Hi
We’ve activated policy for users
enroll_via_multichallenge - EMAIL
passthru - userstore
When a user authenticates with login and password on the Citrix NetScaler Gateway, a token is created automatically with the property dynamic_email - true and PI asks “Please enter your new email address!”
If the user refreshes the page (F5), the token is saved with the property dynamic_email
If the user enters a correct address, the token changes the email address and sends the OTP
But when the user enters an incorrect address (blank or without @), after the timeout the Citrix gateway authenticates the user without OTP and all subsequent attempts will succeed.
Can you:
Add a new policy which disables the request for a new email (manual input), allowing only dynamic
If the user enters a blank address, save the token as dynamic
Check the email address for correctness (presence of the @ sign)
Also there is a bug: when the policies “challenge_text”, “challenge_text_footer”, “challenge_text_header” are activated, the message “Please enter your new email address!” is replaced with the values of these policies.
I think there is a little misunderstanding. I mean that if a user logs in for the first time and doesn’t have any tokens yet, then instead of the hard-coded “Please enter your email address!”, the header challenge text + footer challenge text are displayed (which should be displayed when asking for the OTP).
“Dynamic” emails are those where the user cannot enter any email address. The email address is fetched dynamically from the user store.
The store has control over the email address. It can change during the lifetime of the token.
Usually the user has no control over this one.
There is a misunderstanding.
I was wondering what kind of users you have.
Like: Are these students or rather some kind of employees? This would determine how restrictively you would handle the choosing of email addresses.
Do you have control over user email addresses, like all in one domain (employees), or do you have no control over the email addresses, or do you only know a part of the email addresses?
If so, maybe you would need to know or wish to know all email addresses…
No, I’m not trying to control them. I am just trying to improve the functionality of the software by proposing a useful feature: create a dynamic email if the user doesn’t enter an email himself.
Right - I am just trying to understand your scenario.
Because when understanding the scenario it is easier to implement sensible things (not calling it a feature on purpose).
With privacyIDEA we do not want to implement a long list of “features”, we are usually trying to implement “concepts”. And this is why we do not like listening to people telling us what we should implement. But we rather try to listen to people about how they want to use privacyIDEA and why they want to use it the way they think they want to use it.
And this is why I like to understand the scenario and the question about the users.
When the “enroll_via_multichallenge: EMAIL\SMS” policy is active and the PI asks “Please enter your new phone number/email!”, the user gets an sms\email token with dynamic_phone/email: True. If the user closes or refreshes the browser page, this token will be saved with dynamic data.
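
The handling requested earlier in this thread (check the entered address, fall back to the user store's dynamic address on blank input, and never let a failed enrollment answer count as a login), sketched as an added example. This is not privacyIDEA code or code from any poster; `handle_enrollment_answer`, the `Decision` type and the sample addresses are hypothetical.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Deliberately simple syntax check: exactly one "@", non-empty local part,
# dotted domain, no whitespace. It rejects blank input and input without "@".
_EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


@dataclass
class Decision:
    action: str                   # "send_otp", "rechallenge" or "reject"
    email: Optional[str] = None   # address the OTP would be sent to
    dynamic_email: bool = False   # True: address comes from the user store
    authenticated: bool = False   # never True here: no OTP has been verified


def handle_enrollment_answer(answer, userstore_email,
                             allow_manual=True, attempts_left=3):
    """Decide how to treat the answer to the 'enter your email' challenge.

    allow_manual=False models the requested policy that disables manual
    input and only permits the dynamic (user store) address.
    """
    answer = (answer or "").strip()

    # Manual address accepted only if the policy allows it and it is well formed.
    if allow_manual and _EMAIL_RE.match(answer):
        return Decision("send_otp", email=answer)

    # Blank input, or manual input disabled: use the user store address.
    if not answer or not allow_manual:
        if userstore_email and _EMAIL_RE.match(userstore_email):
            return Decision("send_otp", email=userstore_email,
                            dynamic_email=True)
        return Decision("reject")  # nothing usable: fail closed

    # Non-blank but malformed: ask again, then reject. Never fall through
    # to a successful login without a verified OTP.
    if attempts_left > 1:
        return Decision("rechallenge")
    return Decision("reject")
```

Every branch leaves `authenticated` at `False`; in this sketch only a later, separate OTP verification step may grant access.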