Multiple Email Addresses EventHandlerFramework

mr307 · May 23, 2024, 11:12am

Hi,

Is it possible to work with multiple email addresses in the event handler framework?

In our ldap we have configured multiple email addresses, a first for the company and a second (private) one for recovery actions.

In PrivacyIdea we have configured a fallback process in which the user can delete their token if they have lost it or whatever…
After deleting they get a qrcode with a temporary (3 days) totp token. This totp token should be sent to the private email address but how can we use this attribute in the framework? Do we need this to be done by scripting?

Thanks.

AAuer · May 28, 2024, 8:49am

Hi,
you can configure your LDAP-resolver to map the second emailaddress into another attribute.

best regards
Andreas

mr307 · May 28, 2024, 9:11am

Hi,

we have configured the ldap resolver to map the private email attribute.

{ “email” : “mail”, “surname” : “sn”, “givenname” : “givenName”, “groups” : “eduPersonAffiliation”, “pmail” : “homeEmailAddress” }

Our problem or question is: how to use the private email address in the UserNotificationHandler? In this, the possibilities are preselected, like token_owner or admin…

AAuer · May 28, 2024, 2:55pm

Hi,
do you use the primary email for anything (login)?
If not, you could map the private address to the email-attribute.

cornelinux · May 28, 2024, 3:05pm

The UserNotificationHandler users the users email attribute or mobile phone…

You can map any attribute like you did with “pmail”. However, you can not use it in the UserNotHand.
If you want to use pmail, you can use the ScriptHandler and create your own notification script.

mr307 · May 30, 2024, 6:45am

Hi,

thanks for answering. I am a fan of the ScriptHandler but if more scripts are needed, the maintainability becomes more complicated.

Could it be a solution to address the user attributes by tags like in the email body of the UserNotificationHandler?
For example {user.email} or if you have an array {user.group[0]}.

maybe for a future release…

cornelinux · June 1, 2024, 5:19am

In your case, is the user the acting user or the tokenowner?

Would happen here:

github.com

privacyidea/privacyidea/blob/662774047d37fdfe335fcf523892eff11ca5f881/privacyidea/lib/eventhandler/usernotification.py#L403


      
          tokendescription = None
          if serial:
              tokens = get_tokens(serial=serial)
              if tokens:
                  tokentype = tokens[0].get_tokentype()
                  tokendescription = tokens[0].token.description
          else:
              token_objects = get_tokens(user=tokenowner)
              serial = ','.join([tok.get_serial() for tok in token_objects])
          
          tags = create_tag_dict(logged_in_user=logged_in_user,
                                 request=request,
                                 client_ip=g.client_ip,
                                 pin=pin,
                                 googleurl_value=googleurl_value,
                                 recipient=recipient,
                                 tokenowner=tokenowner,
                                 serial=serial,
                                 tokentype=tokentype,
                                 tokendescription=tokendescription,
                                 registrationcode=registrationcode,

mr307 · June 3, 2024, 7:43am

Hi,

the acting user will be the token. If he/she disables the token (in the gui) they will receive an email with the fallback token to their private email address.

For this process, I wanted to use the provided event handler framework.
1.) User login in to gui and disables the token
2.) Script is called → creating the totp token
3.) An email ist send with the qrcode to the user

We integrated the privacyidea system with our ldap. In the ldap we have configured 2 email addresses for the users (1x company and 1x private). The private one is for the recovery process if something happens with the login data.

A good comment or question of @AAuer was/is: Do we use the company email address in the privacyidea? At the moment NO but what will be in the future?!

I see the tags dict. But the dict is only used in the email block. It would be nice to use it in html select list of the “to” option.

cornelinux · June 3, 2024, 2:13pm

Interesting. So the point would be

Actions: sendmail

And then you would want to have s.th. like

To: Userattribute

and then be able to choose a user attribute that contains an alternate email address.

(So this again would be s.th. different then before).

mr307 · June 3, 2024, 2:30pm

Yes, something like this. If this wasn’t clear before, it is my English that is to blame.

cornelinux · June 3, 2024, 9:56pm

Opened and issue.

github.com/privacyidea/privacyidea

New action for notification handler

opened 09:55PM - 03 Jun 24 UTC

cornelinux

Type: Feature request Topic: Events

**Is your feature request related to a problem? Please describe.** A user may… have several different email addresses mapped, that can be used to send notifications to using the event handler. These email addresses can not be reached by the destination "To Email" of the event handler. **Describe the solution you'd like** We need a "To" mechanism like "To: Attribute", since the other email address is mapped to a different user attribute. Then the additional user attribute needs to be specified. **Additional context** See https://community.privacyidea.org/t/multiple-email-addresses-eventhandlerframework/3395/9 # Top level requirements and scenarios TBD *Describe what needs to be achieved and how the scenario looks like* *If sensible use a checklist to check, which requirements have been covered by your implementation!* * [ ] We need to ensure that... * [ ] Administrators must be able to... # Implementation *Describe your implementation plans - what you are exactly going to implement. Use references/link to the existing code* *Cover the following aspects:* ## Database Describe the database table that will be added. Define the `name` of the table and the `names of the columns`. Define, if you need to add a DB migration script. ## Library and API Describe what needs to be implemented, preferably also in which files. Use example code of what you plan to implement: ~~~~Python new_feature = [ x.name for x in some_return_values if x.id > 0 ] ~~~~ # TODOs *In the TODO section you can add all steps that need to be implemented* **USE CHECKLISTS, THESE WILL BE VISIBLE AS TASKS!** * [ ] add DB table `name` in `models.py` * [ ] create above mentioned migration script. * ~~[ ] there might be an aspect that is not relevant anymore~~ * [ ] e.g. Add util function to... * [ ] e.g. add REST API... * [ ] e.g. we need to add policy and implement it in e.g. `prepolicy` - scope: admin - action: new_action_name - ... Use further checkboxes for * [ ] add documentation * [ ] implement tests

You are welcome to participate.
Thanks.