Open mitovskaol opened 5 years ago
Working with Red Hat's SSO team on this
Updates: unresolved yet
Still waiting for feedback from Red Hat on the OTP feature (https://access.redhat.com/support/cases/#/case/02477238)
Update: feature request has been made, but estimation unknown from Red Hat support. It's too late for new features for 7.4, which is planned for Q1 2020, so the next possible time would be RH-SSO 7.5, which isn't currently scheduled.
Temporary solution is to stay with GitHub IdP for 2FA.
The Aporeto client in the DevHub realm in Keycloak needs to have 2FA enabled for ALL client users.
The following steps have been tried (see the screenshots for more details):
1) Create a custom authentication flow with an OTP authentication added as a REQUIRED step.
2) In the Aporeto client, specify an Authentication Flow Override to use the custom flow.
We tried different custom flow configurations, as seen in the screenshot, but none enforced the OTP authentication. Users were able to get to the protected resource once they successfully authenticated with the identity provider authentication in step 1 (username/password) and were never prompted for OTP. Making the OTP the first step in the flow did not work either.
Any help with troubleshooting this is greatly appreciated.
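An added example, not part of the original issue and not Keycloak or Red Hat code: a check over a realm export that confirms the client's browser flow override resolves to a flow and reports whether the OTP step is REQUIRED at every level down to it, since a REQUIRED step nested under an ALTERNATIVE subflow is not required of the flow as a whole. The export field names are assumed to follow Keycloak's realm JSON layout, the sample realm is constructed, and `audit_client` and `otp_steps` are hypothetical names.

```python
import json

OTP = "auth-otp-form"  # Keycloak's built-in OTP form authenticator

def otp_steps(flows, flow, required=True, trail=()):
    """Yield (path, required_all_the_way) for every OTP execution under flow."""
    trail = trail + (flow["alias"],)
    for ex in flow.get("authenticationExecutions", []):
        req = ex.get("requirement")
        ok = required and req == "REQUIRED"
        # Older exports spell the subflow marker "autheticatorFlow".
        if ex.get("authenticatorFlow") or ex.get("autheticatorFlow"):
            sub = flows.get(ex.get("flowAlias"))
            if sub:
                yield from otp_steps(flows, sub, ok, trail + (req,))
        elif ex.get("authenticator") == OTP:
            yield " > ".join(trail + (f"{OTP}[{req}]",)), ok

def audit_client(realm, client_id):
    """Report the client's browser-flow override and whether OTP is REQUIRED in it."""
    client = next(c for c in realm["clients"] if c["clientId"] == client_id)
    flow_id = client.get("authenticationFlowBindingOverrides", {}).get("browser")
    flow = next((f for f in realm["authenticationFlows"] if f.get("id") == flow_id), None)
    if flow is None:
        return {"override": None, "otp": [], "otp_required": False}
    flows = {f["alias"]: f for f in realm["authenticationFlows"]}
    steps = list(otp_steps(flows, flow))
    return {"override": flow["alias"], "otp": steps,
            "otp_required": any(ok for _, ok in steps)}

# Constructed sample export (not taken from the DevHub realm).
SAMPLE = json.loads("""
{"clients": [{"clientId": "aporeto",
              "authenticationFlowBindingOverrides": {"browser": "f-1"}},
             {"clientId": "other"}],
 "authenticationFlows": [
  {"id": "f-1", "alias": "browser-otp", "authenticationExecutions": [
    {"authenticator": "identity-provider-redirector", "requirement": "ALTERNATIVE"},
    {"flowAlias": "browser-otp forms", "requirement": "ALTERNATIVE",
     "autheticatorFlow": true}]},
  {"id": "f-2", "alias": "browser-otp forms", "authenticationExecutions": [
    {"authenticator": "auth-username-password-form", "requirement": "REQUIRED"},
    {"authenticator": "auth-otp-form", "requirement": "REQUIRED"}]}]}
""")

if __name__ == "__main__":
    print(json.dumps(audit_client(SAMPLE, "aporeto"), indent=2))
```

This inspects stored configuration only; it does not observe what the server does at login time.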