?type=totp&serial={serial from the 1st call}&otpkey={code from client app}")
        .header("Authorization", "{token}")
        .asString();

I get a 200 response, but I cannot log in with that code from the client app.

If I use /validate/check to validate the code from the client app, it no longer matches: it responds with 200 but "wrong otp value".

Did I do anything wrong here?


Your understanding of 2-step enrollment does not match the way privacyIDEA uses it. Re-read the documentation!
For privacyIDEA 2-step enrollment you need the privacyIDEA Authenticator!

The way you think of "2 step enrollment", i.e. simply verifying one OTP value after enrollment, is what privacyIDEA calls 1-step enrollment. Again: what you are doing is one-step enrollment for privacyIDEA. Omit stepinit=1 and omit all 2step policies!
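To make the difference between the two enrollment modes concrete, here is an added example that models both the server and the authenticator app in Python. It is not code from this thread or from privacyIDEA, and it assumes the key combination described in the privacyIDEA 2-step documentation as I read it (PBKDF2-HMAC-SHA1 with the server component as password and the client component as salt, 10000 rounds); the serial format, the `Server` class and the `make_rng` helper are constructed for the example. The point it shows: in 2-step enrollment the value posted as `otpkey` in the second /token/init call is the client's own random key component, not an OTP value displayed by the app, and posting an OTP value there produces a server-side key the app does not have.

```python
"""Model of privacyIDEA-style 2-step TOTP enrollment (added example, not
privacyIDEA's own code). Both parties are modelled so the flows can be
compared offline. Key derivation parameters are an assumption."""
import hashlib
import hmac
import os
import struct
import time

ROUNDS = 10000        # assumed default of the 2step_difficulty policy
SERVER_BYTES = 20     # assumed default server component size
CLIENT_BYTES = 8      # assumed default client component size


def derive_key(server_part: bytes, client_part: bytes, rounds: int = ROUNDS) -> bytes:
    """Final TOTP secret from the two components (assumed: PBKDF2-HMAC-SHA1)."""
    return hashlib.pbkdf2_hmac("sha1", server_part, client_part, rounds, len(server_part))


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, now: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP for a given unix time."""
    return hotp(key, int(now) // step, digits)


def make_rng(seed: str):
    """Deterministic byte source so the example is reproducible (constructed)."""
    state = {"n": 0}

    def rng(n: int) -> bytes:
        out = b""
        while len(out) < n:
            out += hashlib.sha256(f"{seed}:{state['n']}".encode()).digest()
            state["n"] += 1
        return out[:n]
    return rng


class Server:
    """Minimal stand-in for the /token/init and /validate/check endpoints."""

    def __init__(self):
        self.tokens = {}

    def token_init(self, serial=None, two_step=False, otpkey=None, rng=os.urandom):
        if serial is None:                      # first call: generate the server component
            serial = "TOTP%08X" % struct.unpack(">I", rng(4))[0]   # constructed serial format
            part = rng(SERVER_BYTES)
            if two_step:                        # 2stepinit=1: only half a key, token pending
                self.tokens[serial] = {"server_part": part, "key": None}
            else:                               # 1-step: the full key is handed out
                self.tokens[serial] = {"server_part": None, "key": part}
            return {"serial": serial, "otpkey": part.hex()}
        tok = self.tokens[serial]               # second call: otpkey is the CLIENT component
        if tok["server_part"] is None:
            raise ValueError("token is not awaiting a client component")
        tok["key"] = derive_key(tok["server_part"], bytes.fromhex(otpkey))
        tok["server_part"] = None
        return {"serial": serial}

    def validate_check(self, serial: str, otp: str, now: float) -> bool:
        tok = self.tokens[serial]
        if tok["key"] is None:                  # pending 2-step token: not usable yet
            return False
        return any(hmac.compare_digest(totp(tok["key"], now + d * 30), otp) for d in (-1, 0, 1))


def enroll_two_step(server: Server, rng=os.urandom):
    """What the privacyIDEA Authenticator does (as I understand the docs)."""
    r1 = server.token_init(two_step=True, rng=rng)
    server_part = bytes.fromhex(r1["otpkey"])
    client_part = rng(CLIENT_BYTES)             # the app's own random component
    server.token_init(serial=r1["serial"], otpkey=client_part.hex())
    return r1["serial"], derive_key(server_part, client_part)   # app now holds the final key


def enroll_with_otp_as_otpkey(server: Server, now: float, rng=os.urandom):
    """The flow from the question: a generic app stores the server half as the
    whole key, and the OTP value it shows is posted as otpkey in step 2."""
    r1 = server.token_init(two_step=True, rng=rng)
    app_key = bytes.fromhex(r1["otpkey"])
    otp = totp(app_key, now)                    # six digits, which happen to parse as hex
    server.token_init(serial=r1["serial"], otpkey=otp)
    return r1["serial"], app_key                # app's key != server's derived key


if __name__ == "__main__":
    now = time.time()
    srv = Server()
    serial, key = enroll_two_step(srv)
    print("2-step with client component:", srv.validate_check(serial, totp(key, now), now))
    serial2, app_key = enroll_with_otp_as_otpkey(srv, now)
    print("2-step with OTP posted as otpkey:", srv.validate_check(serial2, totp(app_key, now), now))
```

Run it and the first line prints True while the second prints False, which is the "wrong otp value" the question describes. Against a real privacyIDEA server the two calls are /token/init?…&2stepinit=1 and then /token/init?serial=…&otpkey=<hex client component>, with the component sizes and difficulty governed by the 2step enrollment policies, which is why the privacyIDEA Authenticator, and not a generic TOTP app, is required.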

@cornelinux I don't have an issue with 1-step enrollment and it works fine; I want to test 2-step enrollment.
I tried to test 2-step enrollment with the privacyIDEA Authenticator too, but it is not working; I cannot work out what I'm missing. Could you shed some light on what step I missed, or what steps you would perform if you wanted to test 2-step enrollment?

I have tried to read these docs again but still don't know what I'm missing.