Force enroll TOTP on user login

Hi, I just installed privacyIDEA+FreeRADIUS and started struggling with the enormous amount of available policies. All users come from a configured ldapresolver (freeipa).

I configured some base-level policies like:

  • hide_welcome - default policy
  • default_without_2fa - let users auth with only password if no 2fa configured
  • pass_and_otp_enabled - ask <password+otp> as password
  • force_enroll - can’t figure out how to do it right way

The problem is that the last policy doesn’t work as I want. I want to force users to enroll a TOTP/HOTP token when they first log in to privacyIDEA’s WebUI.
Can anyone suggest what combination of policies I should use?

The policy you configured simply means that the user is allowed to enroll a TOTP token. See

By naming the policy “force” you can not change the action :wink:

When the user logs in to the selfservice (aka privacyIDEA WebUI) you can not “force” the user to do anything. However, you can take a look at the token wizard. But the user could still cancel this.

See “tokenwizard” policy
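As an added example (not code from privacyIDEA or from this thread), the script below creates the `webui` policy with the `tokenwizard` action that the answer points to, then reads it back and checks that it is active. It goes a bit beyond the thread by doing the read-back check. Assumptions: `PI_URL`, `PI_ADMIN`, `PI_ADMIN_PASS`, `POLICY_NAME` and `REALM` are placeholders read from environment variables; the endpoints `POST /auth` and `POST`/`GET /policy/<name>`, the parameters `scope`, `action`, `realm` and `active`, and the `result.value` response shape are taken from the privacyIDEA REST API as I know it, so confirm them against your own server's `/docs` page. Note that, exactly as the answer says, this only makes the wizard appear at WebUI login; the user can still cancel it.

```python
"""Enable the privacyIDEA WebUI token wizard through the REST API.

Added example, not privacyIDEA project code. All URLs, credentials and the
policy/realm names are placeholders (assumptions) supplied via environment
variables; endpoint paths and parameter names are from the privacyIDEA REST
API as the author of this example knows it. Verify against your server.
"""
import json
import os
import urllib.parse
import urllib.request
from typing import Optional, Tuple


def build_policy(name: str, realm: Optional[str] = None) -> Tuple[str, dict]:
    """Return the request path and form fields for POST /policy/<name>.

    The policy lives in scope 'webui' and carries the single boolean action
    'tokenwizard'. Boolean actions are sent as the bare action name; value
    actions would be sent as 'name=value'. An optional realm restricts the
    wizard to users of that realm (e.g. the freeipa realm in the question).
    """
    if not name or "/" in name:
        raise ValueError("policy name must be a non-empty single path segment")
    fields = {"scope": "webui", "action": "tokenwizard", "active": "true"}
    if realm:
        fields["realm"] = realm
    return "/policy/" + urllib.parse.quote(name), fields


def policy_enables_wizard(policy_response: dict) -> bool:
    """Check a GET /policy/<name> body for an active webui tokenwizard policy.

    Assumed response shape: result.value is a list of policy dicts whose
    'action' field is a mapping of action name to value.
    """
    for pol in policy_response.get("result", {}).get("value", []):
        if (pol.get("scope") == "webui" and pol.get("active")
                and pol.get("action", {}).get("tokenwizard")):
            return True
    return False


def _call(base: str, path: str, fields: Optional[dict] = None,
          token: Optional[str] = None) -> dict:
    """POST form fields (or GET when fields is None) and decode the JSON reply."""
    data = urllib.parse.urlencode(fields).encode() if fields is not None else None
    req = urllib.request.Request(base + path, data=data,
                                 method="POST" if data is not None else "GET")
    if token:
        # privacyIDEA expects the raw JWT from /auth in the Authorization header
        req.add_header("Authorization", token)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def main() -> None:
    base = os.environ.get("PI_URL")  # placeholder, e.g. https://pi.example.com
    if not base:
        # Offline run: only show the request that would be sent.
        path, fields = build_policy("force_wizard", "freeipa")
        print("would POST", path, fields)
        return
    auth = _call(base, "/auth", {"username": os.environ["PI_ADMIN"],
                                 "password": os.environ["PI_ADMIN_PASS"]})
    token = auth["result"]["value"]["token"]
    path, fields = build_policy(os.environ.get("POLICY_NAME", "force_wizard"),
                                os.environ.get("REALM"))
    _call(base, path, fields, token)                       # create the policy
    readback = _call(base, path, token=token)              # GET /policy/<name>
    print("wizard policy active:", policy_enables_wizard(readback))


if __name__ == "__main__":
    main()
```

Run it with `PI_URL`, `PI_ADMIN` and `PI_ADMIN_PASS` set to create the policy; without `PI_URL` it only prints the request it would make, which is handy for reviewing the policy before touching a production instance.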