Enroll via multichallenge (EMAIL)

We’ve activated policy for users
enroll_via_multichallenge - EMAIL
passthru - userstore

When user authenticates with the login and password on citrix netscaler gateway, then token is being created automaticaly with property dynamic_email - true and PI asks “Please enter your new email addrees!”

If user refreshes page (F5) token saved with property dynamic_email
If user enters correct address, token change email address and sends OTP
But when user enters incorrect adress - blank or without @, after timeout citrix gateway authenticates user without OTP and all next attempts will be succeded.

Can you

  1. Add new policy which disables request for new email (manual input), only dynamic
  2. If user enters blank adress, token saved as dynamic
  3. Checking correction of email address for @ sign presence

Also there is a bug: when policies “challenge_text”, “challenge_text_footer”, “challenge_text_header” are actvated, then message “Please enter your new email addrees!” is being replaced with values of these policies.


No. Use an event handler to do this. This is not done via multichallenge enroll.

Please open an issue at github for this request.

This works as intended.

I think there is little misunderstanding. I mean that if a user logins for the first time and doesn’t have any tokens yet instead of hard coded “Please enter your email address!”, header challenge text + footer challenge text are displayed (which should be displayed when asking for OTP).

Hm, interesting.
I am not sure about this. Would you please also open an issue at github.

In regards to the dynamic email address.

So your intended behaviour is:

  • users could have an email address in the user store
  • users are asked if they want to enroll an email token with a destinct email address or…
  • …enter nothing an then use the dynamic email address?

Would you really want to let users choose between new/destinct email and dynamic email?

What kind of user base is this?


why not if the email token with dynamic property is created first anyway


I think there is a misunderstanding.

“dynamic” emails are these, when the user can not enter any email address. The email address is fetched dymically from the user store.
The store has controll over the email address. It can change during the lifetime of the token.
Usually the user has no controll over this one.

There is an alternative way to enroll email tokens, if you only want to use dynamic emails.
You could use the token handler with the action “enroll”.

There is a misunderstanding.
I was wondering what kind of users you have.
Like: Are these students or rather kind of employees. This would determine how restricted you would handle the choosing of email addresses.
Do you have controll over user email adresses like all in one domain (employees) or do you have no control over the email adresses or do you only know a part of the email addresses.
If so — maybe you would need to know or wish to know all email adresses…

Yes, I know about this functionality.

No, I don’t try to control them I just trying to improve functionality of the soft by proposing useful feature to create dynamic email if user doesn’t enter email himself.

Right - I am just trying to understand your scenario.
Because when understanding the scenario it is easier to implement sensible things (not calling it feature on purpose)

With privacyIDEA we do not want to implement a long list of “features”, we are usually trying to implement “concepts”. And this is why we do not like listening to people what we should implement. But we rather try to listen to people how they want to use privacyIDEA and why they want to use it the way, they think they want to use it.
And this is why I like to understand the scenario and the question about the users.

Anyways. Thanks for opening this issue:

which already has a pull request and
this issue

which we gave some enhanced thoughts.