From 34dbf5c1dc25622ae7cca75a6be176f856bde97f Mon Sep 17 00:00:00 2001 From: Nicole Rappe Date: Fri, 26 Jan 2024 03:28:40 -0700 Subject: [PATCH] Update Configs & Servers/Linux/privacyIDEA.md --- Configs & Servers/Linux/privacyIDEA.md | 24 +++++++++++++++++++++++- 1 file changed, 23 insertions(+), 1 deletion(-) diff --git a/Configs & Servers/Linux/privacyIDEA.md b/Configs & Servers/Linux/privacyIDEA.md index 0991b82..6211126 100644 --- a/Configs & Servers/Linux/privacyIDEA.md +++ b/Configs & Servers/Linux/privacyIDEA.md 
@@ -104,10 +104,32 @@ You will need to create several policies, you can make them all individual, or m - **Scope**: `Authentication` > "**push_allow_polling**" = `allow` ## Enrolling the First Token +!!! bug "Push Notifications Broken" + Currently, the push notification system (e.g. Cisco DUO") is not behaving as-expected. For now, you can use other authentication methods for the tokens, such as HOTP (on-demand MFA codes) or TOTP (conventional time-based MFA codes). + +### TOTP Token Navigate to "**Tokens > Enroll Token**" | **Field** | **Value** | | :--- | :--- | -| Token Type | `PUSH: Send a Push Notification to a Smartphone` | +| Token Type | `TOTP` | | Realm | `Bunny-Lab` | | Username | `[256da6f8-9ddb-4ec5-9409-1a95fea27615] nicole.rappe (Nicole Rappe)` | + +Use any MFA authenticator app like Bitwarden or Google Authenticator to add the code and store the secret key somewhere safe. + +## Install Credential Provider on Endpoint +When you want to leverage MFA in an environment using the server, you need to have a domain-joined computer running the Credential Provider, which can be found on the [Official Credential Provider Github Page](https://github.com/privacyidea/privacyidea-credential-provider/releases). + +- Download the MSI +- Run the installer on the computer +- Click "**Next**" +- Check the "**Agree**" checkbox, then click "**Next**" +- Hostname: `auth.bunny-lab.io` +- Path: `/path/to/pi` +- [x] Ignore Unknown CA Errors when Using SSL +- [x] Ignore Invalid Common Name Errors when Using SSL +- Click "**Next**" > "**Next**" > "**Next**" +- Click "**Install**" then "**Finish**" + +You can now log out and verify that the credential provider is displayed as an option, and can log in using your domain username, domain password, and TOTP that you configured in the privacyIDEA WebUI. \ No newline at end of file
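Review bot: the two checked options in the installer steps, "[x] Ignore Unknown CA Errors when Using SSL" and "[x] Ignore Invalid Common Name Errors when Using SSL", turn off certificate validation on the channel the credential provider uses to talk to `auth.bunny-lab.io`, so a host on the path could answer the authentication requests in place of the real server; since the page already names a public hostname, consider leaving both unchecked and adding a step to trust the server's CA on the domain-joined computer (or, if they must stay checked for a lab, say so in the doc). Two smaller points in the same hunk: the `!!! bug` admonition has a stray closing quote in `(e.g. Cisco DUO")`, and "Path: `/path/to/pi`" reads as a placeholder that was not filled in, so a reader cannot tell what the installer actually wants there.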