Is it possible to have two-factor authentication with OIDC Identity Brokering?

I'm trying to use TOTP to set up two-factor authentication. It works for the password authentication method but not with OIDC Identity Brokering.

1- With the password method:

  • login + password
  • OTP password
  • successful login

2- With OIDC Identity Brokering:

  • select OIDC provider
  • select account
  • successful login

Is it possible to add an OTP password stage to the OIDC method? Does anyone know what the issue is?

  • TOTP (Time-based One-time Password) works very well in Keycloak with any SSO protocol: OIDC, SAML. Please be more specific about what is not working. `FreeOTP` is just an app, but any standard OTP app can be used; some of them: Google Authenticator, Microsoft Authenticator, Authy, LastPass, Duo Mobile, Yubico Authenticator, ... – Jan Garaj Jun 25 '21 at 17:09
  • Hello, when I use the SSO protocol for login, it doesn't ask for the OTP password, but with password authentication, it asks for the OTP password. – 握草行天下 Jun 28 '21 at 14:04

1 Answer

It is not a problem of the OIDC protocol (actually, I guess you are using OIDC in both cases), but of the authentication flow used. Make sure you have properly configured the First Broker Login flow so that it fits your needs. For example: (screenshot of a First Broker Login flow configuration)

Source: https://github.com/keycloak/keycloak-community/blob/master/design/multi-factor-admin-and-step-up.md

But I would say it won't be a clever idea to require TOTP in Keycloak in this setup, when Keycloak is only a middle layer (Identity Brokering). The proper config would be to configure (T)OTP on the OIDC provider used (that's another IdP, which is only used by your Keycloak).

  • "The proper config would be to configure (T)OTP on the OIDC provider used (that's another IdP, which is only used by your Keycloak)." The advantage of doing it as an authentication flow is that you have the option of applying it to specific clients/applications instead of the entire IdP. I'm not sure if it will work, but it seems possible. – DavidS Jun 03 '22 at 19:19
  • "The proper config would be to configure (T)OTP on the OIDC provider used". In some cases organizations want their employees to perform an additional 2FA when they log in to our SaaS application (because it contains sensitive data). In that case, the IAM of the organization is configured as an Identity Provider in our Keycloak instance, and an additional 2FA post-login flow should be executed on our side. – JeroenS Jul 22 '22 at 07:46
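The flow configuration the answer points at, written out as an added example (it is not from the question, the answer, or the Keycloak project). One caveat a practitioner should know before copying the screenshot approach: the First Broker Login flow runs only once per user, when the external identity is first linked to a local Keycloak account. To prompt for a TOTP on every brokered login, which is the scenario JeroenS describes in the comments, the OTP Form execution belongs in the Post Broker Login flow, selected per identity provider through `postBrokerLoginFlowAlias` (the "Post Login Flow" setting in the admin console). The realm import fragment below does exactly that: a custom top-level flow containing a single `auth-otp-form` execution set to REQUIRED, bound as the post-login flow of an OIDC identity provider, while the built-in `first broker login` flow is kept for account linking. The realm name, the IdP alias `corp-oidc`, the upstream URLs and the client credentials are placeholders and must be replaced.

```json
{
  "realm": "example",
  "otpPolicyType": "totp",
  "otpPolicyAlgorithm": "HmacSHA1",
  "otpPolicyDigits": 6,
  "otpPolicyPeriod": 30,
  "authenticationFlows": [
    {
      "alias": "post broker login with otp",
      "description": "Runs after every successful login through an external IdP and enforces a local TOTP check",
      "providerId": "basic-flow",
      "topLevel": true,
      "builtIn": false,
      "authenticationExecutions": [
        {
          "authenticator": "auth-otp-form",
          "requirement": "REQUIRED",
          "priority": 10,
          "userSetupAllowed": false
        }
      ]
    }
  ],
  "identityProviders": [
    {
      "alias": "corp-oidc",
      "displayName": "Corporate login",
      "providerId": "oidc",
      "enabled": true,
      "trustEmail": false,
      "firstBrokerLoginFlowAlias": "first broker login",
      "postBrokerLoginFlowAlias": "post broker login with otp",
      "config": {
        "clientId": "keycloak-broker",
        "clientSecret": "REPLACE_ME",
        "clientAuthMethod": "client_secret_post",
        "authorizationUrl": "https://idp.example.com/oauth2/authorize",
        "tokenUrl": "https://idp.example.com/oauth2/token",
        "jwksUrl": "https://idp.example.com/oauth2/jwks",
        "useJwksUrl": "true",
        "validateSignature": "true",
        "defaultScope": "openid email profile",
        "syncMode": "IMPORT"
      }
    }
  ]
}
```

Import it with `bin/kc.sh import --file realm.json` on a stopped server, or through Realm settings > Partial import in the admin console. Because the OTP Form execution is REQUIRED, a user who has no OTP credential yet is sent to the "Configure OTP" required action instead of being rejected, so enrollment happens on the first brokered login and every later login through `corp-oidc` ends with the TOTP prompt that the question was missing. Leaving `validateSignature` on and pinning `jwksUrl` matters here: the local OTP only adds security if the upstream identity assertion it is layered on is actually verified.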