Hello,
strange that the conditional OTP currently doesn't work for you; when I wrote it
a few months back it worked quite well for us.
I didn't look at it for a while since I'm using a slightly different
authentication logic now which doesn't require the CondOTP anymore.
Let me know if I can help :)
Cheers,
Thomas
2016-11-09 15:10 GMT+01:00 Stian Thorgersen <sthorger(a)redhat.com>:
We're currently looking at the conditional otp form as it seems to be
broken. The way it should work is if it's required it's required only if
otp is required depending on roles and headers. If it's optional it should
only be required if user has configured OTP.
On 9 November 2016 at 14:36, Georgobasiles, Georgios (AMOS SE) <
GEORGIOS.GEORGOBASILES(a)allianz.de> wrote:
> Dear all,
> I’m trying out a scenario where users are forced into different login
> flows depending on their browser’s user agent HTTP header: all users have
> to log in over a SAML IP and, in addition, users who don’t use IE need to
> go through an OTP form.
>
> I’ve set up a SAML IP with a post login flow that consists of a single
> “Conditional OTP Form” execution. For test purposes, the only condition in
> that execution is a “Skip OTP for Header” which is “User-Agent:.*MSIE.*”
> with a fallback OTP handling to “force”.
>
> I noticed that when the execution is marked as “required”, an OTP form is
> always shown to the user regardless of their browser’s user agent and when
> it’s marked as “optional”, the user never gets to see the OTP form, so it
> looks like the condition on the HTTP header is always ignored. What am I
> missing?
>
>
>
> version: 2.3.0 final
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user