Email 2FA with keycloak and PrivacyIdea

Is there any guide or explanation on how to use PrivacyIdea email 2FA with keycloak?

I have already tried to install privacyidea with keycloak but in enrollment token type appears only Totp and Hotp , is there anything missing?

Hello Rasha,

welcome to the community. Sure there is such a guide. See for example this guide:

But your problem may be related to the privacyIDEA policies you have set?

Best regards,

Henning Hollermann

I have added the privacy and policy URL to keycloak config , also i created email policy in privacyIdea , also keycloak and privacyIdea connected with the same database and stmp configs configured in privacyIdea
what is missed ?Screenshot from 2020-09-02 16-19-00 (1)


enrolling email token by the keycloak plugin is not implemented. You will have to enroll the token using privacyidea.

Thank you Nils! Rasha, in case you have the email addresses of your users somewhere available to privacyIDEA, you may think about using some event-handler to automate the rollout for you.



I’m not sure i understand this right.
We use Keycloak as IDP.
The customer requests to have three alternatives for the 2nd factor: [HT]OTP via mobile app, via SMS and via eMail.
Following Keycloak - ExtensionsHow to use Keycloak with privacyIDEA - Howtos - privacyIDEA community i had an understanding this Extension would fullfil these needs.
Am i wrong?
Else, are there any ideas how to fullfil these requirmenents?

Hi, are you using version 0.5.1 of the keycloak provider? says “version=0.5.1”

please give the previous version a try: Release v0.5 · privacyidea/keycloak-provider · GitHub
in 0.5.1 there is a bug that the transaction id is not sent in the second step which results in failed authentication requests.

still the same. I have to enter the OTP from the app.
In general, does PrivacyIDEA-Provider support alle three options, OTP via app, SMS and eMail?
Is there a guide how to configure?

In the keycloak configuration form for the privacyIDEA module i can select the “Enrollment Token type” HOTP or TOTP, not SMS nor eMail.

To clarify:

A user can have an HOTP token and and SMS token (and a lot of other tokens).
If the user already has these tokens, he can use them to authenticate at keycloak (against privacyIDEA).

But enrolling an SMS token or an EMail token during the keycloak login is not supported.

Imho enrolling a token during the keycloak login is a crap idea in the first place. In 99% of the cases you should enroll the token “somehwere else”, before using it to log in to keycloak.

Hope this helps.

@W11T You Can Enroll token automatically by creating new event handler in PrivacyIdea , this event will enroll an email token for each user will authenticate from keycloak
and if you have configured an SMTP server , then the user will receive an email with OTP


if you still confused about Event Handlers in privacyIdea , i think this video will help you to understand the idea.

Hope this helps

1 Like

Thank you!
Maybe there is a misunderstanding.
By “token” i meant an OTP / PIN Code to be delivered via app or SMS or eMail.
The customer expects a selection box so the user can select the way of delivery - app or SMS or eMail.
Can this be set up with the keycloak-provider? How?

No, this is not possible.
If your customer “expects” this, this is great, you can sell some development time. :wink: