Enable TOTP Token Enrollment

[SoarinFerret]

Hello! I am looking for feedback on a feature I have started working on for this ADFS provider. I would like to roll out privacyIDEA as the 2FA provider for an ADFS instance, however a large number of users do not have any TOTP codes enrolled in the system. In order to ease the onboarding process, I thought it would be useful to enable token enrollment with ADFS, similar to how it works with the Keycloak provider.

To accomplish this, I added a new registry key enable_enrollment which is by default disabled. When enabled, it uses the username & password specified by the trigger_challenge functionality to make two API calls:

• Check if the user has any existing tokens (/token/). If not, then
• Enroll a new TOTP token (/token/init)

After the token is created, the user is displayed the following page:

The page is only shown once after initializing, if the user fails to register the token correctly, they are just presented with a screen to input the OTP. This could be fixed by adding a check if the user was able to successfully connect on the first attempt, and if not, delete the old token and create a new one. But the keycloak-provider did not do this from what I could tell.

Also, currently I have not added the enable_enrollment setting into the installer yet.

One point of feedback I am specifically looking for is the text on the ADFS page. The organization has some specific wants when it comes to which authenticator apps they would like to use - I thought maybe another registry key that would allow the organization to list the applications (and maybe include links?) they would like to promote internally could be useful.

[nilsbehlen]

Hi, thanks for your contribution. It would be great to see our own app (privacyIDEA Authenticator) on that list ;)

In the future there will be a feature in the server that handles token enrollment via challenge-response so that only the server can decide if a token should be enrolled if there is none yet. This will also solve the problem that the token is enrolled as soon as you do /token/init without actually checking if the user scanned the QR (and entered the first OTP). However, that feature is not implemented yet.

The organization has some specific wants when it comes to which authenticator apps they would like to use - I thought maybe another registry key that would allow the organization to list the applications (and maybe include links?) they would like to promote internally could be useful.

I would not spend too much effort for this since the enrollment feature will be reworked in the (hopefully near) future so that the server can dictate this kind of information for all plugins uniformly. But if you need that now you can add it anyway and most parts of your implementation could be reused later too.

Also, currently I have not added the enable_enrollment setting into the installer yet. It is fine if there is no checkbox in the installer. But i think it would be good if the installer at least writes the entry so that people do not have to check the documentation for the name of the entry.

[SoarinFerret]

I have made the requested changes, with the exception of the one I commented on. I also have a working branch of storing the authenticator applications in a REG_MULTI_SZ that I can include as part of the PR if you would like.

[nilsbehlen]

I'm happy with this now. If you have nothing more to add, we can merge.

[SoarinFerret]

I don't have anything more - happy for it to be merged. Thanks for your help!

[nilsbehlen]

thanks for making this pr!