Auto Enroll and Assign Users a token upon creation of a new user


I have created a privacyIDEA server that automatically imports users via LDAP when the users are put in a specific group. This works great!

However, to make it as simple as possible for the end users, I’ve basically decided I never want them to log in to the privacyIDEA portal.

I would like to:

  • Add the users by putting them in my aforementioned LDAP group
  • The users get put into privacyIDEA (henceforth referred to as “PI”) automatically because of the sync
  • PI then enrolls a TOTP token
  • Then it assigns that token to the user
  • User then gets an email with the QR Code needed to add the token to their device

This way, the admin can entirely manage everything. And first-time enrollment is pretty much handled automatically.

I have played around with some of the event handlers and policies, but cannot seem to figure out how to get this working. Is it even possible?

privacyIDEA does not actively sync the users from LDAP.
It searches users in LDAP each time you request or search a user in privacyIDEA.

So there is no “event” to hook your enrollment to. You need to come up with which event would actually work out for you.

Then you can use the script handler and write your own script to enroll and mail the token.

Thanks! I decided on assigning the tokens myself and using that event to send the email!
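
A sketch of the kind of script the reply suggests running from the script handler, added here as an example and not taken from the thread or from privacyIDEA itself. It assumes the privacyIDEA REST endpoint `POST /token/init` with the response fields `detail.serial` and `detail.googleurl.value`, and an admin auth token already obtained from `/auth`; the function names, addresses and sample response are constructed, and how the handler passes the user to the script is not shown.

```python
import json
import urllib.parse
import urllib.request
from email.message import EmailMessage

def enroll_totp(base_url, auth_token, user, realm):
    """POST /token/init: create a TOTP token with a server-generated seed, assigned to user."""
    data = urllib.parse.urlencode(
        {"type": "totp", "genkey": 1, "user": user, "realm": realm}).encode()
    req = urllib.request.Request(base_url.rstrip("/") + "/token/init", data=data,
                                 headers={"Authorization": auth_token})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

def parse_enrollment(body):
    """Return (serial, otpauth_uri); raise if the server did not report success."""
    if not body.get("result", {}).get("status"):
        raise RuntimeError("enrollment failed: %r" % body.get("result"))
    detail = body["detail"]
    uri = detail["googleurl"]["value"]
    if not uri.startswith("otpauth://totp/"):
        raise ValueError("unexpected enrollment URI")
    return detail["serial"], uri

def build_mail(sender, recipient, serial, otpauth_uri):
    """Build the enrollment mail. The otpauth URI carries the TOTP secret,
    so hand the message only to an authenticated, TLS-protected SMTP relay."""
    msg = EmailMessage()
    msg["From"], msg["To"] = sender, recipient
    msg["Subject"] = "Your TOTP token " + serial
    msg.set_content("Add this token to your authenticator app:\n" + otpauth_uri + "\n")
    return msg

# Constructed sample of a /token/init response (not captured from a real server).
SAMPLE = {"result": {"status": True, "value": True},
          "detail": {"serial": "TOTP0001ABCD",
                     "googleurl": {"value": "otpauth://totp/TOTP0001ABCD"
                                            "?secret=JBSWY3DPEHPK3PXP&period=30"}}}

if __name__ == "__main__":
    serial, uri = parse_enrollment(SAMPLE)
    print(build_mail("pi@example.org", "alice@example.org", serial, uri))
```

Because the mailed URI is enough to clone the token, the mailbox becomes part of the second factor's trust boundary.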