Hi Björn,
in fact this is possible, indirectly.
I also thought about switching to an n:m relation between users and
tokens, but I guess this will change a lot. And this scenario is not
that common.
So, assume your employee has an employee account in privacyIDEA.
You can assign the token to this employee. The human being now owns this
token.
Now you have a lot of shell_users. I assume you might have a shell user
"root", which of course is no employee, but you have employees Meier,
Schmidt, Kunze, who can be root.
So you assign "remote tokens" to the user "root".
http://privacyidea.readthedocs.io/en/latest/configuration/tokens/remote.html?highlight=remote
A remote token is a virtual token that forwards the authentication
request to another user or token on another privacyIDEA system.
You can also forward the authentication request to another token on the
same privacyIDEA system!
So you assign remote tokens to the user "root":
1. remote token to the token of user "meier"
2. remote token to the token of user "schmidt"
3. remote token to the token of user "kunze"
But you can forward not only to the token but also to the user.
So you could assign remote tokens to the user "root" like
1. remote token forwards to user "meier"
2. remote token forwards to user "schmidt"
3. remote token forwards to user "kunze"
The difference is that in the first case "meier" can only authenticate
as "root" with this one very token.
In the second case "meier" can authenticate as "root" with whichever
token he possesses.
Kind regards
Cornelius
--
Cornelius Kölbel
corneliu...@netknights.it
+49 151 2960 1417
NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798
Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel
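
The difference between the two forwarding modes in the message above, as an added example that is not part of the original message and is not privacyIDEA code: a simplified Python model that lists which real tokens can authenticate as "root" in each case. The `Token` and `Server` classes, the serials and the fixed OTP values are assumptions constructed for illustration.

```python
# Simplified model of remote-token forwarding; NOT privacyIDEA code.
# Serials, users and OTP values below are constructed sample data.
from dataclasses import dataclass
from typing import Optional

@dataclass
class Token:
    serial: str
    owner: str
    otp: Optional[str] = None         # stand-in for a real OTP check
    fwd_serial: Optional[str] = None  # remote token -> one specific token
    fwd_user: Optional[str] = None    # remote token -> any token of a user

class Server:
    def __init__(self, tokens):
        self.tokens = {t.serial: t for t in tokens}

    def _expand(self, tok, depth):
        if depth > 3:                 # guard against forwarding loops
            return set()
        if tok.fwd_serial:
            target = self.tokens.get(tok.fwd_serial)
            return self._expand(target, depth + 1) if target else set()
        if tok.fwd_user:
            return self.real_tokens(tok.fwd_user, depth + 1)
        return {tok.serial}           # an ordinary, non-remote token

    def real_tokens(self, user, depth=0):
        """Serials of the real tokens that can authenticate as `user`."""
        found = set()
        for t in self.tokens.values():
            if t.owner == user:
                found |= self._expand(t, depth)
        return found

    def check(self, user, otp):
        return any(self.tokens[s].otp == otp for s in self.real_tokens(user))

def build(mode):
    toks = [Token("HOTP_M1", "meier", otp="111111"),
            Token("TOTP_M2", "meier", otp="222222"),
            Token("HOTP_S1", "schmidt", otp="333333")]
    if mode == "token":               # first case: forward to a token
        toks += [Token("REM_1", "root", fwd_serial="HOTP_M1"),
                 Token("REM_2", "root", fwd_serial="HOTP_S1")]
    else:                             # second case: forward to a user
        toks += [Token("REM_1", "root", fwd_user="meier"),
                 Token("REM_2", "root", fwd_user="schmidt")]
    return Server(toks)
```

Comparing `build("token").real_tokens("root")` with `build("user").real_tokens("root")` shows the access-review consequence: forwarding to a user means every token that user enrolls later also becomes valid for "root".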