[keycloak-user] How does conditional OTP form work?

Wed Nov 9 08:36:37 EST 2016

Dear all,
I’m trying out a scenario where users are forced into different login flows depending on their browser’s user agent HTTP header: all users have to log in over a SAML IP and, in addition, users who don’t use IE need to go through an OTP form.

I’ve set up a SAML IP with a post login flow that consists of a single “Conditional OTP Form” execution. For test purposes, the only condition in that execution is a “Skip OTP for Header” which is “User-Agent:.*MSIE.*” with a fallback OTP handling to “force”.

I noticed that when the execution is marked as “required”, an OTP form is always shown to the user regardless of their browser’s user agent, and when it’s marked as “optional”, the user never gets to see the OTP form, so it looks like the condition on the HTTP header is always ignored. What am I missing?

version: 2.3.0 final
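As an added illustration (not part of the original post and not Keycloak's own code), the snippet below reimplements the “Skip OTP for Header” check in Python under the assumed semantics that each request header is rendered as "Name: value" and must match the configured regex in full (Java `Matcher.matches()`, here `re.fullmatch`) with DOTALL; the User-Agent strings are constructed samples. It also shows two practical points when testing such a condition: IE11 sends a User-Agent without the "MSIE" token, and a pattern that does not cover the whole "Name: value" string never fires.

```python
import re

# Constructed sample requests (not from the original post): header name -> value.
# IE10 and earlier carry an "MSIE" token; IE11 carries "Trident/7.0" and "rv:11.0"
# but no "MSIE", so an MSIE-based regex does not match it.
SAMPLE_REQUESTS = {
    "ie10": {"User-Agent": "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)"},
    "ie11": {"User-Agent": "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko"},
    "firefox": {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:49.0) Gecko/20100101 Firefox/49.0"},
}

SKIP_PATTERN = "User-Agent:.*MSIE.*"  # the condition configured in the post


def header_matches(headers, pattern):
    """Assumed evaluation of the header condition: every request header is
    rendered as "Name: value" and the regex must match that whole string
    (full match, DOTALL). Returns True as soon as one header matches."""
    compiled = re.compile(pattern, re.DOTALL)
    return any(
        compiled.fullmatch(f"{name.strip()}: {value.strip()}") is not None
        for name, value in headers.items()
    )


def otp_decision(headers, skip_pattern, fallback="force"):
    """Return 'skip' when the skip condition fires, otherwise the fallback
    OTP handling ('force' in the post's configuration)."""
    return "skip" if header_matches(headers, skip_pattern) else fallback


if __name__ == "__main__":
    for name, headers in SAMPLE_REQUESTS.items():
        print(f"{name:8s} -> {otp_decision(headers, SKIP_PATTERN)}")
    # A pattern without the trailing ".*" does not cover the rest of the header
    # value, so under full-match semantics it never fires:
    print("ie10 with 'User-Agent:.*MSIE' ->",
          otp_decision(SAMPLE_REQUESTS["ie10"], "User-Agent:.*MSIE"))
```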
