Email OTP without pin


I recently installed privacyIDEA on our premises and integrated it with Keycloak following this blog post: How to use Keycloak with privacyIDEA

I am using an SQL resolver to fetch Keycloak realm specific users from the Keycloak user table, have a working SMTP connection set up, and enrolled a test user with an email token.

Here is what I observed:

  1. No pin set in token conf:
    User provides PW → User is asked for otp code, but no email was sent

  2. A pin is set in token conf:
    User provides PW → User is asked for pin → User provides pin → User is asked for otp code which has been sent by email

Why is this happening? Are pins mandatory for this token type?

The email token needs to be triggered.
This does not happen in your scenario 1, since the PW seems to be checked by Keycloak itself.

In your scenario 2 the PIN triggers the sending of the email. This is the default behaviour: the PIN triggers sending the email.

So everything works as expected. If you want an email in your scenario 1, you explicitly need to tell Keycloak to trigger the sending of an email without a PIN. You need to tell Keycloak that it should communicate with privacyIDEA before the user has entered anything.

Use “enable trigger challenge”: keycloak-provider/ at master · privacyidea/keycloak-provider · GitHub

1 Like

Hey, thank you very much for pointing me to that setting, I was unsure what it is for so I left it disabled. But it makes sense after hearing your explanation. I’m after all not sending the PW to trigger the challenge.

That leaves me with another question however. How do I create a service account in privacyIDEA to enable this functionality?

I have set up the privacyIDEA realms to reflect the Keycloak realms via a different read-only SQL resolver per realm, which read out the necessary user attributes (email, id, fname, lname). Other than the local admin account, privacyIDEA is not aware of any credentials and has no means to create users.

I tried using pi-manage admin add some-service-account, but contrary to the realm shown in the UI (some-service-account @ (admin)), “admin” is not actually a valid realm I can specify in the PI plugin inside Keycloak.

Assuming that I need to create an editable user store somewhere for the purpose of storing this one account, would it be advisable to create a new DB with a single table just for this or is there another solution?

You could do it this way.
Or read one special user out of e.g. LDAP and put this one in a resolver and realm.

1 Like
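The trigger-challenge exchange discussed in this thread, sketched against privacyIDEA's REST endpoints (/auth, /validate/triggerchallenge, /validate/check) as an added example; it is not code from the thread or from the Keycloak provider. The host, the service account name and password, the user, the realm and the stand-in server's replies are all constructed placeholders.

```python
import json
from urllib import parse, request

def http_post(url, fields, headers=None):
    """POST form fields to a real privacyIDEA server and decode the JSON reply."""
    req = request.Request(url, data=parse.urlencode(fields).encode(),
                          headers=headers or {})
    with request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

def trigger_challenge(base, svc_user, svc_pass, user, realm, post=http_post):
    """Service account logs in, then asks privacyIDEA to send the user's email OTP."""
    auth = post(f"{base}/auth", {"username": svc_user, "password": svc_pass})
    jwt = auth["result"]["value"]["token"]
    resp = post(f"{base}/validate/triggerchallenge",
                {"user": user, "realm": realm}, {"Authorization": jwt})
    # result.value is the number of challenges triggered; 0 means no email went out
    if not resp["result"]["status"] or resp["result"]["value"] < 1:
        raise RuntimeError("no challenge triggered")
    return resp["detail"]["transaction_id"]

def check_otp(base, user, realm, otp, transaction_id, post=http_post):
    """Answer the pending challenge with the mailed OTP; no PIN is sent."""
    resp = post(f"{base}/validate/check", {"user": user, "realm": realm,
                "pass": otp, "transaction_id": transaction_id})
    return resp["result"]["status"] and resp["result"]["value"] is True

def fake_privacyidea(url, fields, headers=None):
    """Constructed offline stand-in for the server; all values are made up."""
    if url.endswith("/auth"):
        return {"result": {"status": True, "value": {"token": "constructed.jwt"}}}
    if url.endswith("/validate/triggerchallenge"):
        # Without the service account's token, nothing is triggered
        ok = (headers or {}).get("Authorization") == "constructed.jwt"
        return {"result": {"status": ok, "value": int(ok)},
                "detail": {"transaction_id": "0123456789"}}
    ok = fields["pass"] == "123456" and fields["transaction_id"] == "0123456789"
    return {"result": {"status": True, "value": ok}}

if __name__ == "__main__":
    base = "https://pi.example.test"  # placeholder host
    tx = trigger_challenge(base, "svc-trigger", "constructed-pw",
                           "alice", "keycloak-realm", post=fake_privacyidea)
    print("transaction:", tx)
    print("OTP accepted:", check_otp(base, "alice", "keycloak-realm", "123456",
                                     tx, post=fake_privacyidea))
```

Dropping the `post=fake_privacyidea` argument sends the same three requests to a real server through `http_post`.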