Fallback for multiple active/enabled tokens #682
Comments
@foot3print Reading this again, I realize I am not quite sure what you are trying to accomplish.
Please shed some more light on this. You can use these questions to provide more details:
Sorry for the confusion. I am setting up a privacyIDEA server which will authenticate the user against the userstore backend (ldap/krb5) and also provide the second factor authentication. This ticket is actually a follow-up question to the setup in my previous ticket -- https://github.com/privacyidea/privacyidea/issues/680
Q- Should the user be allowed to have several tokens?
/var/log/auth.log /var/log/privacyidea/privacyidea.log
Q- Who enrolled the tokens for the user?
Did I make it clearer this time? I hope this makes sense. ^,^
Therefore, I would close this for the meantime unless anyone had better experience or has other ideas?
If the user first enters his LDAP password (against privacyidea) and in a second step his OTP value, this is a challenge response. Multiple tokens were not supported with challenge response. This will be changed in 2.19. There is a closed issue in the milestone 2.19. As far as 2. and 3., your ideas about the event conditions, are concerned, this sounds interesting. Please open an issue for each of them.
My Setup
privacyIDEA: 2.18.1
Installation method: Ubuntu Repo
OS: Ubuntu 16 Xenial
Webserver: Apache2
Tokendatabase: default from Package- mysql
What did you try to do?
What I would like to do is to disable all tokens except the default (email) upon authentication, if the user has multiple active/enabled tokens. Then use the default token for the challenge, which is the email token.
PINs for tokens are disabled for user enrollment and "otppin" is set to userstore.
I tried this using the Event Handler:
Events: [ "validate_check" ]
Handlermodule: Token
Conditions: {"token_has_owner":"True","tokentype":"totp,sms","user_token_number":"3"}
Action: disable
What outcome did you expect?
The expected outcome would be to use only the default Token after authentication against the userstore, since the user has multiple active tokens.
What outcome did you experience?
It fails with this message in the log:
Multiple tokens to create a challenge found!
Log file
[privacyidea.lib.tokens.smstoken:191] Exiting is_challenge_request with result True
[2017-04-13 13:50:09,000][2110][139733153937152][DEBUG][privacyidea.lib.token:191] Exiting check_token_list with result (False, {'message': 'Multiple tokens to create a challenge found!'})
[2017-04-13 13:50:09,000][2110][139733153937152][DEBUG][privacyidea.lib.token:191] Exiting check_user_pass with result (False, {'message': 'Multiple tokens to create a challenge found!'})
[2017-04-13 13:50:09,001][2110][139733153937152][DEBUG][privacyidea.lib.policy:179] Entering get_action_values with arguments (<privacyidea.lib.policy.PolicyClass object at 0x7f1613c00e50>,) and keywords {'action': 'auth_max_success', 'scope': 'authorization', 'client': '192.168.1.12', 'realm': u'ldapmain', 'user': u'admin1'}
Conclusion rather Questions
Thanks for your help! :-)
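A log-triage example for the failure quoted in this issue, added here and not part of the original issue or of privacyIDEA's own code: it parses the debug-log layout shown above, finds `check_user_pass` results carrying "Multiple tokens to create a challenge found!", and attaches the user, realm and client logged by the same process and thread. The 2-second correlation window, the function names and the extra `user2` line in the sample are assumptions.

```python
import re
from datetime import datetime, timedelta

# Line layout as seen in the issue: [time][pid][thread][LEVEL][module:line] message
LINE = re.compile(r"^\[(?P<ts>[^\]]+)\]\[(?P<pid>\d+)\]\[(?P<tid>\d+)\]"
                  r"\[(?P<level>\w+)\]\[(?P<src>[^\]]+)\] (?P<msg>.*)$")
KEYWORD = re.compile(r"'(user|realm|client)': u?'([^']*)'")
NEEDLE = "Multiple tokens to create a challenge found!"
WINDOW = timedelta(seconds=2)  # assumption: one request's lines fall within 2 s

# Sample input: the three complete lines quoted in the issue, followed by one
# constructed line from a different thread that must not be attributed.
SAMPLE = """\
[2017-04-13 13:50:09,000][2110][139733153937152][DEBUG][privacyidea.lib.token:191] Exiting check_token_list with result (False, {'message': 'Multiple tokens to create a challenge found!'})
[2017-04-13 13:50:09,000][2110][139733153937152][DEBUG][privacyidea.lib.token:191] Exiting check_user_pass with result (False, {'message': 'Multiple tokens to create a challenge found!'})
[2017-04-13 13:50:09,001][2110][139733153937152][DEBUG][privacyidea.lib.policy:179] Entering get_action_values with arguments (<privacyidea.lib.policy.PolicyClass object at 0x7f1613c00e50>,) and keywords {'action': 'auth_max_success', 'scope': 'authorization', 'client': '192.168.1.12', 'realm': u'ldapmain', 'user': u'admin1'}
[2017-04-13 13:50:09,001][2110][139733153937999][DEBUG][privacyidea.lib.policy:179] Entering get_action_values with arguments () and keywords {'realm': u'ldapmain', 'user': u'user2'}
"""

def parse(text):
    """Yield one record per well-formed log line; truncated lines are skipped."""
    for raw in text.splitlines():
        m = LINE.match(raw)
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S,%f")
            rec["ctx"] = dict(KEYWORD.findall(rec["msg"]))
            yield rec

def multi_token_failures(text):
    """Return one finding per failed check_user_pass caused by multiple tokens."""
    records = list(parse(text))
    findings = []
    for rec in records:
        if NEEDLE not in rec["msg"] or "check_user_pass" not in rec["msg"]:
            continue
        ctx = {}
        for other in records:
            # Correlate only lines written by the same process and thread.
            same_worker = (other["pid"], other["tid"]) == (rec["pid"], rec["tid"])
            if same_worker and abs(other["ts"] - rec["ts"]) <= WINDOW:
                ctx.update(other["ctx"])
        findings.append({"time": rec["ts"].isoformat(), **ctx})
    return findings

if __name__ == "__main__":
    for finding in multi_token_failures(SAMPLE):
        print(finding)
```

Counting findings per user over a full log shows which accounts hold more than one challenge-response token and will keep hitting this failure on 2.18.1.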