New event handler request

Hi all!

I try configure event handlers for good user support and automatization.
I want user with 0 tokens receive default token (sms or email) during first authentication attempt. User must receive email and sms notification with instructions after successful token creation.
I create two definitions.

  1. Events= “validate_check” ; Handlermodule=Token; Conditions={“logged_in_user”:“user”,“realm”:“myrealm”,“result_value”:“False”,“user_token_number”:“0”}; Action=enroll; Options={ “realm”: “myrealm”, “tokentype”: “sms”, “user”: “1” }
  2. Events= “validate_check” ; Handlermodule=UserNotification; Conditions={“logged_in_user”:“user”,“realm”:“myrealm”,“result_value”:“False”,“user_token_number”:“0”}; Action=sendsms; Options={ “To”: “tokenowner”, “body”: “Hello {username}! Your first token {serial} has been created.”, “smsconfig”: “kannel” }

This definitions not work together. You can see result either with first or with second only. I try create definition for action EVENT validate_check>>Token:enroll (audit log) too but without success.
Is it any chance to add custom EVENT definition for situations like that?

I’ve noticed token_delete parameter in Events not work as expected also.
Events= “token_delete”; Handlermodule=UserNotification; Conditions={“realm”:“myrealm”}; Action=sendmail; Options={ “To”: “tokenowner”, “body”: “Your 2FA token {serial} for user {username} was deleted”, “emailconfig”: “smtp”, “subject”: “Your 2FA token was deleted” }
I do not receive email. So as token_unassign. These Events works properly: token_revoke, token_assign, token_init, token_enable, token_disable. I use AD resolver for realm.


This is a feature. The actions are currently triggered after the event.
token_delete deletes the token. Your event handler defintion then tries to contact the owner of a token, that does not exist anymore -> no email. (Same with unassign -> token no owner -> no email)

Kind regards

Thank you, Cornelius!
I suspect it, now it’s clear for me.

What do you say about user notification during first token creation? It would be really cool if one event definition has two active handler modules. In this case we can trigger two or more different actions. One event condition for some actions.


Maybe, I should do it with a script, which connect via API and do several steps: generate token, send email, send sms.

This is already possible.

Hi ayurlov,

In my previous tests with privacyidea, I was able to do something similar to this:

  • if user has 0 token, an autoenrollment will proceed using Event_handlers and initialize a REGISTRATION token for the user.
  • another Event_handler will do send an eMail/SMS along with the registration token after the initialization of the token.
  • the user uses this information to first login to privacyidea WebUI and will be able to enroll additional token/s
  • Registration token is only valid one time so the user should enroll other token after using the registration token.

so, i think you have to test event_handlers and passthru, and/or maybe other parameters in the policies->auth. If i remember it correctly, i did NOT activate the enrollment wizard in the policies.


1 Like

Thanks for your answers!

I create the next config for event handlers:

  1. Events=[ “validate_check” ]; Handlermodule=Token; Conditions={“realm”:“ad”,“result_value”:“False”,“user_token_number”:“0”}; Action=enroll; Options={ “realm”: “ad”, “tokentype”: “sms”, “user”: “1” }
  2. Events=[ “validate_check” ]; Handlermodule=UserNotification; Conditions={“count_auth”:“0”,“realm”:“ad”,“result_value”:“False”,“user_token_number”:“1”}; Action=sendsms; Options={ “To”: “tokenowner”, “body”: “Hello {username}! Your first token {serial} has been created.”, “smsconfig”: “kannel” }

So, these events go one by one. I tried the same condition {“realm”:“ad”,“result_value”:“False”,“user_token_number”:“0”}
but it was not work.


I think this should create the SMS token. Does this step work for you?
Has the SMS token the right phone number?

I think this will not work, since in this request the user is not the token owner, yet.
“count_auth” is a value of a token. The request failed, since the user had no token. So this request is not associated with the token, and thus there is no {serial} and not {count_auh}. (To my understanding - the events are so flexible, that it is also difficult for me to predict all scenarios! :wink:

It is working for me perfectly)
Of course, user must be in AD with the right phone number.
In my environment, user without tokens start connect, sms-token is created for him and after that he receive sms-notification.
After that he can connect with sms-token.
It is very interesting solution when user want connect to vpn, but he forgot enroll a token before and can’t login to internal PrivacyIDEA GUI now.