adfs-provider
validate check enrollment possible bug
Hello @nilsbehlen!
In the configuration section of the docs, it states that the enable enrollment registry key essentially should not be used if you want to use the new enrollment method introduced in PrivacyIdea 3.8.
I am trying to get this new enrollment method working with TOTP.
There seem to be no docs on how exactly to do this, but I went ahead and set up an Authentication Policy in PrivacyIDEA that adds the "enroll_via_multichallenge" option to the authentication policy and selected TOTP as described here in section 7.3.15: https://privacyidea.readthedocs.io/en/latest/policies/authentication.html#otppin
Currently when a brand new user logs in, they are prompted in ADFS for a TOTP code, which they do not have, and they are not given the option to generate a new one, so they cannot log in.
What am I missing here? How do we "trigger" the new enrollment method for the users?
We did get this to work!! Figured out that for the new authentication method to work:
- You must enable "enroll_via_multichallenge" authentication policy in PrivacyIDEA
- You also must enable "passOnNoToken" in the same authentication policy
- In the PrivacyIDEA ADFS-Provider Plugin, you must set the "send_empty_pass" registry key to "1"
This will have new users enroll, and existing users will get prompted for their codes like normal.
Also -- I may have discovered a bug: if a new user clicks the "Submit" button without entering a code (or entering the wrong code) on the Enrollment screen, it enrolls the token as the user and the user will be stuck without a way to log in (until the token is deleted).
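The three settings listed above, applied as one PowerShell script. This is an added example, not code from the issue or from the privacyIDEA project. It assumes the ADFS provider reads its configuration from the registry key `HKLM:\SOFTWARE\Netknights GmbH\PrivacyIDEA-ADFS` as string values (the documented location at the time of writing; check your installed version), and it uses the privacyIDEA REST API (`POST /auth`, `POST /policy/<name>`, `GET /policy/<name>`) to create the authentication policy. The server URL, admin credentials and the policy name `adfs_enroll_totp` are placeholders.

```powershell
# Added example (not part of the original issue or the privacyIDEA project):
# applies the three settings from the post above.
# ASSUMPTIONS: registry path and value names as documented for the privacyIDEA
# ADFS provider; server URL, admin account and policy name are placeholders.

$RegPath    = 'HKLM:\SOFTWARE\Netknights GmbH\PrivacyIDEA-ADFS'   # assumed plugin key
$PiServer   = 'https://pi.example.com'                              # placeholder
$PolicyName = 'adfs_enroll_totp'                                    # arbitrary name

# --- Step 3: ADFS plugin registry value send_empty_pass = "1" (run on every AD FS node)
if (-not (Test-Path $RegPath)) { throw "Plugin registry key not found: $RegPath" }
Set-ItemProperty -Path $RegPath -Name 'send_empty_pass' -Value '1' -Type String
$v = (Get-ItemProperty -Path $RegPath -Name 'send_empty_pass').send_empty_pass
if ($v -ne '1') { throw "send_empty_pass read-back failed: '$v'" }

# --- Steps 1 and 2: authentication policy in privacyIDEA via its REST API
$cred = Get-Credential -Message 'privacyIDEA admin'
$auth = Invoke-RestMethod -Method Post -Uri "$PiServer/auth" -Body @{
    username = $cred.UserName
    password = $cred.GetNetworkCredential().Password
}
$headers = @{ Authorization = $auth.result.value.token }

$policy = @{
    scope  = 'authentication'
    # comma-separated action string: enroll a TOTP token in the second step of
    # /validate/check, and let a user without any token pass the first step
    action = 'enroll_via_multichallenge=totp,passOnNoToken'
    realm  = ''          # empty = all realms; narrow this to the ADFS realm in production
    active = $true
} | ConvertTo-Json

Invoke-RestMethod -Method Post -Uri "$PiServer/policy/$PolicyName" `
    -Headers $headers -ContentType 'application/json' -Body $policy | Out-Null

# read the policy back and show the effective action string
$check = Invoke-RestMethod -Method Get -Uri "$PiServer/policy/$PolicyName" -Headers $headers
$check.result.value | Select-Object name, scope, action, active | Format-List

# the provider is loaded by the AD FS service; restart it so the registry change is picked up
Restart-Service adfssrv
```

One caveat a practitioner should weigh before copying this: `passOnNoToken` means any user in the policy's realm who has no token at all passes `/validate/check` on password alone, so keep the realm scope as tight as possible and confirm with `GET /token/?user=<name>` that enrollment actually produced a token for each new user, rather than relying on the ADFS prompt sequence.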
Hey, good that you figured it out by yourself! I will check if I can confirm the bug when I have time.