Enroll via Multichallenge seems to ignore tokenlabel/tokenissuer in enrollment-policy


My name is Manuel and I’m new to PrivacyIDEA.
I’ve set up a PrivacyIDEA instance now and have integrated the Keycloak provider into Keycloak.
All is working very well (auto-enroll E-Mail or SMS OTP via Events, Multi-Challenge Enroll,…)
But one strange thing I’m experiencing now:

I set “tokenlabel” and “issuer” via enroll-policy:

This policy is global (without any conditions) and works fine when rolling out a PUSH token via the PrivacyIDEA WebUI.

If enrollment is done via multichallenge (Keycloak in this case), the enrollment works, but the label and the issuer aren’t set. The default (token serial as label and “privacyIDEA” as issuer) is applied.
After some debugging I saw in the audit log that the enroll-policy doesn’t seem to match.

As I’ve now been debugging for a few days, I would like to know if I’m missing something, or if this is a limitation of enrolling via multichallenge? As far as I can see, the API endpoints used are different.
Enrolling via the PrivacyIDEA WebUI uses the /token/init API, which applies my enrollment policy described above. Multichallenge via /validate/check seems not to do so…

Edit: Using TOTP for Multi-Challenge Enroll, tokenlabel and tokenissuer are applied.

Any help would be appreciated.

Thanks in advance.
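To verify whether an enrollment response honoured the tokenlabel/tokenissuer policy or fell back to the defaults described above, here is an added example (not part of this thread or the privacyIDEA project) that parses the otpauth:// enrollment URL returned by /token/init or the multichallenge response from /validate/check. The sample URLs, serial and policy values are constructed, and the otpauth://pipush/<label>?...&issuer=... form for PUSH tokens is an assumption about the URL layout.

```python
from urllib.parse import urlparse, parse_qs, unquote

# Constructed sample data (not captured from a real server).
SERIAL = "PIPU00012345"                      # hypothetical token serial
EXPECTED_LABEL = "manuel@example"            # tokenlabel "{user}@{realm}"
EXPECTED_ISSUER = "Example Corp"             # tokenissuer from the policy

# Policy applied: label and issuer come from the enrollment policy.
POLICY_URL = ("otpauth://pipush/manuel%40example?url=https%3A%2F%2F"
              "pi.example.test%2Fttype%2Fpush&ttl=10&issuer=Example%20Corp"
              "&serial=" + SERIAL)
# Policy ignored: serial used as label, "privacyIDEA" as issuer.
DEFAULT_URL = ("otpauth://pipush/" + SERIAL + "?url=https%3A%2F%2F"
               "pi.example.test%2Fttype%2Fpush&ttl=10&issuer=privacyIDEA"
               "&serial=" + SERIAL)


def parse_enrollment_url(url):
    """Return (token_type, label, issuer) from an otpauth:// URL.

    Handles otpauth://totp/<label>?... as well as the assumed
    otpauth://pipush/<label>?... layout used for PUSH enrollment.
    """
    parsed = urlparse(url)
    if parsed.scheme != "otpauth":
        raise ValueError("not an otpauth URL: %r" % url)
    token_type = parsed.netloc              # "totp", "hotp", "pipush", ...
    label = unquote(parsed.path.lstrip("/"))
    issuer = parse_qs(parsed.query).get("issuer", [None])[0]
    # Some generators put the issuer in front of the label as "Issuer:account".
    if issuer is None and ":" in label:
        issuer, label = label.split(":", 1)
    return token_type, label, issuer


def defaults_applied(url, serial):
    """True if the server fell back to serial-as-label and issuer 'privacyIDEA'."""
    _, label, issuer = parse_enrollment_url(url)
    return label == serial and issuer == "privacyIDEA"


def policy_applied(url, expected_label, expected_issuer):
    """True only if both policy values are present in the enrollment URL."""
    _, label, issuer = parse_enrollment_url(url)
    return label == expected_label and issuer == expected_issuer


if __name__ == "__main__":
    for name, url in (("token/init", POLICY_URL), ("validate/check", DEFAULT_URL)):
        print(name, "policy applied:", policy_applied(url, EXPECTED_LABEL, EXPECTED_ISSUER),
              "defaults used:", defaults_applied(url, SERIAL))
```

Feed the function the URL taken from the JSON of the actual enrollment response (the push or TOTP enrollment URL) to confirm the behaviour after upgrading.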


Hello Manuel,
you are right. This has not been implemented.
It is already fixed and will be released with version 3.10.

Happy Authenticating!

Hi Cornelius,

I’m sorry, I didn’t see this GitHub issue.
Thank you very much!


Hi all,

Just a short piece of information if someone else needs this functionality:
The above-mentioned fix also works with PrivacyIDEA v3.9 (in my case v3.9.3).
Thank you very much!
