User's first time login to web ui with email confirmation

I have a working system with PI, and users can log in to the web UI from the internal network and enroll a token.
It works fine.
But now I’m trying to make a solution for external users. Those users are imported to PI from Active Directory too. But I do not want to open PI’s web UI to the external network without 2FA. Those users do not have tokens yet. Is there any option to enable email confirmation for all logins to the web UI even if a user has no token yet? All users already have an email address in AD, so PI knows it too.

This is called “Email Token”.

Yes, I know about the email token. But new users do not have this token. They need to enroll it first. But how can they log in to the web UI without any token if 2FA authentication is enabled?
Can such a token be enrolled for all users automatically?

This is a question regarding the enrollment process. This can be a topic of long discussions and consultancy. There is never one answer that fits all.

E.g. you could write your own script as cron job.
You could look at this: privacyIDEA 2.23 - pre-Event-Handling / automatic token enrollment - YouTube
or you could do a lot of other things…

Thanks for mentioning pre-event handling! I’ve configured it to enroll an email token if the user has no tokens yet. It completely solves my problem.

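The cron-job route suggested in the thread, as an added example (not code from the posts above or from the privacyIDEA project): it enrolls an email token only for users who have no token at all and skips accounts without an email address. The REST paths (`/user/`, `/token/`, `/token/init`), the `dynamic_email` parameter and the `Authorization` header are assumptions to check against the API documentation of the installed privacyIDEA version; the function names are hypothetical.

```python
import json
import urllib.parse
import urllib.request


def make_api(base_url, auth_token):
    """HTTP transport for a privacyIDEA server (endpoint layout is an assumption).

    auth_token is the token of a dedicated admin account whose policies allow
    only listing users/tokens and enrolling email tokens.
    """
    def api(method, path, params):
        data = urllib.parse.urlencode(params)
        url = base_url.rstrip("/") + path
        if method == "GET":
            url, body = url + "?" + data, None
        else:
            body = data.encode()
        req = urllib.request.Request(url, data=body, method=method,
                                     headers={"Authorization": auth_token})
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.load(resp)["result"]["value"]
    return api


def enroll_missing_email_tokens(api, realm):
    """Enroll one email token for each user in `realm` that has no token yet.

    Returns (enrolled, skipped): usernames that got a token, and usernames
    skipped because the directory holds no email address for them.
    Safe to run repeatedly: users who own any token are never touched.
    """
    enrolled, skipped = [], []
    for user in api("GET", "/user/", {"realm": realm}):
        name = user["username"]
        owned = api("GET", "/token/", {"user": name, "realm": realm})
        if owned["count"] > 0:
            continue  # already has a token of some type
        if not user.get("email"):
            skipped.append(name)  # an email token would be unusable here
            continue
        # dynamic_email: read the address from the user store at send time
        api("POST", "/token/init", {"type": "email", "user": name,
                                    "realm": realm, "genkey": 1,
                                    "dynamic_email": 1})
        enrolled.append(name)
    return enrolled, skipped
```

From cron, call `enroll_missing_email_tokens(make_api(url, token), realm)` and log the `skipped` list, since those accounts still have no second factor.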