We're currently looking at the conditional OTP form as it seems to be
broken. The way it should work is: if it's required, it's required only if
OTP is required depending on roles and headers. If it's optional, it should
only be required if the user has configured OTP.

On 9 November 2016 at 14:36, Georgobasiles, Georgios (AMOS SE) <GEORGIOS.GEORGOBASILES(a)allianz.de> wrote:

Dear all,

I’m trying out a scenario where users are forced into different login
flows depending on their browser’s user agent HTTP header: all users have
to log in over a SAML IP and, in addition, users who don’t use IE need to
go through an OTP form.

I’ve set up a SAML IP with a post login flow that consists of a single
“Conditional OTP Form” execution. For test purposes, the only condition in
that execution is a “Skip OTP for Header” which is “User-Agent:.*MSIE.*”
with a fallback OTP handling to “force”.

I noticed that when the execution is marked as “required”, an OTP form is
always shown to the user regardless of their browser’s user agent and when
it’s marked as “optional”, the user never gets to see the OTP form, so it
looks like the condition on the HTTP header is always ignored. What am I
missing?

version: 2.3.0 final
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
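
To see what the header condition from the question should yield on its own, separately from the execution's "required"/"optional" setting, the following added example (not code from this thread or from Keycloak) models the skip/force decision for the configured pattern. Assumptions: each header is tested as a `Name: value` string that the pattern must match in full, role and user-attribute conditions are left out, and the function names and sample requests are constructed for illustration.

```python
import re

# Pattern from the post's "Skip OTP for Header" setting.
SKIP_PATTERN = r"User-Agent:.*MSIE.*"


def header_matches(headers, pattern):
    """True if any 'Name: value' string fully matches the pattern (assumed rule)."""
    if not pattern:
        return False
    rx = re.compile(pattern, re.DOTALL)
    return any(
        rx.fullmatch(f"{name.strip()}: {value.strip()}")
        for name, value in headers.items()
    )


def otp_decision(headers, skip_pattern=None, force_pattern=None, fallback="force"):
    """Return 'skip' or 'force' for one request, header conditions only."""
    if fallback not in ("skip", "force"):
        raise ValueError("fallback must be 'skip' or 'force'")
    if header_matches(headers, skip_pattern):
        return "skip"
    if header_matches(headers, force_pattern):
        return "force"
    return fallback  # no condition matched: fallback OTP handling applies


# Constructed sample requests (not taken from the thread).
SAMPLES = {
    "IE 10": {"User-Agent": "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)"},
    # IE 11 dropped the "MSIE" token from its user agent string.
    "IE 11": {"User-Agent": "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko"},
    "Firefox": {"User-Agent": "Mozilla/5.0 (Windows NT 6.1; rv:49.0) Gecko/20100101 Firefox/49.0"},
    "no User-Agent": {"Accept": "text/html"},
}


def evaluate_samples(skip_pattern=SKIP_PATTERN, fallback="force"):
    """Decision per sample request for the configuration described in the post."""
    return {
        label: otp_decision(headers, skip_pattern=skip_pattern, fallback=fallback)
        for label, headers in SAMPLES.items()
    }


if __name__ == "__main__":
    for label, decision in evaluate_samples().items():
        print(f"{label:15s} -> {decision}")
```

Under these assumptions only the IE 10 request skips OTP; the IE 11 request is forced through OTP because its user agent string no longer contains `MSIE`.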