I successfully installed PI and integrated it with a Citrix gateway. I am currently struggling with the process of enrolling tokens for new users, since I do not want to publish PI’s web interface to the public internet for security reasons.
I would like to implement the logic “allow the first X login attempts without a second password”. The policy action passOnNoToken almost does what I want, except that if a user doesn’t enroll his/her token, he/she would be able to log in without MFA forever.
I thought one way to solve this would be a custom user attribute: on the first login, attach this attribute to the user. But for some reason, there is no event handler userinfo.
I also noticed that there is a counter module. But if I understood the documentation correctly, these counters are global and not bound to a user object. I have found no way to attach a counter to a user…
Does anybody have a solution to my problem, or is anybody able to point me in the right direction?
Thanks in advance!