We have some problems regarding the self-service of our admins. First, something about our topology:
We defined different groups of admins: Superusers, Managers and Helpdesk. Beneath them is a defined group of users; I will call them “externals”.
- Superusers can do everything
- Managers can create new externals and enroll registration tokens for them
- Helpdesk can see all externals and do some janitor stuff like resetting locked tokens
For the externals everything is working fine - they get their registration token and can then enroll a TOTP token for themselves, with which they can log in too.
After hours of crawling through the policies and the forums, we were not able to get any self-service working for our admins; in particular, they cannot enroll a token for themselves if they don’t already own one.
We only got policies into a functioning state if the realm is removed from the SUPERUSER_REALM in the cfg file.
For example, the goal is that the Managers are forced on their first login (LDAP based) to enroll a TOTP token, and after that they can only log in with their password+OTP.
We got the PW+OTP login for the Managers working, but only if the token is created and assigned by a superuser.
Is this functionality not foreseen for admins?
Greets from Wiesbaden, DE