Auto Enroll TOTP Token


First of all, we like how privacyIDEA is functioning, but we might need a little help with the issue listed below.

We are in the process of deploying TOTP tokens automatically when a created user is logging in without a token. We have created a policy with a pre-event using a Response Mangler Handler (8.6.2. Token Handler Module — privacyIDEA 3.6.2 documentation), and the token is created when the user tries to log on via the Credential Provider.

Another policy, which sends a mail with the QR code when a token is enrolled, is only working via the WebGUI, as a token_init is triggered in the audit log.

But our auto enroll policy is not working; it seems like a token_init is not triggered in the audit log.

Thanks in advance

Have a nice day

Welcome to privacyIDEA.
You should explain in more detail how you are using the event handler.

Please note that (for logical reasons) a response mangler cannot work in a pre-event handler, since at this point there is no response available.
In case you are German speaking, listen to this podcast about enrollment strategies:

Hi Cornelius

Sorry for the confusion; we have tried a couple of things. In the current setup we are trying the events listed below.

Event 1

Name : TOTP_Test

Events : "validate_check", "validate_triggerchallenge"

Handlermodule : Token

Position : pre

Conditions : "user_token_number": "0"

Action : enroll

Options : "To": "tokenowner", "additional_params": "hashlib": "SHA1", "type": "totp", "genkey": 1, "attach_qrcode": "True"

Event 2

Name : TOTP_Mail

Events : "token_init"

Handlermodule : UserNotification

Position : post

Conditions : "token_has_owner": "True", "tokentype": "totp", "user_token_number": "1"

Action : sendmail

Options :

"To": "tokenowner", "attach_qrcode": "True", "body": "Hi …", "emailconfig": "Mailcow", "mimetype": "html", "reply_to": "", "subject": "new Token for {username}@{userrealm}"

The two listed events work:

Event 1 generates a TOTP token if the user doesn't have one, with a login attempt from the PI Cred Provider, but doesn't send an email.

Event 2 only sends an email if the token is enrolled in the GUI; therefore we have tried with the parameter genkey:1 in event 1.

We appreciate all the help we can get trying to fix the puzzle.

This is not possible.

Please take a look here in the pimped documentation, if it helps you understand this:
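As an added example (not part of this thread and not privacyIDEA's own code), the two event handler definitions posted above can be created reproducibly through the privacyIDEA REST API instead of by clicking through the WebUI, which makes it easy to compare and version the exact conditions and options in play. It assumes the /auth and /event endpoints with the parameter names name, event, handlermodule, action, position, conditions and options as documented for the privacyIDEA 3.x API, that the Token handler reads additional_params as a JSON string and ignores option keys it does not know, that POST /event returns the new definition id in result.value, and a hypothetical host pi.example.com with an admin account; verify all of these against the API documentation of your version. Creating the definitions this way changes nothing about the behaviour discussed in the thread.

```python
# Added example: create the thread's two event handler definitions via the
# privacyIDEA REST API. Not part of the original thread or of privacyIDEA.
import json
import os
import urllib.request

# Assumed deployment values, replace with your own (hypothetical host).
PI_URL = os.environ.get("PI_URL", "https://pi.example.com")
PI_ADMIN = os.environ.get("PI_ADMIN", "admin")
PI_ADMIN_PASSWORD = os.environ.get("PI_ADMIN_PASSWORD", "")


def build_event_definitions():
    """The two handler definitions from the thread, shaped as POST /event payloads.

    'event' is sent as a comma-separated string, 'conditions' and 'options'
    as JSON objects (parameter names as in the privacyIDEA 3.x API docs; an
    assumption to verify against your version).
    """
    totp_test = {
        "name": "TOTP_Test",
        "event": "validate_check,validate_triggerchallenge",
        "handlermodule": "Token",
        "position": "pre",
        "action": "enroll",
        "conditions": {"user_token_number": "0"},
        "options": {
            # The init parameters go in as one JSON-encoded string, which is
            # how the Token handler reads additional_params (assumption).
            "additional_params": json.dumps(
                {"hashlib": "SHA1", "type": "totp", "genkey": 1}),
            # Copied verbatim from the post; assumed to be ignored by the
            # Token handler, which only evaluates the option keys it knows.
            "To": "tokenowner",
            "attach_qrcode": "True",
        },
    }
    totp_mail = {
        "name": "TOTP_Mail",
        "event": "token_init",
        "handlermodule": "UserNotification",
        "position": "post",
        "action": "sendmail",
        "conditions": {
            "token_has_owner": "True",
            "tokentype": "totp",
            "user_token_number": "1",
        },
        "options": {
            "To": "tokenowner",
            "attach_qrcode": "True",
            "body": "Hi ...",
            "emailconfig": "Mailcow",
            "mimetype": "html",
            "reply_to": "",
            "subject": "new Token for {username}@{userrealm}",
        },
    }
    return [totp_test, totp_mail]


def events_fired_by(definition):
    """Split the comma-separated event list back into the individual events."""
    return [e.strip() for e in definition["event"].split(",") if e.strip()]


def post_json(base_url, path, payload, token=None):
    """POST a JSON body; admin calls carry the raw JWT in the Authorization header."""
    headers = {"Content-Type": "application/json"}
    if token:
        headers["Authorization"] = token
    req = urllib.request.Request(base_url.rstrip("/") + path,
                                 data=json.dumps(payload).encode(),
                                 headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)


def create_events(base_url, token, definitions):
    """Create each definition; returns the ids privacyIDEA assigned (assumed in result.value)."""
    return [post_json(base_url, "/event", d, token)["result"]["value"]
            for d in definitions]


if __name__ == "__main__":
    defs = build_event_definitions()
    if not PI_ADMIN_PASSWORD:
        # Dry run without a server: show exactly what would be sent.
        print(json.dumps(defs, indent=2))
    else:
        auth = post_json(PI_URL, "/auth",
                         {"username": PI_ADMIN, "password": PI_ADMIN_PASSWORD})
        jwt = auth["result"]["value"]["token"]
        print("created event ids:", create_events(PI_URL, jwt, defs))
```

Run it without PI_ADMIN_PASSWORD set to get a dry run that only prints the payloads; with the password set, it authenticates and creates both definitions. Note that the Token handler sets genkey=1 by default, so the extra parameter copied from the post is redundant but harmless.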