Enable TOTP Token Enrollment #17
Conversation
|
Hi, In the future there will be a feature in the server that handles token enrollment via challenge-response so that only the server can decide if a token should be enrolled if there is none yet. This will also solve the problem that the token is enrolled as soon as you do /token/init without actually checking if the user scanned the QR (and entered the first OTP). However, that feature is not implemented yet.
I would not spend too much effort for this since the enrollment feature will be reworked in the (hopefully near) future so that the server can dictate this kind of information for all plugins uniformly. But if you need that now you can add it anyway and most parts of your implementation could be reused later too.
|
| { | ||
| htmlTemplate = htmlTemplate.Replace("#ENROLLMENT#", EnrollmentText); | ||
| htmlTemplate = htmlTemplate.Replace("#ENROLLVAL#", EnrollmentUrl); | ||
| htmlTemplate = htmlTemplate.Replace("#ENROLLIMG#", EnrollmentImg); |
There was a problem hiding this comment.
htmlTemplate = htmlTemplate.Replace("#ENROLLIMG#", "data:," + EnrollmentImg);
There was a problem hiding this comment.
I'm not sure I understand what this one does - isn't the data text already provided when pulling the data from the API? I originally had the img set to data:, because it was the equivalent of an empty image. In earlier revisions it was always shown, but now that it is hidden it makes sense for it to be empty upon creation.
There was a problem hiding this comment.
Ok, i thought it was required to prepend the "data:,", nevermind this comment then
|
I have made the requested changes, with the exception of the one I commented on. I also have a working branch of storing the authenticator applications in a REG_MULTI_SZ that I can include as part of the PR if you would like.
|
SoarinFerret
changed the title
|
I'm happy with this now. If you have nothing more to add, we can merge. |
SoarinFerret
changed the title
|
I don't have anything more - happy for it to be merged. Thanks for your help! |
|
thanks for making this pr! |
Hello! I am looking for feedback on a feature I have started working on for this ADFS provider. I would like to roll out privacyIDEA as the 2FA provider for an ADFS instance, however a large number of users do not have any TOTP codes enrolled in the system. In order to ease the onboarding process, I thought it would be useful to enable token enrollment with ADFS, similar to how it works with the Keycloak provider.
To accomplish this, I added a new registry key
enable_enrollmentwhich is by default disabled. When enabled, it uses the username & password specified by thetrigger_challengefunctionality to make two API calls:/token/). If not, then/token/init)After the token is created, the user is displayed the following page:
The page is only shown once after initializing, if the user fails to register the token correctly, they are just presented with a screen to input the OTP. This could be fixed by adding a check if the user was able to successfully connect on the first attempt, and if not, delete the old token and create a new one. But the keycloak-provider did not do this from what I could tell.
Also, currently I have not added the
enable_enrollmentsetting into the installer yet.One point of feedback I am specifically looking for is the text on the ADFS page. The organization has some specific wants when it comes to which authenticator apps they would like to use - I thought maybe another registry key that would allow the organization to list the applications (and maybe include links?) they would like to promote internally could be useful.