I’m confused by your response, does it work fine with the OTP as defined in FreeIPA? I’m not expecting users to re-configure their OTP codes for Keycloak once they’ve already configured them in FreeIPA. Regards, Callum -- Callum Smith Research Computing Core Wellcome Trust Centre for Human Genetics University of Oxford e. callum@well.ox.ac.uk<mailto:callum@well.ox.ac.uk> On 17 Sep 2018, at 16:52, Jochen Hein <jochen@jochen.org<mailto:jochen@jochen.org>> wrote: Callum Smith <callum@well.ox.ac.uk<mailto:callum@well.ox.ac.uk>> writes: Keycloak and FreeIPA have separate integrations of 2FA, though very different obviously store keys in a different database. I was wondering whether you can configure Keycloak to authenticate against FreeIPA using the recommended SSSD method and also use the OTP/2FA as configured in FreeIPA on the backend? https://www.keycloak.org/docs/3.0/server_admin/topics/user-federation/sss... Yes, that works fine for password+OTP authentication. I couldn't get Kerberos authentication with password+OTP going in keycloak, but logging in with a kerberos ticket works fine. Jochen -- This space is intentionally left blank.