Hi,
my name is Manuel and I’m new to PrivacyIDEA.
I’ve set up a PrivacyIDEA instance now and have integrated the Keycloak provider into Keycloak.
All is working very well (auto-enroll E-Mail or SMS OTP via Events, Multi-Challenge Enroll, …).
But one strange thing I’m experiencing now:
I set “tokenlabel” and “issuer” via enroll-policy:
This policy is global (without any conditions) and works fine when rolling out a PUSH token via the PrivacyIDEA WebUI.
If enrollment is done via multichallenge (Keycloak in this case), the enrollment works, but the label and the issuer aren’t set. The default (token serial as label and “privacyIDEA” as issuer) is applied.
After some debugging I saw in the audit log that the enroll policy apparently isn’t matching.
As I’ve now been debugging for a few days, I would like to know if I’m missing something, or if this is a limitation of enrolling via multichallenge? As far as I can see, the API endpoints used are different.
Enrolling via the PrivacyIDEA WebUI uses the /token/init API, which applies my enrollment policy described above. Multichallenge via /validate/check seems not to do so…
Edit: Using TOTP for Multi-Challenge Enroll, tokenlabel and tokenissuer are applied.
Any help would be appreciated.
Thanks in advance.
Manuel