Hello, here’s what I’d like to do. If the user is getting a token for the first time, validate_check will check the user_token_number. If it’s 0, a new token will be assigned, and the SMS OTP will be sent to the user. I can do this. However, there’s another option: if the user enters an incorrect SMS OTP five times, I’ll send them a notification: “You entered the wrong SMS OTP five times, please try again in 5 minutes.” Frankly, I haven’t figured out what I need to do. I’d like your help with this. I also want the user to obtain a token with validate_check, and I’d like to fill in the token description field with the user’s first and last name. The event handler and log output I created are attached.
[2025-10-14 14:12:36,552][2153][140526581347904][INFO][privacyidea.lib.user:277] userid resolved to '6c0d0ffc-9873-4328-aca4-523754d7de76'
[2025-10-14 14:12:36,688][2153][140526581347904][INFO][privacyidea.lib.user:454] User yr505205 from realm testrealm tries to authenticate
[2025-10-14 14:12:42,273][2153][140526472242752][INFO][privacyidea.lib.user:275] user 'yr505205' found in resolver 'TestLDAP'
[2025-10-14 14:12:42,273][2153][140526472242752][INFO][privacyidea.lib.user:277] userid resolved to '6c0d0ffc-9873-4328-aca4-523754d7de76'
[2025-10-14 14:12:47,556][2153][140526581347904][INFO][privacyidea.lib.user:275] user 'yr505205' found in resolver 'TestLDAP'
[2025-10-14 14:12:47,557][2153][140526581347904][INFO][privacyidea.lib.user:277] userid resolved to '6c0d0ffc-9873-4328-aca4-523754d7de76'
[2025-10-14 14:12:47,677][2153][140526581347904][INFO][privacyidea.lib.user:454] User yr505205 from realm testrealm tries to authenticate
[2025-10-14 14:12:55,269][2153][140526472242752][INFO][privacyidea.lib.user:275] user 'yr505205' found in resolver 'TestLDAP'
[2025-10-14 14:12:55,269][2153][140526472242752][INFO][privacyidea.lib.user:277] userid resolved to '6c0d0ffc-9873-4328-aca4-523754d7de76'
[2025-10-14 14:12:55,444][2153][140526472242752][WARNING][privacyidea.lib.eventhandler.base:946] There is more than one challenge for token PISM0001AA6F and transaction_id None.
Hi, in the /validate/check request, there is usually no token serial available. That might be the reason the event handler does not work. However, in 3.12.1 the token serial is also retrieved from the user. As long as the user has only one token assigned, the event handler should work using this version.
Hello, first of all, thank you for your response. Could you explain how to implement the policy with enroll_via_multichallenge? I’ve tried, but I can’t seem to get it to work. I get this error in the logs: “The user has no tokens assigned”. Thank you.
As described in the docs, this policy requires a successful authentication first. For example, you can use the passthru policy (see "8.3. Authentication policies" in the privacyIDEA documentation). This allows the user to authenticate only with the userstore password as long as they have no tokens assigned. In combination with the enroll_via_multichallenge policy, after entering the user store password, the defined token is enrolled.
Hello, I did it as you said, but the result is still the same. Frankly, it seems like the rule is not triggered. I just couldn't get past this. The rule I wrote and the log output are attached. Please help me solve it. I would also like to point this out: the rule works when the token is created manually, but it doesn't work when there is no token. In the attached image, there's no SMS type in the challenge response section. I don't know why it's not there. How am I supposed to get it? Do I need to use it in the rule?
@jelinaunger is right: you could use enroll via multichallenge; in this case the user can even choose which phone number the SMS should be sent to.
However, the pre-event handler should work. dynamic_phone will read the information from your user source, so everything is there. You simply need to dig into your logs and probably increase your log level.
You can take a look here at how to use pre-event handling for enrolling tokens. In this video we do it with email tokens, but it is the same with SMS. Maybe this gives some background.
You may also take a look at the scripts repo, where we also have some scripts to automate things. Here is a script to simply enroll "all" SMS tokens for all users.
As far as your other point is concerned ("come back in 5 minutes"): this cannot be configured easily. You would, for example, need a script handler that sets the validity period 5 minutes in the future, to actually ensure that the token cannot be used for the next five minutes.