simplesamlPHP doEnrollToken

Porfirio_Trincheiras · July 5, 2023, 8:45am

Good morning.
I have simplesaml setup as AuthProc
My config is this
39 => array(

'class'             => 'privacyidea:PrivacyideaAuthProc',
'privacyideaServerURL' => 'https://privacyideaserver',
'realm'             => 'realm',
'uidKey'            => 'sAMAccountName',
'sslverifyhost'     => false,
'sslverifypeer'     => false,
'serviceAccount'  => 'idp',
'servicePass'     => '**********',
'SSO' => 'true',
 'otpFieldHint' => 'Codigo de Segurança Adicional!',
'doEnrollToken' => 'true',
'typeOfTokenToEnroll' => 'totp',

),

The authetication is working fine, but if i make ‘doEnrollToken’ => ‘true’, the user is pro,pted to enroll a toke every time it logins, creating a infinty number of tokens.
If i read it correctly, that should only happen if the user doesnt have a toke already .
What i’m i doing wrong ?

Sory for my English, it’s not my native language

nilsbehlen · July 5, 2023, 10:38am

Hi, this seems to be a bug. However, i would advise you to use the enroll via challenge-response feature from the server to enroll token for users on login.
policy:
scope: authentication
misc: enroll_via_multichallenge
This requires a successful authentication beforehand, so for users that do not have a token, you need to enable “passOnNoToken” from scope=authentication aswell.

The feature to enroll token from the plugin itself will be removed in the future because it is contrary to the workflows we want to encourage.

Porfirio_Trincheiras · July 5, 2023, 11:50am

OK, im new to privacyIDEA , so im going to give it a try.
Best Regards