How to Generate Many Unassigned Tokens for Rollout

Hello, I’ve been reading through the documentation, specifically about
Rolling Out new unassigned tokens in the FAQ section…

One of the strategies discussed is to use the “autoenrollment” feature,
which says:

“Users can assign a token just by using this token. The user can take a
token from a pool of unassigned tokens. When this policy is set, and the
user has no token assigned, autoassignment will be done: The user
authenticates with a new PIN or his userstore password and an OTP value
from the token. If the OTP value is correct the token gets assigned to the
user and the given PIN is set as the OTP PIN.”

My question is: how can I generate, say, 500-600 unassigned tokens in order
to establish this initial pool?

Thanks for assistance!

John

Hello John,

In order for the autoenrollment feature to work, the token must exist.

A token always has two components: The server side representation within
privacyIDEA and the user-side which is possessed by the user.

Usually the autoenrollment feature is to be used with hardware tokens.
I.e. the server-side part is the token object in the token database (as
always) and the user-side is the hardware piece, the key fob or the OTP
card…
Then you can easily hand any of those 500 cards to the users, not caring
about which card was handed to which user. (Without this you would have
to assign the token to the user via the serial number or the user would
have to do this)

If you are using soft tokens or smartphone apps, the parallel scenario
would be that you have 500 smartphones with an initialized Google
Authenticator or OTP Authenticator and just distribute these smartphones
randomly to the users.

But I assume that the users already possess their smartphones :wink:

What kind of tokens are you going to use?
Hardware, smartphone App, text messages, emails?

The two parts (client-side and user-side) correspond to the shared OTP
secret key. I.e. with smartphone Apps the secret key usually is
generated by the server and needs to be passed to the user-side (the
smartphone).

This can be done by sending the QR Code for the Google Authenticator or
a compatible smartphone app to the user. This QR code/Token can either
be already assigned to a user (personalized) or not.
But caution has to be taken, since the QR code contains the unencrypted
secret key. So this QR code should not be shown to any other user than
the assigned one.

These are the basic conditions for enrollment. But enrollment is always
very specific to each installation. It tells something about your
network and is usually part of consulting and installation services. So
I would like to take this discussion off-list.

Kind regards
Cornelius

On Wednesday, 20.01.2016, 21:36 -0800, John Whitten wrote:

> Hello, I’ve been reading through the documentation, specifically about
> Rolling Out new unassigned tokens in the FAQ section…
>
> One of the strategies discussed is to use the “autoenrollment”
> feature, which says:
>
> “Users can assign a token just by using this token. The user can take
> a token from a pool of unassigned tokens. When this policy is set, and
> the user has no token assigned, autoassignment will be done: The user
> authenticates with a new PIN or his userstore password and an OTP
> value from the token. If the OTP value is correct the token gets
> assigned to the user and the given PIN is set as the OTP PIN.”
>
> My question is, How can I generate, say 500-600 unassigned tokens in
> order to establish this initial pool?
>
> Thanks for assistance!
>
> John


Cornelius Kölbel
@cornelinux
+49 151 2960 1417

NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798

Kassel District Court (Amtsgericht Kassel), HRB 16405
Managing Director: Cornelius Kölbel

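An added example, not part of the original thread and not privacyIDEA code: a Python sketch of the two token components described in the reply above, showing a pool of unassigned server-side records, the RFC 4226 HOTP value both sides derive from the shared secret, and how the secret can be read straight back out of the `otpauth://` URI a QR code carries. The record layout, the `POOL` serial prefix and the simplified `autoassign` matching (PIN handling omitted) are assumptions for illustration.

```python
import base64, hashlib, hmac, secrets, struct

def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def make_pool(count, prefix="POOL"):
    """Server-side records for `count` tokens, none of them assigned to a user."""
    # 20 random bytes per token from the OS CSPRNG; serials are constructed.
    return [{"serial": f"{prefix}{i:04d}", "secret": secrets.token_bytes(20),
             "counter": 0, "user": None} for i in range(1, count + 1)]

def provisioning_uri(token, issuer="example"):
    """otpauth:// URI of the kind an authenticator app reads from a QR code."""
    b32 = base64.b32encode(token["secret"]).decode().rstrip("=")
    return (f"otpauth://hotp/{issuer}:{token['serial']}"
            f"?secret={b32}&counter={token['counter']}&issuer={issuer}")

def secret_from_uri(uri):
    """Anyone who sees the QR code can do this: the secret is only base32-encoded."""
    b32 = uri.split("secret=")[1].split("&")[0]
    return base64.b32decode(b32 + "=" * (-len(b32) % 8))

def autoassign(pool, user, otp, window=10):
    """Simplified model: assign the first unassigned token whose OTP matches."""
    for tok in pool:
        if tok["user"] is not None:
            continue
        for c in range(tok["counter"], tok["counter"] + window):
            if hmac.compare_digest(hotp(tok["secret"], c), otp):
                tok["user"], tok["counter"] = user, c + 1
                return tok["serial"]
    return None

if __name__ == "__main__":
    pool = make_pool(500)
    fob = pool[41]                      # the user-side device handed out at random
    uri = provisioning_uri(fob)
    print("QR payload:", uri)
    print("secret recoverable from QR:", secret_from_uri(uri) == fob["secret"])
    print("assigned serial:", autoassign(pool, "john", hotp(fob["secret"], 0)))
```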