UCS + PrivacyIdea for passwordless Windows/Mac Login

Hi Team,

I am working on a Univention UCS trial project to achieve passwordless login for Windows and macOS.

Instead of username and password, we want to use any of the tokens below:

Username + PIN or OTP or HOTP or YubiKey

Is that possible?
Or is it mandatory to have username + password + token?

Currently, I have set up:

  1. UCS server (Version 5.0-6 errata906)
  2. PrivacyIdea server (Version 3.0.0)

Both the servers are connected
Configured UCS for PrivacyIdea parameters (configs attached)
PrivacyIdea has pulled all the users from UCS via ldapresolver
Test user set up with HOTP token key in PrivacyIdea.

Below are my current configs. Are there any other parameters I need to set up?

ucr set privacyidea/saml/url=https://privacyidea.example.com
ucr set privacyidea/saml/enable=authsource
ucr set privacyidea/saml/realm=example.com
ucr set privacyidea/saml/verifypeer=False
ucr set privacyidea/saml/verifyhost=False
ucr set privacyidea/saml/uidKey=uid

When the test user tries to log in to a domain-joined Windows machine, it does log in,
but uses username + password (it didn't even care about the HOTP).

What am I missing? What else do I need to set up?
The Windows machine does not prompt for HOTP.

And Windows/Mac should give an option to log in with a token instead of a password.